Fall 2014 Course Schedule
TPL011: Introduction to C Programming
TPL036: Introduction to Ruby and Rails
TPL064: An Introduction to Computer Vision and Automated Object Recognition
TPL103: Introduction to Intel x86-64
TPL109: Introduction to ARM (Advanced/Acorn RISC Machine) Architecture & Software Systems
TPL465: Intermediate Intel x86: Architecture, Assembly, and Applications
TPL477: Introduction to Android Forensics and Security Testing
TPL482: JSON and JSON Schema
TST414: Introduction to Bayesian Data Analysis
TSV062: Privacy Engineering
TSV064: Introduction to Hardware Hacking
TSV065: Introduction to Side-Channel Analysis
TSV066: Linux/Unix Security
TSV100: Introduction to Secure Coding
TSV404: Introduction to Vulnerability Assessment
TSV427: Introduction to Reverse Engineering Software
TSV432: Introduction to Trusted Computing and the Use of Trusted Platform Modules
TSV436: Secure Code Review
Approved for Public Release; Distribution Unlimited. Case Number 14-3731
©2014 The MITRE Corporation. ALL RIGHTS RESERVED
TPL011: Introduction to C Programming
Course Description: This course is an introduction to the C programming language. C is primarily a systems programming
language suitable for a wide variety of domains. It is the implementation language of the Linux kernel and many standard Unix
utilities, and is the basis for higher level languages like C++ and Java. This class is for people who have prior programming
experience in any language but would like to learn C. It will be taught as a lecture, with labs interleaved to give students
experience in the concepts being taught.
Course Objectives:
• A basic understanding of the C language and standard library
• Understanding of common C programming techniques, including procedural and object oriented approaches
• Be able to use the standard socket APIs for Linux and Windows
• Be able to do file input and output safely
Format: Presentation, exercises, and labs.
Prerequisites: Previous programming experience.
Target Audience: All MITRE technical staff, and staff applying to the Deep System Security & Trusted Computing Learning Path.
Length: 2 Days
Schedule: December 8-9, 2014 - 8:30am - 4:30pm - EST
Instructor: Collin Hockey (chockey@mitre.org) is a Senior Digital/Microprocessor Hardware Engineer in Bedford in the Electronic
Systems Development Department J82E. Since 2010, Collin has worked multiple projects, including GPS, the Tactical Wireless
Channel Emulator, and most recently on embedded software for the Bistatic Radar portfolio.
TPL036: Introduction to Ruby and Rails
Course Description: This course provides a thorough introduction to the Ruby programming language. Students will explore what
differentiates Ruby from other modern programming languages.
The class will have a strong focus on the tools that Ruby provides to generate logic and build applications with less code than other
programming languages. Once a basic understanding of the Ruby programming language is attained, the class will provide an
introduction to Ruby on Rails.
This is a popular development framework for rapidly creating web applications. Students will leave the class with the tools they need
to create simple Ruby and Rails applications and explore the ecosystem further on their own.
Course Objectives:
• Install and setup a Ruby and Rails environment
• Identify the basics of the Ruby programming language.
• Create and configure a Rails application
• Develop a basic understanding of programming with Ruby, with the tools necessary to learn more
• Provide knowledge on the architecture of a Ruby on Rails application, with the ability to create a basic web application using it.
Format: Lecture/Lab
Prerequisites: Experience with an object oriented programming language, such as Java or C#
Target Audience: This course is open to all MITRE technical staff.
Length: 2 Days (14 Hours)
Schedule: 11-Feb-2015 - 12-Feb-2015 (8:30 - 4:30)
Instructor: Andy is an architect and developer on popHealth, a Ruby-based open source platform for calculating clinical quality
measures. The design of popHealth allows the software to calculate quality measures for very large groups of patients in an easily
scalable fashion. Andy is Technical Lead of the current effort to deploy a popHealth prototype installation at VA.
Andy holds a BS in Electrical Engineering from Eastern Nazarene College and an MS in Computer Systems Engineering from Boston
University.
TPL064: An Introduction to Computer Vision and Automated Object Recognition
Course Description: How can computers understand and interpret the visual world of humans? This course is an introduction to
computer vision and automated object recognition in images and videos. In the simplest terms, computer vision is the exploration of
"teaching machines how to see." Although this field dates back more than forty years, the recent explosive growth of images and
videos has made the challenges of automated image interpretation more exciting and relevant than ever. This course will be a
hands-on exploration of some of the fundamental aspects of computer vision. Topics will include image processing, image segmentation,
facial recognition, automated object recognition and detection. With the help of the instructor, participants will learn to employ the
latest developments in object recognition to build their own recognition systems.
Course Objectives:
• To understand and address the major approaches of basic issues in computer vision
• To develop hands-on experience with the latest automated image and video processing techniques
• Learning about image processing and segmentation, facial recognition, automated object recognition and detection
Format: Presentation, discussion, combined with a hands-on lab component.
Prerequisites: Some programming experience in C, C++, or Python.
Target Audience: Participants interested in learning about image and video processing with some programming skills background.
Length: 2 Days - 14 Hours
Schedule: December 1-2, 2014 - 8:30am - 4:30pm - EST
Instructor: Mikel Rodriguez (mdrodriguez@mitre.org) is a researcher at MITRE. He was a post-doctoral fellow at the INRIA Willow
team at the Département d'Informatique of Ecole Normale Supérieure in Paris, France. Mikel completed his PhD in Computer Science
at UCF. His research focuses mainly on video interpretation which includes tracking, visual motion analysis, activity recognition, and
crowd behavior analysis. An overview of the computer vision research being done by Mikel Rodriguez and his group can be found at:
www.computervision.mitre.org/research/overview/
TPL103: Introduction to Intel x86-64
Course Description: Intel processors have been a major force in personal computing for more than 30 years. An understanding of
low level computing mechanisms used in Intel chips as taught in this course serves as a foundation upon which to better understand
other hardware, as well as many technical specialties such as reverse engineering, compiler design, operating system design, code
optimization, and vulnerability exploitation.
