Vulnerability of the Day is a pedagogically-curated collection of vulnerability demonstrations for undergraduate software engineering students. The goal is to teach students how to avoid simple coding mistakes by providing concise code examples. Key characteristics are:
- 10 minutes long or less
- Can be understood by a third-year college student in a software engineering course
- Socially-relevant examples
- Can be run on a Linux console, using make
- Simple, concise, but also not contrived.
- Real-world CVEs (with source code patches linked) are a big plus
- All source code must be "projector-friendly", meaning that the vast majority of the demo code should be readable at:
    - 90 characters wide
    - 48 lines long
- Having the entire program be under 48 lines is not a hard rule (e.g. import statements are not super important), but the instructor should be able to show the main body, including comments, on a 4:3 projector screen with 18 point Lucida Console font in Vim with line numbers set.
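
A checker for the projector-friendly limits above, as an added example that is not part of the VotD repository or its build script. It reports over-wide lines as errors and an over-long body only as a warning, leaving import lines out of the count. The tab width of 8, the import prefixes and all function names are assumptions of this example.

```python
import sys

MAX_WIDTH = 90    # columns, from the guideline above
MAX_LINES = 48    # lines, from the guideline above
TAB_SIZE = 8      # assumption: tabs render 8 columns wide (Vim's default tabstop)
# Assumption: lines starting with these prefixes are imports, which the guideline exempts.
IMPORT_PREFIXES = ("import ", "from ", "#include")


def check_source(text):
    """Return (errors, warnings) for the text of one demo source file.

    errors:   (line_number, width) for every line wider than MAX_WIDTH
    warnings: one message if the non-import body is longer than MAX_LINES
    """
    errors, body_lines = [], 0
    for number, line in enumerate(text.splitlines(), start=1):
        # Measure the rendered width: tabs expand, trailing whitespace is invisible.
        width = len(line.expandtabs(TAB_SIZE).rstrip())
        if width > MAX_WIDTH:
            errors.append((number, width))
        # Blank lines and comments take up screen space, so they count as body.
        if not line.lstrip().startswith(IMPORT_PREFIXES):
            body_lines += 1
    warnings = []
    if body_lines > MAX_LINES:
        warnings.append("body is %d lines (guideline %d)" % (body_lines, MAX_LINES))
    return errors, warnings


def main(paths):
    """Check each file; return exit status 1 if any line is too wide."""
    failed = False
    for path in paths:
        with open(path) as handle:
            errors, warnings = check_source(handle.read())
        for number, width in errors:
            print("%s:%d: %d columns wide (limit %d)" % (path, number, width, MAX_WIDTH))
        for message in warnings:
            print("%s: warning: %s" % (path, message))
        failed = failed or bool(errors)
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```
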

Each VotD must have a Makefile that can run on Linux, with the following targets: `make`, `make exploit`, and `make compile`. The default is `make exploit`. Here's a skeleton Makefile:

```makefile
# Sample Makefile for VotD
exploit: compile
	java BankAccount
	java GetPatient

compile:
	javac *.java
```

The one exception is web-based vulnerabilities (e.g. XSS), which require different building guidelines (TBD).

```
a-votd/
    demos/                 - code examples for each vulnerability
    a-votd.html            - webpage descriptions of each vulnerability. See www-template/README.markdown for more details
    notes.markdown         - notes for instructors on each vulnerability
    compatibility.markdown - compatibility concerns for the vulnerability
```

`build_votds` is a Python 2.7 build script that will automatically put together documentation and optionally zip up the examples of a selection of VotDs for distribution.

You can build the documentation for an individual VotD with this command:

```
build_votds www <source> <dest> VotDs...
```

- `<dest>` is the directory where the script should output the documentation `index.html`

For example:

```
build_votds www . . integer-overflow buffer-overflow
```

The script will:

- Look in the current directory for 'integer-overflow' and 'buffer-overflow'
- Generate a combined documentation page for those two vulnerabilities
- Output the documentation to `index.html` in the current directory.

You can use the 'add' parameter to `build_votds` to append documentation for additional VotDs to an existing `index.html`. Simply run:

```
build_votds add <source> <dest> VotDs...
```

- `<dest>` is the directory where the script should look for the existing documentation `index.html`

Note that if an `index.html` does not exist at the target location, the script will create one for you as if you ran `build_votds` with the 'new' parameter.

You can use the 'zip' parameter to `build_votds` to create a distributable zip archive containing examples and documentation for chosen VotDs.

```
build_votds zip <source> <dest> VotDs...
```

- `<dest>` is the directory where the script should output `votds.zip`, containing the chosen examples.

The script will build a documentation file for the selected vulnerabilities if one doesn't already exist, and then zip up the examples and instructors' notes along with them.

If you would like to add a new vulnerability, you can use `build_votds` to create the directory skeleton and documentation template for you. To do so, call `build_votds` with the 'new' parameter and the name of the new exploit.

```
build_votds new <source> <dest> <vulnerability-name>
```

- `<dest>` is the directory where the script should output the new VotD's directory