
Fall 2014 Course Schedule


Approved for Public Release; Distribution Unlimited. Case Number 14-3731 ©2014 The MITRE Corporation. ALL RIGHTS RESERVED

TPL011: Introduction to C Programming

TPL036: Introduction to Ruby and Rails

TPL064: An Introduction to Computer Vision and Automated Object Recognition

TPL103: Introduction to Intel x86-64

TPL109: Introduction to ARM (Advanced/Acorn RISC Machine) Architecture & Software Systems

TPL465: Intermediate Intel x86: Architecture, Assembly, and Applications

TPL477: Introduction to Android Forensics and Security Testing

TPL482: JSON and JSON Schema

TST414: Introduction to Bayesian Data Analysis

TSV062: Privacy Engineering

TSV064: Introduction to Hardware Hacking

TSV065: Introduction to Side-Channel Analysis

TSV066: Linux/Unix Security

TSV100: Introduction to Secure Coding

TSV404: Introduction to Vulnerability Assessment

TSV427: Introduction to Reverse Engineering Software

TSV432: Introduction to Trusted Computing and the Use of Trusted Platform Modules

TSV436: Secure Code Review


TPL011: Introduction to C Programming

Course Description: This course is an introduction to the C programming language. C is primarily a systems programming language suitable for a wide variety of domains. It is the implementation language of the Linux kernel and many standard Unix utilities, and is the basis for higher level languages like C++ and Java. This class is for people who have prior programming experience in any language and would like to learn C. It will include instruction as a lecture, with labs interleaved to give students experience in the concepts being taught.

Course Objectives:

• A basic understanding of the C language and standard library

• Understanding of common C programming techniques, including procedural and object oriented approaches

• Be able to use the standard socket APIs for Linux and Windows

• Be able to do file input and output safely

Format: Presentation, exercises, and labs.

Prerequisites: Previous programming experience.

Target Audience: All MITRE technical staff, and staff applying to the Deep System Security & Trusted Computing Learning Path.

Length: 2 Days

Schedule: December 8-9, 2014 - 8:30am - 4:30pm - EST

Instructor: Collin Hockey ([email protected]) is a Senior Digital/Microprocessor Hardware Engineer in Bedford in the Electronic Systems Development Department J82E. Since 2010, Collin has worked on multiple projects, including GPS, the Tactical Wireless Channel Emulator, and most recently on embedded software for the Bistatic Radar portfolio.

TPL036: Introduction to Ruby and Rails

Course Description: This course provides a thorough introduction to the Ruby programming language. Students will explore what differentiates Ruby from other modern programming languages.

The class will have a strong focus on the tools that Ruby provides to generate logic and build applications with less code than other programming languages. Once a basic understanding of the Ruby programming language is attained, the class will provide an introduction to Ruby on Rails.

This is a popular development framework for rapidly creating web applications. Students will leave the class with the tools they need to create simple Ruby and Rails applications and explore the ecosystem further on their own.

Course Objectives:

• Install and set up a Ruby and Rails environment

• Identify the basics of the Ruby programming language.

• Create and configure a Rails application

• Develop a basic understanding of programming with Ruby, with the tools necessary to learn more


• Provide knowledge on the architecture of a Ruby on Rails application, with the ability to create a basic web application using it.

Format: Lecture/Lab

Prerequisites: Experience with an object oriented programming language, such as Java or C#

Target Audience: This course is open to all MITRE technical staff.

Length: 2 Days (14 Hours)

Schedule: 11-Feb-2015 - 12-Feb-2015 (8:30 - 4:30)

Instructor: Andy is an architect and developer on popHealth, a Ruby-based open source platform for calculating clinical quality measures. The design of popHealth allows the software to calculate quality measures for very large groups of patients in an easily scalable fashion. Andy is Technical Lead of the current effort to deploy a popHealth prototype installation at VA.

Andy holds a BS in Electrical Engineering from Eastern Nazarene College and an MS in Computer Systems Engineering from Boston University.

TPL064: An Introduction to Computer Vision and Automated Object Recognition

Course Description: How can computers understand and interpret the visual world of humans? This course is an introduction to computer vision and automated object recognition in images and videos. In the simplest terms, computer vision is the exploration of "teaching machines how to see." Although this field dates back more than forty years, the recent explosive growth of images and videos has made the challenges of automated image interpretation more exciting and relevant than ever. This course will be a hands-on exploration of some of the fundamental aspects of computer vision. Topics will include image processing, image segmentation, facial recognition, automated object recognition and detection. With the help of the instructor, participants will learn to employ the latest developments in object recognition to build their own recognition systems.

Course Objectives:

• To understand and address the major approaches of basic issues in computer vision

• To develop hands-on experience with the latest automated image and video processing techniques

• Learning about image processing and segmentation, facial recognition, automated object recognition and detection

Format: Presentation, discussion, combined with a hands-on lab component.

Prerequisites: Some programming experience in C, C++, or Python.

Target Audience: Participants interested in learning about image and video processing with some programming skills background.

Length: 2 Days - 14 Hours

Schedule: December 1-2, 2014 - 8:30am - 4:30pm - EST


Instructor: Mikel Rodriguez ([email protected]) is a researcher at MITRE. He was a post-doctoral fellow at the INRIA Willow team at the Département d'Informatique of Ecole Normale Supérieure in Paris, France. Mikel completed his PhD in Computer Science at UCF. His research focuses mainly on video interpretation which includes tracking, visual motion analysis, activity recognition, and crowd behavior analysis. An overview of the computer vision research being done by Mikel Rodriguez and his group can be found at: www.computervision.mitre.org/research/overview/

TPL103: Introduction to Intel x86-64

Course Description: Intel processors have been a major force in personal computing for more than 30 years. An understanding of low level computing mechanisms used in Intel chips as taught in this course serves as a foundation upon which to better understand other hardware, as well as many technical specialties such as reverse engineering, compiler design, operating system design, code optimization, and vulnerability exploitation.