25% of the time will be spent bootstrapping knowledge of fully OS-independent aspects of Intel architecture. 50% will be spent
learning Windows tools and analysis of simple programs. The final 25% of time will be spent learning Linux tools for analysis. This
distribution is partially due to Windows' dominance of the marketplace, but also because the tools on Windows are more mature and
easier to use than those on Linux, allowing for a more gradual introduction for the student.
This class will serve as a foundation for the follow on Intermediate level class. It will teach the basic concepts and describe the
hardware that assembly code deals with. It will also go over many of the most common assembly instructions. Although x86-64 has
hundreds of special purpose instructions, students will be shown it is possible to read most programs by knowing only around 20-30
instructions and their variations.
The instructor-led lab work will include:
• Stepping through a small program and watching the changes to the stack at each instruction (push, pop, call, ret (return), mov)
• Stepping through a slightly more complicated program (adds lea (load effective address), add, sub)
• Understanding the correspondence between C and assembly control transfer mechanisms (for example, goto in C == jmp in asm)
• Understanding conditional control flow and how loops are translated from C to asm (conditional jumps, jge (jump greater than or equal), jle (jump less than or equal), ja (jump above), cmp (compare), test, etc.)
• Boolean logic (and, or, xor, not)
• Logical and Arithmetic bit shift instructions and the cases where each would be used (shl (logical shift left), shr (logical shift right), sal (arithmetic shift left), sar (arithmetic shift right))
• Signed and unsigned multiplication and division
• Special one instruction loops and how C functions like memset or memcpy can be implemented in one instruction plus setup (rep stos (repeat store to string), rep mov (repeat mov))
• Misc instructions like leave and nop (no operation)
• Running examples in the Visual Studio debugger on Windows and the Gnu Debugger (GDB) on Linux
• The famous "binary bomb" lab from the Carnegie Mellon University computer architecture class, which requires the student to do basic reverse engineering to progress through the different phases of the bomb giving the correct input to avoid it "blowing up." This will be an independent activity.
Course Objectives:
• Demonstrate to students with programming experience that assembly is not an arcane art, but rather an API which can be learned
like any other.
• Allow students to gain exposure to a core set of Intel x86 architecture and assembly so as to be able to read and understand short
programs in disassembled form.
• Provide exposure to a hands-on environment for both Windows and Linux.
• Describe the techniques for analyzing binary programs with both disassemblers and debuggers.
Format: Instructor-led seminar with detailed handouts and time for extensive class interaction. This class is a video broadcast.
Synchronized audio, video, and presentation materials will be broadcast to remote student desktops. Return audio from remote
students will be sent to audio speakers in the room, so that the remote students are integrated with the students in the classroom.
Prerequisites: Must be comfortable with C/C++ code and able to read and understand the source for short programs.
Target Audience: The class will provide a base of understanding for the following staff:
• Developers who want to understand the correspondence between high level code and machine code.
• Staff who want to better understand the low level hardware mechanisms which support binary program execution and operating system design.
• Staff interested in reverse engineering and malware analysis.
• Staff interested in vulnerability research and mitigation.
• Staff applying to the Deep System Security & Trusted Computing Learning Path.
Length: 2 Days - 14 Hours
Schedule: January 22-23, 2015 - 8:30am - 4:30pm - EST
Instructor: Sam Cornwell (scornwell@mitre.org) is a Senior Cyber Security Engineer at Fort Meade in Defense Cyber Security
Department J83J. Since 2011, Sam has been working on projects such as Checkmate (a kernel and userspace memory integrity
verification and timing-based attestation tool), Copernicus (a BIOS extractor and configuration checker), and several other private
security sensors designed to combat sophisticated threats. He has also researched and developed attacks against UEFI SecureBoot.
TPL109: Introduction to ARM (Advanced/Acorn RISC Machine) Architecture & Software Systems
Course Description: Mobile devices based on RISC architectures such as ARM are becoming increasingly ubiquitous inside and
outside sponsor environments. This class will provide an opportunity to examine the ARM processor architecture on which most
mobile phones, and many embedded systems are based.
The class will begin with an intro to the ARM architecture, focusing on the instruction sets (ARM and Thumb instruction sets) and
features like processor modes, interrupts, and pipelining. The class will cover some systems level topics such as how different types
of operating systems like Linux on ARM, and Real-time operating systems are implemented. This will include a lab with the use of
Das U-Boot to boot your own "kernel." Topics will also try to include the basis for userspace-kernel separation on ARM, schedulers,
and virtual memory.
There will be numerous labs, including an ARM port of the CMU Binary Bomb lab, where you perform basic reverse engineering on
a binary. Labs will cover how C code translates to ARM assembly, as well as the changes induced by compiler optimizations. The
class development environment will be the Android development environment; however the code developed will be at the bare-metal
level, rather than the application level. This will provide experience with both disassembling and debugging ARM assembly. Labs
will also include how to use Das U-Boot bootloader to run a home-made "kernel" or any bare-metal program.
Course Objectives:
• Learn that assembly is not an arcane art, but rather an API which can be learned like any other.
• Gain exposure to a core set of ARM architecture and assembly so as to be able to read and understand short programs in
disassembled form.
• Navigate in a hands-on embedded environment for Linux which Android is built on.
• Identify the techniques for analyzing binary programs with both disassemblers and debuggers.
Format: Lecture and Lab
Prerequisites:
• Ability to read simple C programs.