25% of the time will be spent bootstrapping knowledge of fully OS-independent aspects of Intel architecture. 50% will be spent learning Windows tools and analysis of simple programs. The final 25% of time will be spent learning Linux tools for analysis. This distribution is partially due to Windows' dominance of the marketplace, but also because the tools on Windows are more mature and easier to use than those on Linux, allowing for a more gradual introduction for the student.

This class will serve as a foundation for the follow on Intermediate level class. It will teach the basic concepts and describe the hardware that assembly code deals with. It will also go over many of the most common assembly instructions. Although x86-64 has hundreds of special purpose instructions, students will be shown it is possible to read most programs by knowing only around 20-30 instructions and their variations.

The instructor-led lab work will include:

Stepping through a small program and watching the changes to the stack at each instruction (push, pop, call, ret (return), mov)

Stepping through a slightly more complicated program (adds lea (load effective address), add, sub)

Understanding the correspondence between C and assembly control transfer mechanisms (for example, goto in C == jmp in asm)

Understanding conditional control flow and how loops are translated from C to asm (conditional jumps, jge (jump greater than or equal), jle (jump less than or equal), ja (jump above), cmp (compare), test, etc.)

Boolean logic (and, or, xor, not)

Logical and Arithmetic bit shift instructions and the cases where each would be used (shl (logical shift left), shr (logical shift right), sal (arithmetic shift left), sar (arithmetic shift right))

Signed and unsigned multiplication and division

Special one instruction loops and how C functions like memset or memcpy can be implemented in one instruction plus setup (rep stos (repeat store to string), rep mov (repeat mov))

Misc instructions like leave and nop (no operation)

Running examples in the Visual Studio debugger on Windows and the GNU Debugger (GDB) on Linux

The famous "binary bomb" lab from the Carnegie Mellon University computer architecture class, which requires the student to do basic reverse engineering to progress through the different phases of the bomb giving the correct input to avoid it "blowing up." This will be an independent activity.

Course Objectives:


• Demonstrate to students with programming experience that assembly is not an arcane art, but rather an API which can be learned like any other.

• Allow students to gain exposure to a core set of Intel x86 architecture and assembly so as to be able to read and understand short programs in disassembled form.

• Provide exposure to a hands-on environment for both Windows and Linux.

• Describe the techniques for analyzing binary programs with both disassemblers and debuggers.

Format: Instructor-led seminar with detailed handouts and time for extensive class interaction. This class is a video broadcast. Synchronized audio, video, and presentation materials will be broadcast to remote student desktops. Return audio from remote students will be sent to audio speakers in the room, so that the remote students are integrated with the students in the classroom.

Prerequisites: Must be comfortable with C/C++ code and able to read and understand the source for short programs.

Target Audience: The class will provide a base of understanding for the following staff:

Developers who want to understand the correspondence between high level code and machine code.

Staff who want to better understand the low level hardware mechanisms which support binary program execution and operating system design.

Staff interested in reverse engineering and malware analysis.

Staff interested in vulnerability research and mitigation.

Staff applying to the Deep System Security & Trusted Computing Learning Path.

Length: 2 Days - 14 Hours

Schedule: January 22-23, 2015 - 8:30am - 4:30pm - EST

Instructor: Sam Cornwell ([email protected]) is a Senior Cyber Security Engineer at Fort Meade in Defense Cyber Security Department J83J. Since 2011, Sam has been working on projects such as Checkmate (a kernel and userspace memory integrity verification and timing-based attestation tool), Copernicus (a BIOS extractor and configuration checker), and several other private security sensors designed to combat sophisticated threats. He has also researched and developed attacks against UEFI SecureBoot.

TPL109: Introduction to ARM (Advanced/Acorn RISC Machine) Architecture & Software Systems

Course Description: Mobile devices based on RISC architectures such as ARM are becoming increasingly ubiquitous inside and outside sponsor environments. This class will provide an opportunity to examine the ARM processor architecture on which most mobile phones and many embedded systems are based.

The class will begin with an intro to the ARM architecture, focusing on the instruction sets (ARM and Thumb instruction sets) and features like processor modes, interrupts, and pipelining. The class will cover some systems level topics such as how different types of operating systems, like Linux on ARM and real-time operating systems, are implemented. This will include a lab with the use of Das U-Boot to boot your own "kernel." Topics will also try to include the basis for userspace-kernel separation on ARM, schedulers, and virtual memory.

There will be numerous labs, including an ARM port of the CMU Binary Bomb lab, where you perform basic reverse engineering on a binary. Labs will cover how C code translates to ARM assembly, as well as the changes induced by compiler optimizations. The class development environment will be the Android development environment; however the code developed will be at the bare-metal level, rather than the application level. This will provide experience with both disassembling and debugging ARM assembly. Labs will also include how to use Das U-Boot bootloader to run a home-made "kernel" or any bare-metal program.

Course Objectives:

• Learn that assembly is not an arcane art, but rather an API which can be learned like any other.

• Gain exposure to a core set of ARM architecture and assembly so as to be able to read and understand short programs in disassembled form.

• Navigate in a hands-on embedded environment for Linux which Android is built on.

• Identify the techniques for analyzing binary programs with both disassemblers and debuggers.

Format: Lecture and Lab

Prerequisites:

Ability to read simple C programs.