• Students are strongly encouraged to have taken Introduction to Intel x86: Architecture, Assembly, Applications and Alliteration
Target Audience:
• Developers wishing to learn about the deep internals of ARM-based phones
• Security researchers
• Forensic analysts
• Incident responders
• People interested in reverse engineering and malware analysis for phones
Length: 2 Days (14 Hours)
Schedule: February 19-20, 2015 (8:30-4:30)
Instructor: Ganu Kini (gkini@mitre.org) graduated from Carnegie Mellon University in 2011 with a Master of Science in
Information Security Technology and Management. While there he had the opportunity to delve further into bare-metal ARM systems,
develop a rudimentary kernel on the Gumstix platform using only the standard C library and look at some properties of a real time OS
and its implications in safety and security critical applications. With a background in electrical engineering and materials science from
Virginia Tech, Ganu has always tinkered with embedded systems since his high school days when he had the chance to participate in
his first U.S. FIRST Robotics competition and has since mentored high school students for the same competition.
TPL465: Intermediate Intel x86: Architecture, Assembly, and Applications
Course Description: Building upon the introductory class (TPL103), this class goes into more depth on topics already learned, and
introduces more advanced topics that dive deeper into how Intel-based systems work.
Topics will include, but are not limited to:
• Physical and virtual memory and how a limited amount of physical memory is represented as much more virtual memory through a multi-level paging system. We will also talk about memory segmentation.
• The hardware basis for kernel versus userspace separation and how software transitions between the two. This portion answers the question of why does x86 have 4 "rings", with ring 0 being the most privileged, and ring 3 being the least.
• Hardware and software interrupts, and how they are the basis for debugging.
• Input/Output instructions and how these allow the CPU to talk to peripherals.
Example applications will include showing how hardware and memory mechanisms are used for software exploits, anti-debug
techniques, rootkit hiding, and direct hardware access for keystroke logging.
We will perform labs on:
• Using WinDbg to perform kernel debugging on a virtual machine (which is equally applicable for debugging a real machine).
• Using a custom WinDbg plugin to examine the Local (memory segment) Descriptor Table (LDT), and Global (memory segment) Descriptor Table (GDT) in order to understand how Windows sets memory segment ranges and permissions for userspace and kernel space.
• Using WinDbg and the !pte command to understand how Windows organizes its paging structures which map physical memory to virtual memory.
• Investigating where exactly the XD/NX bit is set in order to make memory non-executable (which Microsoft calls Data Execution Prevention (DEP)), to prevent some types of exploits from succeeding.
• Using the Read Timestamp Counter (RDTSC) instruction to profile code execution time. Also, using a profile of code execution time to change a program's behavior in the presence of a debugger (e.g., executing different code if the code appears to have been stopped at a breakpoint).
• Printing information about task state segments, which hold information that is used to find the kernel stack when an interrupt occurs.
• Watching what does and doesn't change when a software interrupt is used to transfer control from userspace to kernel.
• Reading the Interrupt Descriptor Table (IDT) and understanding the security implications of changes to it.
• Understanding how RedPill uses the IDT in order to detect that a system is virtualized.
• Having a process read its own memory when a software breakpoint is set, in order to see how a debugger will change memory to set the breakpoint but hide the change from the user.
• Watching how hardware-based breakpoints manipulate dedicated debug registers.
• Using port input/output to access the backdoor communications channel that VMware uses in order to send copy/paste, mouse movement, and other events in and out of a VM.
• Using port I/O in order to talk directly to the PS2 keyboard controller in order to sniff keystrokes or flash keyboard LEDs.
Course Objectives:
• Understand that assembly is not an arcane art, but rather an API that can be learned like any other.
• Cover more of the most frequently used hardware mechanisms.
• Learn new assembly instructions.
• Apply new skills to interesting examples.
Format: Presentation, exercises, and labs.
Prerequisites:
• Must be comfortable with C/C++ code and able to read and understand short C/C++ programs.
• Must be comfortable with C/C++ pointers.
• Must have taken the introductory class (TPL103) or demonstrate equivalent knowledge to the instructor.
Target Audience:
• Developers who want to understand the correspondence between high level code and machine code.
• Staff who want to better understand the low level hardware mechanisms which support binary program execution and operating system design.
• Staff interested in reverse engineering and malware analysis.
• Staff interested in vulnerability research and mitigation.
• Staff applying to the Deep System Security & Trusted Computing Learning Path.
Length: 2 Days - 14 Hours
Schedule: February 9-10, 2015 8:30am - 4:30pm - EST
Instructor: Xeno Kovah graduated from Carnegie Mellon University in 2007 with a Masters of Science in Information Security
Technology and Management. While there he researched worms, bots, and malware. While taking the highly regarded Operating
Systems class, in which students build an OS from scratch, he gained a greater appreciation of how the capabilities provided by
hardware influence the software abstractions built above them. Xeno also studied computer science and electrical engineering at the
University of Minnesota. There he approached assembly both from software down, in CS classes, and from hardware up, in EE
classes. Xeno has experience with 4 other assembly languages beyond x86: PowerPC, ARM, SPARC, and M68HC12.
TPL477: Introduction to Android Forensics and Security Testing
Course Description: This course will cover the most common issues facing mobile devices, and general tips for securing mobile
applications. Upon completion of a general mobile security overview, the course will delve into a proven practice in Mobile Device
Forensics and Mobile Application Penetration Testing for Android devices. Over the two-day course, students will get hands-on time
with open-source and commercial forensics tools, set up and explore reverse engineering development environments, and experience
the process that G020 mobile security engineers have successfully applied to several projects. Areas covered include
identifying application vulnerabilities, code analysis, memory & file system analysis, and insecure storage of sensitive data.
Course Objectives:
• Identify common issues and general tips for securing mobile applications
• Conduct forensics on Android devices
• Conduct a penetration test on an Android application
Format: Presentation, exercises, and labs.
Prerequisites: Development experience with Android and Eclipse, Windows command line and Linux/UNIX terminal.
Target Audience: Software Engineers developing Android applications, InfoSec Engineers conducting security assessments or
engineering of Android applications and staff applying to the Mobile System Security Android Learning Path.
Length: 2 Days - 14 Hours
Schedule: December 9-10, 2014 - 8:30am - 4:30pm - EST
Instructor: Jared Ondricek (jondricek@mitre.org). Jared is a Cyber Security Engineer with The MITRE Corporation who has a
passion for everything related to mobile security. He has experience with reverse engineering applications and malware on several
platforms, doing forensics analysis, and working in both research and incident response environments. Additionally he presented at
DFRWS 2013 on "Detecting Maliciousness Using Periodic Mobile Forensics" from the MITRE Innovation Program. If he isn't
reading up on the latest Android security threats, then he is either developing methods to automate the analysis process of unknown
files, finding best practice ways of sharing analysis results and tools with others, or tinkering with the Android operating system
source code. He is pursuing an MS in Computer Science at The George Washington University and he received his BS in Computer
Information Technology from Brigham Young University - Idaho.
TPL482: JSON and JSON Schema
Course Description: JSON is a data format that is increasingly being used for data exchanges due to its compactness. JSON
Schema is a simple, powerful schema language for validating JSON-formatted data. In this course you will learn the JSON data
format and you will learn the JSON Schema language. You will learn how to write JSON documents. You will learn how to create
JSON Schemas and validate JSON documents against JSON Schemas.
Format: Lecture/Lab
Prerequisites: None
Target Audience: All MITRE Staff
Length: Two Days
Schedule: 3-Feb-2015 - 4-Feb-2015 (8:00 - 4:00)
Instructor: Roger Costello (costello@mitre.org) is a lead staff in E54C, Agile and Adaptive Software Engineering. He has worked
extensively in the Internet technologies area. Roger has been actively involved with XML and the entire family of XML technologies
for several years. Roger has created and taught over a dozen different courses on the XML technologies and is regularly invited to talk
at XML conferences. He has traveled to many of the MITRE sites around the world, providing XML training. Roger is regularly
invited to teach XML courses to the Boston chapter of the IEEE.
As well as XML training, Roger consults for numerous MITRE projects that are using XML technologies. He has a Ph.D. in
Computer Science from Ohio State University.
TST414: Introduction to Bayesian Data Analysis
Course Description: Data analysis is the process of making inferences from data. This process is very familiar to MITRE staff, so
that most would claim that they know all about it, or at least enough about it to get their work done.
Inferential methodology, however, has undergone a major revolution over the past twenty years due primarily to advances in
computer hardware and software. The result has been a new, updated Bayesian approach.
This course provides an overview of this new methodology with enough detail to enable you to continue pursuing the subject on your
own. The focus is on developing mathematical models from data.
Contemporary Bayesian methodology is far more powerful and intuitive than traditional alternatives but it is not a black-box
algorithm. There are no canned formulas with this approach and no "quick-and-dirty" answers.
Topics covered will include:
• Reasons why inferential methodology is changing
• Essentials of the new paradigm
• Computational procedures, especially Markov Chain Monte Carlo (MCMC)
• Several detailed examples
• Comparison of new and old techniques
• Suggestions for computer programming
• A brief look at available software and other resources
Course Objectives:
• Understand the nature of Bayesian methodology and why it is gradually supplanting traditional approaches to inference
• Have a better appreciation of the range of data analysis problems that are solvable and the effort needed to solve them
• Be aware of the various procedures involved in Bayesian inference and the nature of their output
• Know enough about the relevant mathematics and computer programming to assess the feasibility of doing similar studies on their own
• Know what further resources are available and where to find them
Format: Lecture
Prerequisites: Experience in data analysis is necessary to provide a context for the new material. Although we shall not actually do
any mathematics, students should have a background that includes basic statistics and calculus, at least to the extent that the concepts
and symbology are familiar. Computer programming experience would be helpful but is not required.
Target Audience: All MITRE Technical Staff
Length: 2 days (14 hours)
Schedule: 2-Dec-2014 - 3-Dec-2014 (8:30 - 4:30)
Instructor: Michael P. McLaughlin, a native of Portland, Maine, holds several academic degrees: B.S. in Chemistry, Seattle
University (1966), M.Sc. and Ph.D. in Organic Chemistry, Univ. of Massachusetts (Amherst) (1970, 1977), Ap. Sc. in Computer
Heuristics, Modeling and Numerical Methods, George Washington University (1987).
In 1966-68 and 1971-75, he lived in Ghana, West Africa where he taught high school and college-level chemistry, first as a Peace
Corps volunteer and, later, as a contract teacher.
Before coming to MITRE, in 1980, Dr. McLaughlin was Asst. Professor of Chemistry at Indiana University. He first joined MITRE as
an MTS in the Environment Division and is currently working in CAASD, on GPS/WAAS. Outside of MITRE, he is a Macintosh
software developer, occasional writer and webmaster of two websites.
More details can be found in the Bio section of Dr. McLaughlin's personal webpage:
http://www.geocities.com/~mikemclaughlin/Bio.html
TSV062: Privacy Engineering
Course Description: This class is the first half-day session of a full day on Privacy. This morning class will focus on Privacy
Engineering, while the afternoon class (TSV063) will focus on privacy for health care systems. If you manage projects where
Personally Identifiable Information (PII) is collected and/or used either by MITRE or by sponsors, then you will want to attend the
morning session. If you or your sponsors work with health care systems or data, then you will want to apply to attend both the
morning (TSV062) and afternoon (TSV063) classes.