Students are strongly encouraged to have taken Introduction to Intel x86: Architecture, Assembly, Applications and Alliteration

Target Audience:

Developers wishing to learn about the deep internals of ARM-based phones

Security researchers

Forensic analysts

Incident responders

People interested in reverse engineering and malware analysis for phones

Length: 2 Days (14 Hours)

Schedule: February 19-20, 2015 (8:30-4:30)

Instructor: Ganu Kini ([email protected]) graduated from Carnegie Mellon University in 2011 with a Master of Science in Information Security Technology and Management. While there he had the opportunity to delve further into bare-metal ARM systems, develop a rudimentary kernel on the Gumstix platform using only the standard C library and look at some properties of a real time OS and its implications in safety and security critical applications. With a background in electrical engineering and materials science from Virginia Tech, Ganu has always tinkered with embedded systems since his high school days when he had the chance to participate in his first U.S. FIRST Robotics competition and has since mentored high school students for the same competition.

TPL465: Intermediate Intel x86: Architecture, Assembly, and Applications

Course Description: Building upon the introductory class (TPL103), this class goes into more depth on topics already learned, and introduces more advanced topics that dive deeper into how Intel-based systems work.

Topics will include, but are not limited to:

Physical and virtual memory and how a limited amount of physical memory is represented as much more virtual memory through a multi-level paging system. We will also talk about memory segmentation.

The hardware basis for kernel versus userspace separation and how software transitions between the two. This portion answers the question of why does x86 have 4 "rings", with ring 0 being the most privileged, and ring 3 being the least.

Hardware and software interrupts, and how they are the basis for debugging.


Input/Output instructions and how these allow the CPU to talk to peripherals.

Example applications will include showing how hardware and memory mechanisms are used for software exploits, anti-debug techniques, rootkit hiding, and direct hardware access for keystroke logging.

We will perform labs on:

Using WinDbg to perform kernel debugging on a virtual machine (which is equally applicable for debugging a real machine).

Using a custom WinDbg plugin to examine the Local (memory segment) Descriptor Table (LDT), and Global (memory segment) Descriptor Table (GDT) in order to understand how Windows sets memory segment ranges and permissions for userspace and kernel space.

Using WinDbg and the !pte command to understand how Windows organizes its paging structures which map physical memory to virtual memory.

Investigating where exactly the XD/NX bit is set in order to mark memory as non-executable (which Microsoft calls Data Execution Prevention (DEP)), to prevent some types of exploits from succeeding.

Using the Read Timestamp Counter (RDTSC) instruction to profile code execution time. Also, using a profile of code execution time to change a program's behavior in the presence of a debugger (e.g., executing different code if the code appears to have been stopped at a breakpoint).

Printing information about task state segments, which hold information that is used to find the kernel stack when an interrupt occurs.

Watching what does and doesn't change when a software interrupt is used to transfer control from userspace to kernel.

Reading the Interrupt Descriptor Table (IDT) and understanding the security implications of changes to it.

Understanding how RedPill uses the IDT in order to detect that a system is virtualized.

Having a process read its own memory when a software breakpoint is set, in order to see how a debugger will change memory to set the breakpoint but hide the change from the user.

Watching how hardware-based breakpoints manipulate dedicated debug registers.

Using port input/output to access the backdoor communications channel that VMware uses in order to send copy/paste, mouse movement, and other events in and out of a VM.

Using port I/O in order to talk directly to the PS2 keyboard controller in order to sniff keystrokes or flash keyboard LEDs.

Course Objectives:

• Understand that assembly is not an arcane art, but rather an API that can be learned like any other.

• Cover more of the most frequently used hardware mechanisms.

• Learn new assembly instructions.

• Apply new skills to interesting examples.

Format: Presentation, exercises, and labs.

Prerequisites:

Must be comfortable with C/C++ code and able to read and understand short C/C++ programs.

Must be comfortable with C/C++ pointers.

Must have taken the introductory class (TPL103) or demonstrate equivalent knowledge to the instructor.

Target Audience:


Developers who want to understand the correspondence between high level code and machine code.

Staff who want to better understand the low level hardware mechanisms which support binary program execution and operating system design.

Staff interested in reverse engineering and malware analysis.

Staff interested in vulnerability research and mitigation.

Staff applying to the Deep System Security & Trusted Computing Learning Path.

Length: 2 Days - 14 Hours

Schedule: February 9-10, 2015 8:30am - 4:30pm - EST

Instructor: Xeno Kovah graduated from Carnegie Mellon University in 2007 with a Master of Science in Information Security Technology and Management. While there he researched worms, bots, and malware. While taking the highly regarded Operating Systems class, in which students build an OS from scratch, he gained a greater appreciation of how the capabilities provided by hardware influence the software abstractions built above them. Xeno also studied computer science and electrical engineering at the University of Minnesota. There he approached assembly both from software down, in CS classes, and from hardware up, in EE classes. Xeno has experience with 4 other assembly languages beyond x86: PowerPC, ARM, SPARC, and M68HC12.

TPL477: Introduction to Android Forensics and Security Testing

Course Description: This course will cover the most common issues facing mobile devices, and general tips for securing mobile applications. Upon completion of the general mobile security overview, the course will delve into a proven practice in Mobile Device Forensics and Mobile Application Penetration Testing for Android devices. Over the two-day course, students will get hands-on time with open-source and commercial forensics tools, set up and explore reverse engineering development environments, and experience the process that G020 mobile security engineers have successfully applied to several projects. Areas covered include identifying application vulnerabilities, code analysis, memory & file system analysis, and insecure storage of sensitive data.

Course Objectives:

• Identify common issues and general tips for securing mobile applications

• Conduct forensics on Android devices

• Conduct a penetration test on an Android application

Format: Presentation, exercises, and labs.

Prerequisites: Development experience with Android and Eclipse, Windows command line and Linux/UNIX terminal.