Mission-critical privacy issues continue to be challenges. One solution is Privacy by Design (PbD), a set of principles which
advocates that privacy be the default mode of operation for organizations and systems. MITRE's Privacy Community of Practice
(CoP) is leading the way with its recently developed Privacy Engineering Framework, which aims to make PbD a usable and
repeatable tool for use both by MITRE and sponsors by taking a systems engineering approach to PbD. This session will discuss the
concept of PbD and the Privacy Engineering Framework and will cover other privacy-related issues and practices in the design and
implementation of information technologies, including what to do to ensure that NIST SP 800-53 Rev 4 Appendix J Privacy Controls
are addressed within sponsor systems. Attending this session will enable you to ensure that appropriate actions are being followed to
embed privacy into technology and processes.
Course Objectives:
• Understand the concept of privacy and the importance of developing privacy into systems from the beginning
• Understand what Privacy by Design (PbD) is and its usefulness for the federal government
• Understand how to use the Privacy Engineering Framework at MITRE and with sponsors to take a systems engineering approach
to privacy
• Understand how privacy can be integrated into the different stages of the systems engineering life cycle
Format: Presentation and classroom interaction.
Prerequisites: None
Target Audience: All MITRE staff and managers, particularly those working with system engineering concepts or programs that
handle PII.
Length: ½ Day
Approved for Public Release; Distribution Unlimited. Case Number 14-3731
©2014 The MITRE Corporation. ALL RIGHTS RESERVED
Schedule: December 4, 2014 - 8:30am - 12:00pm - EST
Instructor: Catherine M. Petrozzino (cmp@mitre.org) (J83B), CIPP/US/G/IT is a Senior Information Privacy and Cyber Security
Consultant at the MITRE Corporation. She has 25+ years of experience in information technology - the last 20 of which were focused
on information security and privacy. Ms. Petrozzino is a senior leader for MITRE's privacy community of practice and currently
supports healthcare-related privacy and security research and assists with the identification and management of privacy risk for
MITRE and for external sponsors - particularly in the area of protected health information and other types of personal medical
information. She led/supported the development and design of privacy-enhancing tools that are actively being used by different
sponsor organizations to support their privacy programs and systems development. Her past responsibilities included overseeing
MITRE's DoD privacy work...Prior to MITRE, Ms. Petrozzino was a member of the information security and privacy teams for John
Hancock Financial Services. Her responsibilities included ensuring John Hancock's IT systems were compliant with HIPAA and
Gramm-Leach-Bliley (GLB). She holds a B.A. in Mathematical Sciences from Johns Hopkins University, and an M.S. in Computer
Science from Northeastern University. She has served as one of the lead faculty for the IAPP's Privacy Training Program.
Stuart S. Shapiro (sshapiro@mitre.org) (J83B) is a Principal Information Privacy and Security Engineer at MITRE and has supported
a wide range of privacy and security activities involving, among others, critical infrastructure protection, policy frameworks, risk and
control assessment, and incident response. In particular, he has led multiple research and operational efforts in the areas of privacy
engineering, privacy risk management, and privacy-enhancing technologies (PETs). He has written and presented on privacy
engineering (and the related Privacy by Design), privacy risk modeling, and PETs in numerous forums and participates in multiple
privacy-relevant standards efforts. Among his professional affiliations are the International Association of Privacy Professionals
(IAPP), the Advisory Board of the Ponemon Institute's Responsible Information Management Council, and the US Public Policy
Council of the Association for Computing Machinery (USACM) where he currently serves as Co-Vice-Chair.
Kris Miller (kmiller@mitre.org) is a Principal Privacy Strategist within the Enterprise Strategy and Transformation (ES&T) division at
the MITRE Corporation. Kris's practice focuses on domestic and international policy development, strategic privacy planning,
enterprise data governance, legal and regulatory compliance, and the development of federal information technology (IT) systems that
incorporate privacy-by-design. Kris has been a trusted advisor to government executives in the Department of Defense (DoD), the
Department of Health and Human Services (HHS), the Veterans Administration (VA), and the Department of Homeland Security
(DHS). Kris's matters span US federal laws - including the Privacy Act of 1974, the e-Government Act of 2002, and the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) - to state privacy laws and international privacy regimes, particularly
in the European Union (EU). In the healthcare space, Kris helped CMS (CCIIO) draft data sharing agreements to facilitate operation
of the Affordable Care Act, led the Prescription Drug Management Program project law and Policy Work Group, co-authored the
book Information Privacy in the Evolving Healthcare Environment, and he currently leads MITRE's privacy and security work for the
Office of the National Coordinator for Health IT (ONC), its Chief Privacy Officer, and related FACA committee working groups
focused on privacy, security, and transport. Kris is licensed to practice law in both New York and Connecticut, and he is a Certified
Information Privacy Professional with specific qualifications in US Government and EU privacy (CIPP/G and CIPP/E).
TSV064: Introduction to Hardware Hacking
Course Description: Embedded devices are all around us. They’re in our homes, our cars, our workplaces, on our bodies, on our
roads and in our airspace. Embedded devices are literally everywhere. Gartner estimates 26 billion devices by 2020. Traditionally,
these devices have been isolated but current and future trends are to interconnect these devices to form the Internet of Things. This
interconnectedness increases the importance of securing these devices.
Introduction to hardware hacking is a course with the following goals:
1) Introduction to embedded systems
2) Presentation of techniques an attacker may utilize to reveal the inner workings of an embedded system
3) Some discussion of how this knowledge can be leveraged to subvert intended system behavior
The course will include several labs to reinforce concepts.
Course Objectives:
• Embedded system basics
• Basic soldering technique
• Board analysis methodology
• Identification of peripherals, data buses, diagnostic ports and tap points
• Device instrumentation
• Bus monitoring and decoding
• Development access via JTAG
Format: Lecture and labs.
Prerequisites: None
Target Audience: This course is open to all MITRE technical staff.
Length: 2 Days (14 Hours)
Schedule: March 9-10, 2015 (8:30-4:30)
Instructor: Chris Korban (ckorban@mitre.org) is a Sr. Cyber Security Engineer in Department J83J - Defense Cyber Security.
Bob Heinemann (rheinemann@mitre.org) is a Lead Multi-Discipline Systems Engineer in Department J52B - Cyber Operations.
TSV065: Introduction to Side-Channel Analysis
Course Description: During the last 15 years, it has been widely demonstrated that electronic devices leak information about their
internal state as they perform computations, presenting a major security threat to embedded systems. This information leakage can be
observed through so-called "side-channels" such as system timing, power consumption, electromagnetic radiation, and many others.
The development of side-channel attacks that exploit this information leakage to compromise otherwise secure algorithms continues
to be an active field of research. Are your systems vulnerable to such an attack?
This course is an introduction to the threat of side-channel attacks, how they work in theory and practice, and how to defend against
them. Topics include:
• Simple power and electromagnetic analysis (SPA/SEMA)
• Differential power and electromagnetic analysis (DPA/DEMA)
• Signal Processing
• Countermeasures
• Side-channel analysis tools and data acquisition hardware
During the course students will complete hands-on exercises to gain a better understanding of how side-channel attacks work, the
difficulty of conducting various attacks, and the effectiveness of various countermeasures. Students will have an opportunity to
collect their own side-channel data on a real embedded target and modify the code running on the target. Students will benefit from
having some prior familiarity with the programming languages Python and C, as most of the analysis tools are written in Python and
the target code is written in C.
This class will serve as a prerequisite for a later class on advanced side-channel analysis.
Course Objectives:
• Provide detailed knowledge on the threat of side-channel attacks and how to understand their potential impact on overall system
security.
• Demonstrate how basic side-channel attacks work
• Introduce countermeasures to defend against these basic attacks
• Discuss advanced side-channel attacks and how the side-channel threat is evolving
• Provide insight on the impact of security architectures on end device security requirements
Format: Lecture, demos, and lab exercises.
Prerequisites: None, however, some programming experience with Python and C would be helpful.
Target Audience: This course is open to all MITRE technical staff.
Length: 2 Days (14 Hours)
Schedule: June 8-9, 2015 (8:30-4:30)
Instructor: Adam Woodbury (awoodbury@mitre.org) is a Digital/Micro HW Eng, Principal in Department J82E - Electronic Sys
Development. He is actively involved in the development of J82E's Secure Electronic Lab, which has advanced capabilities for
researching implementation security issues such as side-channel leakage, fault induction, and trusted hardware.
Dan has worked in the area of embedded systems since arriving at MITRE in 2006. He is the principal investigator on the IESC MIP,
which is developing tools to help evaluate and protect software against side-channel attacks.
Joseph Chapman (jchapman@mitre.org) is a Digital/Micro HW Eng, Lead in Department J82E - Electronic Sys Development. He is
actively involved in the development of J82E's Secure Electronic Lab, which has advanced capabilities for researching
implementation security issues such as side-channel leakage, fault induction, and trusted hardware.
Joe has worked at MITRE since 2005 and has worked on a variety of projects concerning signal processing and embedded security.
He is currently working on developing tools to integrate side-channel attack threat evaluation into the FPGA and ASIC design process
to enable automated threat analysis and countermeasure validation.
Daniel Walters (dwalters@mitre.org) is a Digital/Micro HW Eng, Lead in Department J82E - Electronic Sys Development. He is
actively involved in the development of J82E's Secure Electronic Lab, which has advanced capabilities for researching
implementation security issues such as side-channel leakage, fault induction, and trusted hardware.
Dan has worked in the area of embedded systems since arriving at MITRE in 2006. He is the principal investigator on the IESC MIP,
which is developing tools to help evaluate and protect software against side-channel attacks.
TSV066: Linux/Unix Security
Course Description: This course is a hands-on introduction to Linux/Unix security fundamentals that are critical to cyber security.
Curriculum will start from basic host security, working up to Security-Enhanced Linux (SELinux) and Mandatory Access Control
(MAC) configuration. This course will be designed to fill in knowledge gaps for attendees. Attendees with all levels of technical
backgrounds will benefit from this class.
Critical components include audit configuration, data encryption, securely managing system resources, kernel security and managing
privileges. Each component will be examined on both Linux based systems (CentOS) and Unix/BSD based systems (FreeBSD) to
further enhance the learning process by showing different ways to address similar problems.
The class will incorporate hands-on exercises and labs. Students will gain an understanding of host based security configuration
concepts. These concepts will be demonstrated by student labs based on common misconfigurations that students must address by
applying concepts learned throughout the class. The class will culminate when students are asked to secure a system that has been
preconfigured with bugs that have been stacked to form an insecure user environment.
It is expected that attendees will have knowledge in one or more topics covered in the class. This class is meant to fill in gaps and
allow students to build on their previous knowledge to become more technically skilled cyber security professionals. Solid
foundational knowledge will allow students to easily understand more advanced topics. The technical confidence students will gain
in this class will allow them to quickly tackle technical hurdles in their day-to-day work. We need more "ninjas" in MITRE tech
centers, who are not intimidated by the unknown, and have a broad technical background, enabling them to overcome adversity to
solve critical cyber security problems.
Course Objectives:
• Introduce Linux host based security
• Review security options available to a Linux/Unix host
• Review auditing options available to a Linux/Unix host
• Learn fundamentals of Mandatory Access Control (MAC)
• Learn how to implement privilege separation for users and processes
• Understand security implications of default Linux/Unix configurations
• All attendees will apply all knowledge through lab exercises during the course
Format: Lab
Prerequisites: Minimal networking, system administration, and/or cyber security knowledge.
Target Audience:
• Junior tech staff
• Senior tech staff that have found themselves working in a lab
• Engineers changing disciplines to cyber security
• Engineers in other fields supporting cyber work.