Target Audience: Software Engineers developing Android applications, InfoSec Engineers conducting security assessments or engineering of Android applications and staff applying to the Mobile System Security Android Learning Path.

Length: 2 Days - 14 Hours

Schedule: December 9-10, 2014 - 8:30am - 4:30pm - EST

Instructor: Jared Ondricek ([email protected]). Jared is a Cyber Security Engineer with The MITRE Corporation who has a passion for everything related to mobile security. He has experience with reverse engineering applications and malware on several platforms, doing forensics analysis, and working in both research and incident response environments. Additionally he presented at DFRWS 2013 on "Detecting Maliciousness Using Periodic Mobile Forensics" from the MITRE Innovation Program. If he isn't reading up on the latest Android security threats, then he is either developing methods to automate the analysis process of unknown files, finding best practice ways of sharing analysis results and tools with others, or tinkering with the Android operating system source code. He is pursuing an MS in Computer Science at The George Washington University and he received his BS in Computer Information Technology from Brigham Young University - Idaho.

TPL482: JSON and JSON Schema

Course Description: JSON is a data format that is increasingly being used for data exchanges due to its compactness. JSON Schema is a simple, powerful schema language for validating JSON-formatted data. In this course you will learn the JSON data format and you will learn the JSON Schema language. You will learn how to write JSON documents. You will learn how to create JSON Schemas and validate JSON documents against JSON Schemas.

Format: Lecture/Lab

Prerequisites: None

Target Audience: All MITRE Staff

Length: Two Days

Schedule: 3-Feb-2015 - 4-Feb-2015 (8:00 - 4:00)

Instructor: Roger Costello ([email protected]) is a lead staff in E54C, Agile and Adaptive Software Engineering. He has worked extensively in the Internet technologies area. Roger has been actively involved with XML and the entire family of XML technologies for several years. Roger has created and taught over a dozen different courses on the XML technologies and is regularly invited to talk at XML conferences. He has traveled to many of the MITRE sites around the world, providing XML training. Roger is regularly invited to teach XML courses to the Boston chapter of the IEEE. As well as XML training, Roger consults for numerous MITRE projects that are using XML technologies. He has a Ph.D. in Computer Science from Ohio State University.

TST414: Introduction to Bayesian Data Analysis

Course Description: Data analysis is the process of making inferences from data. This process is very familiar to MITRE staff, so

that most would claim that they know all about it, or at least enough about it to get their work done.

Inferential methodology, however, has undergone a major revolution over the past twenty years due primarily to advances in

computer hardware and software. The result has been a new, updated Bayesian approach.

This course provides an overview of this new methodology with enough detail to enable you to continue pursuing the subject on your

own. The focus is on developing mathematical models from data.

Contemporary Bayesian methodology is far more powerful and intuitive than traditional alternatives but it is not a black-box

algorithm. There are no canned formulas with this approach and no "quick-and-dirty" answers.

Topics covered will include:

• Reasons why inferential methodology is changing

• Essentials of the new paradigm

• Computational procedures, especially Markov Chain Monte Carlo (MCMC)

• Several detailed examples

• Comparison of new and old techniques

• Suggestions for computer programming

• A brief look at available software and other resources

Course Objectives:

• Understand the nature of Bayesian methodology and why it is gradually supplanting traditional approaches to inference

• Have a better appreciation of the range of data analysis problems that are solvable and the effort needed to solve them

• Be aware of the various procedures involved in Bayesian inference and the nature of their output

• Know enough about the relevant mathematics and computer programming to assess the feasibility of doing similar studies on their own

• Know what further resources are available and where to find them

Format: Lecture

Prerequisites: Experience in data analysis is necessary to provide a context for the new material. Although we shall not actually do

any mathematics, students should have a background that includes basic statistics and calculus, at least to the extent that the concepts

and symbology be familiar. Computer programming experience would be helpful but is not required.

Target Audience: All MITRE Technical Staff

Length: 2 days (14 hours)

Schedule: 2-Dec-2014 - 3-Dec-2014 (8:30 - 4:30)

Instructor: Michael P. McLaughlin, a native of Portland, Maine, holds several academic degrees: B.S. in Chemistry, Seattle

University (1966), M.Sc. and Ph.D. in Organic Chemistry, Univ. of Massachusetts (Amherst) (1970, 1977), Ap. Sc. in Computer

Heuristics, Modeling and Numerical Methods, George Washington University (1987).

In 1966-68 and 1971-75, he lived in Ghana, West Africa where he taught high school and college-level chemistry, first as a Peace

Corps volunteer and, later, as a contract teacher.

Before coming to MITRE, in 1980, Dr. McLaughlin was Asst. Professor of Chemistry at Indiana University. He first joined MITRE as

an MTS in the Environment Division and is currently working in CAASD, on GPS/WAAS. Outside of MITRE, he is a Macintosh

software developer, occasional writer and webmaster of two websites.

More details can be found in the Bio section of Dr. McLaughlin's personal webpage:

http://www.geocities.com/~mikemclaughlin/Bio.html

TSV062: Privacy Engineering

Course Description: This class is the first half-day session of a full day on Privacy. This morning class will focus on Privacy

Engineering, while the afternoon class (TSV063) will focus on privacy for health care systems. If you manage projects where

Personally Identifiable Information (PII) is collected and/or used either by MITRE or by sponsors, then you will want to attend the

morning session. If you or your sponsors work with health care systems or data, then you will want to apply to attend both the

morning (TSV062) and afternoon (TSV063) classes.