Length: 2 Days (14 Hours)
Schedule: February 5-6, 2015 (8:30-4:30)
Instructor: Derek Anderson (danderson@mitre.org) is a Lead Cyber Security Engineer in Department J83C - Army/Navy Security.
He supports various customers performing vulnerability assessments and prototype development. Previous to MITRE, he worked in a
world-class managed security service SOC as a Security Analyst. Derek holds a BS in Information Technology from Rochester
Institute of Technology and is currently enrolled in a Master's program in Information Assurance at Capitol College.
TSV100: Introduction to Secure Coding
Course Description: The purpose of this course is to provide developers at MITRE with focused training related to secure coding.
The hope is that each developer will leave the course with a better understanding of how they can improve, from a security
perspective, the code that they write. This course provides a look at some of the most prevalent security related coding mistakes
made here at MITRE. Each type of issue is explained in depth including how a malicious user may attack the code, and strategies for
avoiding the issues are then reviewed. Knowledge of at least one programming language is required, although the specific
programming language is not important as the concepts that will be discussed are language independent. The course will cover many
of the weaknesses within the context of a web application, but most of the concepts will apply to all application development.
Course Objectives:
• Reinforce the importance of secure coding
• Identify the most common code level weaknesses within MITRE
• Provide an overview of each weakness type including examples within code (weaknesses include cross-site scripting, SQL
injection and bypassing authorization checks)
• Demonstrate how malicious users will exploit these weaknesses
• Discuss techniques to avoid each weakness
• Provide an overview of internal and external resources available to developers
Format: This one-day course is set up as an exploration through a hypothetical web application where a malicious user attempts to
take advantage of certain flaws within the code. Throughout the course, we will be identifying the flaws, discussing them,
understanding the specific attacks, and finally discussing how to improve the code to prevent the attack.
Prerequisites: Participants must have working knowledge and experience writing code and developing applications. A specific
programming language is not required as the concepts that will be discussed are language independent.
Target Audience: This course is open to MITRE technical staff that develop code and wish to increase their understanding of secure
coding. Staff attending this course may be asked to participate in hands-on course work and activities.
Length: 1 Day, 7 hours
Schedule: 12-Nov-2014 (Session 0013)
Schedule: 13 April 2015 (Session 0015)
Instructor: Drew Buttner has been at MITRE since 2001 and is one of the leaders of MITRE's software assurance work program in
support of both MITRE internal and its Government sponsors. His experience and technical expertise are in the areas of code
development, standardization, and static code analysis. The past couple of years he has provided support to both the Department of
Defense and NIST in their research of static analysis tools. Currently he is working to establish a secure code review practice for the
MITRE Community.
Larry Shields is a principal InfoSec Engineer with G022, working in MITRE InfoSec. Conducting code reviews for MITRE developed
applications is one of the many tasks on his plate. Prior to coming to MITRE, Larry spent many years running code reviews,
conducting penetration testing, and teaching application security courses for Fidelity Investments. He is a Certified Information
Systems Security Professional (CISSP), and has been a contributor to the Open Web Application Security Project (OWASP).
TSV404: Introduction to Vulnerability Assessment
Course Description: The purpose of this course on Vulnerability Assessment is to demonstrate how to identify vulnerabilities in a
computer network, determine how a cyber attacker might exploit these vulnerabilities, and examine how the vulnerabilities might be
mitigated. A methodology is presented in the course for conducting vulnerability assessments for MITRE sponsors. The methodology
lays out an orderly approach for conducting a vulnerability assessment and demonstrates numerous tools and techniques in an
isolated computer laboratory setting to examine such problems through penetration testing.
**The course content may be subject to slight changes.**
Course Objectives:
• Learn a general methodology for conducting assessments
• Scan and map network topology
• Identify listening ports/services on hosts
• Fingerprint operating systems remotely
• Learn methodology/best practices for audit of routers, switches, and firewalls
• Learn methodology/best practices for audit of UNIX and Windows security
• Learn methodology/best practices for web application security assessments
Format: This three-day course has lectures and demonstrations to provide the conceptual approach to vulnerability assessments and
laboratory time to use various tools and techniques to understand the enumeration and identification phases of a security assessment.
Prerequisites: Participants should have a good to excellent understanding of the UNIX and Windows operating systems. They should
have a good understanding of the TCP/IP protocol suite. For example, they should be familiar with TCP, IP, UDP, and ICMP packet
header formats and how these protocols are used. Programming experience in Perl and/or C is desired. They should also have a
general background in computer and/or network security and understand general approaches to policies and procedures for developing
a security plan for an installation or facility or agency.
Target Audience: This course is open to MITRE technical staff who wish to increase their understanding of the vulnerability
assessment process and techniques. Staff completing this course may be asked to contribute to sponsor tasks involving vulnerability
assessments.
Length: 3 days, 21 hours
Schedule: 2-Dec-2014 - 4-Dec-2014 (8:30 - 4:30)
Instructor: Nathan Adams (nadams@mitre.org) is Principal Information Security Engineer and the primary focal point for the
Security Testing Community of Practice within MITRE. He has been leading and providing security testing activities including
penetration testing, vulnerability assessments, and security test and evaluations to federal organizations including the DoD,
Intelligence Community, and several federal civil agencies since 2001. He holds an M.S. in Computer Science from Colorado
Technical University and is a Certified Information Systems Security Professional (CISSP).
TSV427: Introduction to Reverse Engineering Software
Course Description: Throughout the history of invention curious minds have sought to understand the inner workings of their
gadgets. Whether investigating a broken watch, or improving an engine, these people have broken down their goods into their
elemental parts to understand how they work. This is Reverse Engineering (RE), and it is done every day from recreating outdated
and incompatible software, understanding malicious code, or exploiting weaknesses in software.