Mission-critical privacy issues continue to be challenges. One solution is Privacy by Design (PbD), a set of principles which

advocates that privacy be the default mode of operation for organizations and systems. MITRE's Privacy Community of Practice

(CoP) is leading the way with its recently developed Privacy Engineering Framework, which aims to make PbD a usable and

repeatable tool for use both by MITRE and sponsors by taking a systems engineering approach to PbD. This session will discuss the

concept of PbD and the Privacy Engineering Framework and will cover other privacy-related issues and practices in the design and

implementation of information technologies, including what to do to ensure that NIST SP 800-53 Rev 4 Appendix J Privacy Controls

are addressed within sponsor systems. Attending this session will enable you to ensure that appropriate actions are being followed to

embed privacy into technology and processes.

Course Objectives:

• Understand the concept of privacy and the importance of developing privacy into systems from the beginning

• Understand what Privacy by Design (PbD) is and its usefulness for the federal government

• Understand how to use the Privacy Engineering Framework at MITRE and with sponsors to take a systems engineering approach to privacy

• Understand how privacy can be integrated into the different stages of the systems engineering life cycle

Format: Presentation and classroom interaction.

Prerequisites: None

Target Audience: All MITRE staff and managers, particularly those working with system engineering concepts or programs that

handle PII.

Length: ½ Day

Schedule: December 4, 2014 - 8:30am - 12:00pm - EST

Instructor: Catherine M. Petrozzino ([email protected]) (J83B), CIPP/US/G/IT is a Senior Information Privacy and Cyber Security

Consultant at the MITRE Corporation. She has 25+ years of experience in information technology - the last 20 of which were focused

on information security and privacy. Ms. Petrozzino is a senior leader for MITRE's privacy community of practice and currently

supports healthcare-related privacy and security research and assists with the identification and management of privacy risk for

MITRE and for external sponsors - particularly in the area of protected health information and other types of personal medical

information. She led/supported the development and design of privacy-enhancing tools that are actively being used by different

sponsor organizations to support their privacy programs and systems development. Her past responsibilities included overseeing

MITRE's DoD privacy work...Prior to MITRE, Ms. Petrozzino was a member of the information security and privacy teams for John

Hancock Financial Services. Her responsibilities included ensuring John Hancock's IT systems were compliant with HIPAA and

Gramm-Leach-Bliley (GLB). She holds a B.A. in Mathematical Sciences from Johns Hopkins University, and an M.S. in Computer

Science from Northeastern University. She has served as one of the lead faculty for the IAPP's Privacy Training Program.

Stuart S. Shapiro ([email protected]) (J83B) is a Principal Information Privacy and Security Engineer at MITRE and has supported

a wide range of privacy and security activities involving, among others, critical infrastructure protection, policy frameworks, risk and

control assessment, and incident response. In particular, he has led multiple research and operational efforts in the areas of privacy

engineering, privacy risk management, and privacy-enhancing technologies (PETs). He has written and presented on privacy

engineering (and the related Privacy by Design), privacy risk modeling, and PETs in numerous forums and participates in multiple

privacy-relevant standards efforts. Among his professional affiliations are the International Association of Privacy Professionals

(IAPP), the Advisory Board of the Ponemon Institute's Responsible Information Management Council, and the US Public Policy

Council of the Association for Computing Machinery (USACM) where he currently serves as Co-Vice-Chair.

Kris Miller ([email protected]) is a Principal Privacy Strategist within the Enterprise Strategy and Transformation (ES&T) division at

the MITRE Corporation. Kris's practice focuses on domestic and international policy development, strategic privacy planning,

enterprise data governance, legal and regulatory compliance, and the development of federal information technology (IT) systems that

incorporate privacy-by-design. Kris has been a trusted advisor to government executives in the Department of Defense (DoD), the

Department of Health and Human Services (HHS), the Veterans Administration (VA), and the Department of Homeland Security

(DHS). Kris's matters span US federal laws - including the Privacy Act of 1974, the e-Government Act of 2002, and the Health

Insurance Portability and Accountability Act of 1996 (HIPAA) - to state privacy laws and international privacy regimes, particularly

in the European Union (EU). In the healthcare space, Kris helped CMS (CCIIO) draft data sharing agreements to facilitate operation

of the Affordable Care Act, led the Prescription Drug Management Program project law and Policy Work Group, co-authored the

book Information Privacy in the Evolving Healthcare Environment, and he currently leads MITRE's privacy and security work for the

Office of the National Coordinator for Health IT (ONC), its Chief Privacy Officer, and related FACA committee working groups

focused on privacy, security, and transport. Kris is licensed to practice law in both New York and Connecticut, and he is a Certified

Information Privacy Professional with specific qualifications in US Government and EU privacy (CIPP/G and CIPP/E).

TSV064: Introduction to Hardware Hacking

Course Description: Embedded devices are all around us. They’re in our homes, our cars, our workplaces, on our bodies, on our

roads and in our airspace. Embedded devices are literally everywhere. Gartner estimates 26 billion devices by 2020. Traditionally,

these devices have been isolated but current and future trends are to interconnect these devices to form the Internet of Things. This

interconnectedness increases the importance of securing these devices.

Introduction to hardware hacking is a course with the following goals:

1) Introduction to embedded systems

2) Presentation of techniques an attacker may utilize to reveal the inner workings of an embedded system

3) Some discussion of how this knowledge can be leveraged to subvert intended system behavior

The course will include several labs to reinforce concepts.

Course Objectives:

• Embedded system basics

• Basic soldering technique

• Board analysis methodology

• Identification of peripherals, data buses, diagnostic ports and tap points

• Device instrumentation

• Bus monitoring and decoding

• Development access via JTAG

Format: Lecture and labs.

Prerequisites: None

Target Audience: This course is open to all MITRE technical staff.

Length: 2 Days (14 Hours)

Schedule: March 9-10, 2015 (8:30-4:30)

Instructor: Chris Korban ([email protected]) is a Sr. Cyber Security Engineer in Department J83J - Defense Cyber Security.

Bob Heinemann ([email protected]) is a Lead Multi-Discipline Systems Engineer in Department J52B - Cyber Operations.

TSV065: Introduction to Side-Channel Analysis

Course Description: During the last 15 years, it has been widely demonstrated that electronic devices leak information about their

internal state as they perform computations, presenting a major security threat to embedded systems. This information leakage can be

observed through so-called "side-channels" such as system timing, power consumption, electromagnetic radiation, and many others.

The development of side-channel attacks that exploit this information leakage to compromise otherwise secure algorithms continues

to be an active field of research. Are your systems vulnerable to such an attack?

This course is an introduction to the threat of side-channel attacks, how they work in theory and practice, and how to defend against

them. Topics include:

• Simple power and electromagnetic analysis (SPA/SEMA)

• Differential power and electromagnetic analysis (DPA/DEMA)

• Signal processing

• Countermeasures

• Side-channel analysis tools and data acquisition hardware

During the course students will complete hands-on exercises to gain a better understanding of how side-channel attacks work, the

difficulty of conducting various attacks, and the effectiveness of various countermeasures. Students will have an opportunity to

collect their own side-channel data on a real embedded target and modify the code running on the target. Students will benefit from

having some prior familiarity with the programming languages Python and C, as most of the analysis tools are written in Python and

the target code is written in C.

This class will serve as a prerequisite for a later class on advanced side-channel analysis.

Course Objectives:

• Provide detailed knowledge on the threat of side-channel attacks and how to understand their potential impact on overall system security

• Demonstrate how basic side-channel attacks work

• Introduce countermeasures to defend against these basic attacks

• Discuss advanced side-channel attacks and how the side-channel threat is evolving

• Provide insight on the impact of security architectures on end device security requirements

Format: Lecture, demos, and lab exercises.

Prerequisites: None; however, some programming experience with Python and C would be helpful.

Target Audience: This course is open to all MITRE technical staff.

Length: 2 Days (14 Hours)

Schedule: June 8-9, 2015 (8:30-4:30)

Instructor: Adam Woodbury ([email protected]) is a Digital/Micro HW Eng, Principal in Department J82E - Electronic Sys

Development. He is actively involved in the development of J82E's Secure Electronic Lab, which has advanced capabilities for

researching implementation security issues such as side-channel leakage, fault induction, and trusted hardware.

Dan has worked in the area of embedded systems since arriving at MITRE in 2006. He is the principal investigator on the IESC MIP,

which is developing tools to help evaluate and protect software against side-channel attacks.

Joseph Chapman ([email protected]) is a Digital/Micro HW Eng, Lead in Department J82E - Electronic Sys Development. He is

actively involved in the development of J82E's Secure Electronic Lab, which has advanced capabilities for researching

implementation security issues such as side-channel leakage, fault induction, and trusted hardware.

Joe has worked at MITRE since 2005 and has worked on a variety of projects concerning signal processing and embedded security.

He is currently working on developing tools to integrate side-channel attack threat evaluation into the FPGA and ASIC design process

to enable automated threat analysis and countermeasure validation.

Daniel Walters ([email protected]) is a Digital/Micro HW Eng, Lead in Department J82E - Electronic Sys Development. He is

actively involved in the development of J82E's Secure Electronic Lab, which has advanced capabilities for researching

implementation security issues such as side-channel leakage, fault induction, and trusted hardware.

Dan has worked in the area of embedded systems since arriving at MITRE in 2006. He is the principal investigator on the IESC MIP,

which is developing tools to help evaluate and protect software against side-channel attacks.

TSV066: Linux/Unix Security

Course Description: This course is a hands-on introduction to Linux/Unix security fundamentals that are critical to cyber security.

Curriculum will start from basic host security, working up to Security-Enhanced Linux (SELinux) and Mandatory Access Control

(MAC) configuration. This course will be designed to fill in knowledge gaps for attendees. Attendees with all levels of technical

backgrounds will benefit from this class.

Critical components include audit configuration, data encryption, securely managing system resources, kernel security and managing

privileges. Each component will be examined on both Linux based systems (CentOS) and Unix/BSD based systems (FreeBSD) to

further enhance the learning process by showing different ways to address similar problems.

The class will incorporate hands-on exercises and labs. Students will gain an understanding of host based security configuration

concepts. These concepts will be demonstrated by student labs based on common misconfigurations that students must address by

applying concepts learned throughout the class. The class will culminate when students are asked to secure a system that has been

preconfigured with bugs that have been stacked to form an insecure user environment.

It is expected that attendees will have knowledge in one or more topics covered in the class. This class is meant to fill in gaps and

allow students to build on their previous knowledge to become more technically skilled cyber security professionals. Solid

foundational knowledge will allow students to easily understand more advanced topics. The technical confidence students will gain

in this class will allow them to quickly tackle technical hurdles in their day-to-day work. We need more "ninjas" in MITRE tech

centers, who are not intimidated by the unknown, and have a broad technical background, enabling them to overcome adversity to

solve critical cyber security problems.

Course Objectives:

• Introduce Linux host based security

• Review security options available to a Linux/Unix host

• Review auditing options available to a Linux/Unix host

• Learn fundamentals of Mandatory Access Control (MAC)

• Learn how to implement privilege separation for users and processes

• Understand security implications of default Linux/Unix configurations

• All attendees will apply all knowledge through lab exercises during the course

Format: Lab

Prerequisites: Minimal networking, system administration, and/or cyber security knowledge.

Target Audience:

• Junior tech staff

• Senior tech staff that have found themselves working in a lab

• Engineers changing disciplines to cyber security

• Engineers in other fields supporting cyber work

Length: 2 Days (14 Hours)

Schedule: February 5-6, 2015 (8:30-4:30)

Instructor: Derek Anderson ([email protected]) is a Lead Cyber Security Engineer in Department J83C - Army/Navy Security.