In this course we will explore what drives people to reverse engineer software and the methodology and tools used to do it.
Topics include, but are not limited to:
• Uses for RE
• The tricks and pitfalls of analyzing compiled code
• Identifying calling conventions
• How to navigate x86 assembly using IDA Pro
• Identifying Control Flows
• Identifying the Win32 API
• Using a debugger to aid RE
• Dynamic Analysis tools and techniques for RE
During the course students will complete many hands-on exercises.
This class will serve as a prerequisite for a later class on malware analysis.
Course Objectives:
• Provide detailed knowledge on RE methodology and tools
• Demonstrate how to navigate x86 assembly code while avoiding tangents
• Prepare students for follow-on courses in Malware and Vulnerability Analysis
Format: Lecture/lab
Prerequisites:
• An introductory course on x86 assembly such as TPL103. TPL465 Intermediate x86 is also recommended.
• Must be comfortable with the C programming language.
• An understanding of the Microsoft Portable Executable & Common Object File Format (PE-COFF), such as is conveyed in
the TSV424 Life of Binaries class.
• Experience with Python a plus.
Target Audience:
• Developers who want to understand the correspondence between high-level code and machine code.
• Staff who want to better understand the low level hardware mechanisms which support binary program execution and
operating system design.
• Staff interested in reverse engineering and malware analysis.
• Staff interested in vulnerability research and mitigation.
Length: Two days (14 hours)
Bedford Schedule: 23-Feb-2015 - 24-Feb-2015 (8:30 - 4:30)
For more information: Contact Bo Kaufmann at 781.271.3112.
Instructor: Frank Posluszny has been supporting computer network defense teams focused on targeted (APT/ACT) attacks since
2008. His current role supports security engineering, performs malware analysis, and reverse engineers malware command and control
(C2) protocols. He has contributed to open source projects, including the Zero Wine Tryouts malware analysis suite. He has a BS and
an MS in Computer Science from Worcester Polytechnic Institute, where he focused on networking and systems security.
TSV432: Introduction to Trusted Computing and the Use of Trusted
Platform Modules
Course Description: This course is an introduction to the fundamental technologies behind Trusted Computing. You will learn
what Trusted Platform Modules (TPMs) are and what capabilities they can provide both at an in-depth technical level and in an
enterprise context. You will also learn about how other technologies such as the Dynamic Root of Trust for Measurement (DRTM)
and virtualization can both take advantage of TPMs and be used to enhance the TPM's capabilities. We will cover major use cases for
trusted computing, including machine authentication, data protection, and attestation. This course will also introduce you to the
various software resources that exist today to support TPMs, give a high-level overview of related research and development
projects, and briefly discuss other trusted computing standards such as Trusted Network Connect which may be relevant to enterprise
deployment of TPMs and trusted computing.
Course Objectives:
• Introduce students to both basic and advanced TPM capabilities, as well as other trusted computing standards and technologies
• Show how TPMs and related technologies can be used in enterprise environments and for cutting-edge research
• Give students the necessary tools and information to design and build systems that take advantage of trusted computing
Format: This class is presentations, discussions, and demonstrations.
Prerequisites: Familiarity with the basic principles of cryptography and security will help, as will prior exposure to hashes, public and
private keys, discussion of integrity or authenticity, and so forth.
Target Audience: Engineers and system designers who may need to use TPMs or trusted computing in upcoming projects. People
who have heard about TPMs and Trusted Computing but don't really know whether it's useful to them or what it's good for. Enterprise
system designers who are concerned about out-of-date software, stolen certificates, or unauthorized machines and are looking for
possible solutions. Staff applying to the Deep System Security & Trusted Computing Learning Path.
Length: 2 Days - 14 Hours
Schedule: March 26-27, 2015 - 8:30am - 4:30pm - EST
Instructor: Xeno Kovah graduated from Carnegie Mellon University in 2007 with a Masters of Science in Information Security
Technology and Management. While there he researched worms, bots, and malware. While taking the highly regarded Operating
Systems class, in which students build an OS from scratch, he gained a greater appreciation of how the capabilities provided by
hardware influence the software abstractions built above them. Xeno also studied computer science and electrical engineering at the
University of Minnesota. There he approached assembly both from software down, in CS classes, and from hardware up, in EE
classes. Xeno has experience with 4 other assembly languages beyond x86: PowerPC, ARM, SPARC, and M68HC12.
TSV436: Secure Code Review
Course Description: This course is designed to help developers bring a secure coding mindset into typical project peer reviews.
The course briefly talks about the development lifecycle and the importance of peer reviews in delivering a quality product. How to
perform this review is discussed and how to keep secure coding a priority during the review is stressed. A variety of hands-on
exercises will address common coding mistakes, what to focus on during a review, and how to manage limited time.
Throughout the course, the class will break out into pairs and perform example peer reviews on sample code. Perl will be used for the
hands-on exercises; however every attempt will be made to generalize the code such that anyone with an understanding of a coding
language will be comfortable.
Course Objectives:
• Describe how peer reviews fit into the software development process
• Start a peer review and gain the necessary background about the code
• Identify techniques for making sense of a large amount of code
• Review common secure coding mistakes
• Create report findings that go back to the developer
Format: Lecture plus team exercises
Prerequisites: TSV100 Introduction to Secure Coding
Target Audience: Developers
Length: One day (7 hours)
Schedule: 29-Jan-2015 (Session 0005)
Schedule: 7-May-2015 (Session 0006)
Instructor: Drew Buttner has been at MITRE since 2001 and is one of the leaders of MITRE's software assurance work program in
support of both MITRE internal and its Government sponsors. His experience and technical expertise are in the areas of code
development, standardization, and static code analysis. The past couple of years he has provided support to both the Department of
Defense and NIST in their research of static analysis tools. Currently he is working to establish a secure code review practice for the
MITRE Community.