He supports various customers performing vulnerability assessments and prototype development. Prior to MITRE, he worked in a

world-class managed security service SOC as a Security Analyst. Derek holds a BS in Information Technology from Rochester

Institute of Technology and is currently enrolled in a Master's program in Information Assurance at Capitol College.

TSV100: Introduction to Secure Coding

Course Description: The purpose of this course is to provide developers at MITRE with focused training related to secure coding.

The hope is that each developer will leave the course with a better understanding of how they can improve, from a security

perspective, the code that they write. This course provides a look at some of the most prevalent security related coding mistakes

made here at MITRE. Each type of issue is explained in depth including how a malicious user may attack the code, and strategies for

avoiding the issues are then reviewed. Knowledge of at least one programming language is required, although the specific

programming language is not important as the concepts that will be discussed are language independent. The course will cover many

of the weaknesses within the context of a web application, but most of the concepts will apply to all application development.

Course Objectives:

• Reinforce the importance of secure coding

• Identify the most common code level weaknesses within MITRE

• Provide an overview of each weakness type including examples within code (weaknesses include cross-site scripting, SQL injection and bypassing authorization checks)

• Demonstrate how malicious users will exploit these weaknesses

• Discuss techniques to avoid each weakness

• Provide an overview of internal and external resources available to developers

Format: This one-day course is set up as an exploration through a hypothetical web application where a malicious user attempts to

take advantage of certain flaws within the code. Throughout the course, we will be identifying the flaws, discussing them,

understanding the specific attacks, and finally discussing how to improve the code to prevent the attack.

Prerequisites: Participants must have working knowledge and experience writing code and developing applications. A specific

programming language is not required as the concepts that will be discussed are language independent.

Target Audience: This course is open to MITRE technical staff that develop code and wish to increase their understanding of secure

coding. Staff attending this course may be asked to participate in hands-on course work and activities.

Length: 1 Day, 7 hours

Schedule: 12-Nov-2014 (Session 0013)

Schedule: 13 April 2015 (Session 0015)

Instructor: Drew Buttner has been at MITRE since 2001 and is one of the leaders of MITRE's software assurance work program in

support of both MITRE internal and its Government sponsors. His experience and technical expertise are in the areas of code

development, standardization, and static code analysis. The past couple of years he has provided support to both the Department of

Defense and NIST in their research of static analysis tools. Currently he is working to establish a secure code review practice for the

MITRE Community.

Larry Shields is a principal InfoSec Engineer with G022, working in MITRE InfoSec. Conducting code reviews for MITRE developed

applications is one of the many tasks on his plate. Prior to coming to MITRE, Larry spent many years running code reviews,

conducting penetration testing, and teaching application security courses for Fidelity Investments. He is a Certified Information

Systems Security Professional (CISSP), and has been a contributor to the Open Web Application Security Project (OWASP).

TSV404: Introduction to Vulnerability Assessment

Course Description: The purpose of this course on Vulnerability Assessment is to demonstrate how to identify vulnerabilities in a

computer network, determine how a cyber attacker might exploit these vulnerabilities, and examine how the vulnerabilities might be

mitigated. A methodology is presented in the course for conducting vulnerability assessments for MITRE sponsors. The methodology

lays out an orderly approach for conducting a vulnerability assessment and demonstrates numerous tools and techniques in an

isolated computer laboratory setting to examine such problems through penetration testing.

**The course content may be subject to slight changes.**

Course Objectives:

• Learn a general methodology for conducting assessments

• Scan and map network topology

• Identify listening ports/services on hosts

• Fingerprint operating systems remotely

• Learn methodology/best practices for audit of routers, switches, and firewalls

• Learn methodology/best practices for audit of UNIX and Windows security

• Learn methodology/best practices for web application security assessments

Format: This three-day course has lectures and demonstrations to provide the conceptual approach to vulnerability assessments and

laboratory time to use various tools and techniques to understand the enumeration and identification phases of a security assessment.

Prerequisites: Participants should have a good to excellent understanding of the UNIX and Windows operating systems. They should

have a good understanding of the TCP/IP protocol suite. For example, they should be familiar with TCP, IP, UDP, and ICMP packet

header formats and how these protocols are used. Programming experience in Perl and/or C is desired. They should also have a

general background in computer and/or network security and understand general approaches to policies and procedures for developing

a security plan for an installation or facility or agency.

Target Audience: This course is open to MITRE technical staff who wish to increase their understanding of the vulnerability

assessment process and techniques. Staff completing this course may be asked to contribute to sponsor tasks involving vulnerability

assessments.

Length: 3 days, 21 hours

Schedule: 2-Dec-2014 - 4-Dec-2014 (8:30 - 4:30)

Instructor: Nathan Adams ([email protected]) is Principal Information Security Engineer and the primary focal point for the

Security Testing Community of Practice within MITRE. He has been leading and providing security testing activities including

penetration testing, vulnerability assessments, and security test and evaluations to federal organizations including the DoD,

Intelligence Community, and several federal civil agencies since 2001. He holds an M.S. in Computer Science from Colorado

Technical University and is a Certified Information Systems Security Professional (CISSP).

TSV427: Introduction to Reverse Engineering Software

Course Description: Throughout the history of invention curious minds have sought to understand the inner workings of their

gadgets. Whether investigating a broken watch, or improving an engine, these people have broken down their goods into their

elemental parts to understand how they work. This is Reverse Engineering (RE), and it is done every day from recreating outdated

and incompatible software, understanding malicious code, or exploiting weaknesses in software.

In this course we will explore what drives people to reverse engineer software and the methodology and tools used to do it.

Topics include, but are not limited to:

• Uses for RE

• The tricks and pitfalls of analyzing compiled code

• Identifying calling conventions

• How to navigate x86 assembly using IDA Pro

• Identifying control flows

• Identifying the Win32 API

• Using a debugger to aid RE

• Dynamic analysis tools and techniques for RE

During the course students will complete many hands-on exercises.

This class will serve as a prerequisite for a later class on malware analysis.

Course Objectives:

• Provide detailed knowledge on RE methodology and tools

• Demonstrate how to navigate x86 assembly code while avoiding tangents

• Prepare students for follow-on courses in Malware and Vulnerability Analysis

Format: Lecture/lab

Prerequisites:

• An introductory course on x86 assembly such as TPL103. TPL465 Intermediate x86 is also recommended.

• Must be comfortable with the C programming language.

• An understanding of the Microsoft Portable Executable & Common Object File Format (PE-COFF), such as is conveyed in the TSV424 Life of Binaries class.

• Experience with Python a plus.

Target Audience:

• Developers who want to understand the correspondence between high-level code and machine code.

• Staff who want to better understand the low level hardware mechanisms which support binary program execution and operating system design.

• Staff interested in reverse engineering and malware analysis.

• Staff interested in vulnerability research and mitigation.

Length: Two days (14 hours)

Bedford Schedule: 23-Feb-2015 - 24-Feb-2015 (8:30 - 4:30)

For more information: Contact Bo Kaufmann at 781.271.3112.

Instructor: Frank Posluszny has been supporting computer network defense teams focused on targeted (APT/ACT) attacks since

2008. His current role supports security engineering, performs malware analysis, and reverse engineers malware command and control

(C2) protocols. He has contributed to open source projects, including the Zero Wine Tryouts malware analysis suite. He has a BS and

an MS in Computer Science from Worcester Polytechnic Institute, where he focused on networking and systems security.

TSV432: Introduction to Trusted Computing and the Use of Trusted Platform Modules

Course Description: This course is an introduction to the fundamental technologies behind Trusted Computing. You will learn what Trusted Platform Modules (TPMs) are and what capabilities they can provide both at an in-depth technical level and in an enterprise context. You will also learn about how other technologies such as the Dynamic Root of Trust for Measurement (DRTM) and virtualization can both take advantage of TPMs and be used to enhance the TPM's capabilities. We will cover major use cases for trusted computing, including machine authentication, data protection, and attestation. This course will also introduce you to the various software resources that exist today to support TPMs, give a high-level overview of related research and development projects, and briefly discuss other trusted computing standards such as Trusted Network Connect which may be relevant to enterprise deployment of TPMs and trusted computing.

Course Objectives:

• Introduce students to both basic and advanced TPM capabilities, as well as other trusted computing standards and technologies

• Show how TPMs and related technologies can be used in enterprise environments and for cutting-edge research

• Give students the necessary tools and information to design and build systems that take advantage of trusted computing

Format: This class consists of presentations, discussions, and demonstrations.

Prerequisites: Familiarity with the basic principles of cryptography and security will help, as will prior exposure to hashes, public and private keys, discussion of integrity or authenticity, and so forth.

Target Audience: Engineers and system designers who may need to use TPMs or trusted computing in upcoming projects. People who have heard about TPMs and Trusted Computing but don't really know whether it's useful to them or what it's good for. Enterprise system designers who are concerned about out-of-date software, stolen certificates, or unauthorized machines and are looking for possible solutions. Staff applying to the Deep System Security & Trusted Computing Learning Path.

Length: 2 Days - 14 Hours

Schedule: March 26-27, 2015 - 8:30am - 4:30pm - EST

Instructor: Xeno Kovah graduated from Carnegie Mellon University in 2007 with a Masters of Science in Information Security Technology and Management. While there he researched worms, bots, and malware. While taking the highly regarded Operating Systems class, in which students build an OS from scratch, he gained a greater appreciation of how the capabilities provided by hardware influence the software abstractions built above them. Xeno also studied computer science and electrical engineering at the University of Minnesota. There he approached assembly both from software down, in CS classes, and from hardware up, in EE classes. Xeno has experience with 4 other assembly languages beyond x86: PowerPC, ARM, SPARC, and M68HC12.

TSV436: Secure Code Review

Course Description: This course is designed to help developers bring a secure coding mindset into typical project peer reviews. The course briefly talks about the development lifecycle and the importance of peer reviews in delivering a quality product. It discusses how to perform this review and stresses how to keep secure coding a priority during the review. A variety of hands-on exercises will address common coding mistakes, what to focus on during a review, and how to manage limited time.

Throughout the course, the class will break out into pairs and perform example peer reviews on sample code. Perl will be used for the hands-on exercises; however, every attempt will be made to generalize the code such that anyone with an understanding of a coding language will be comfortable.

Course Objectives:

• Describe how peer reviews fit into the software development process

• Start a peer review and gain the necessary background about the code

• Identify techniques for making sense of a large amount of code

• Review common secure coding mistakes

• Create report findings that go back to the developer

Format: Lecture plus team exercises

Prerequisites: TSV100 Introduction to Secure Coding

Target Audience: Developers

Length: One day (7 hours)

Schedule: 29-Jan-2015 (Session 0005)

Schedule: 7-May-2015 (Session 0006)

Instructor: Drew Buttner has been at MITRE since 2001 and is one of the leaders of MITRE's software assurance work program in support of both MITRE internally and its Government sponsors. His experience and technical expertise are in the areas of code development, standardization, and static code analysis. For the past couple of years, he has provided support to both the Department of Defense and NIST in their research of static analysis tools. Currently he is working to establish a secure code review practice for the MITRE Community.