This is a collection of my projects and short presentations. I have lost quite a few of my projects, but those that I managed to get together are below. I try to keep this page up to date, but sometimes I forget . Many of them are personal projects, so the code might not be totally clean. Feel free to use any of the code (please credit if you do) for personal use. Contact me if you have any questions/comments.

Bitslice implementation of MICKEY 2.0. In progress – see google code page

Writing linux kernel code is fun, but can also be a bit painful due to the limited documentation (mainly the code itself ). In building a trust agent for my work at Rutgers some of the things I had to write include HMAC of packets and SHA1 of the current process opening the device for attestation. Regardless, the code which creates an HMAC(SHA1) for arbitrary strings can be found here – note that if you are MAC'ing large data, modifying the code to use multiple scatterlists will end up being faster (rather than using crypto_ahash_update on one). The code which takes a struct file pointer and computes the SHA1 (think sha1sum) can be found here – if you wish to compute the hash of the current process you need the struct file which you can get with get_mm_exe_file(current→mm) – checkout fs/proc/base.c.

This is a short step-by-step tutorial which I slapped together for a number of students who were trying to integrate a custom core with the PowerPC on the Virtex-II PRO FPGA (hosted on the XUPV2P board. There are a few decent tutorials available on the net, but most demonstrate the integration of very simple cores with Microblaze; this tutorial is also very simple and informal, but the custom core contains a multiplier generated withCORE Generator and the integration is with the PowerPC core. Here is the pdf. Have fun!

This is a Perl module (available at CPAN) which is a very simple implementation of the Maildir protocol as specified by DJB. There are numerous implementations out there, but many require the use of bulky packages handling mail messages – this simplifies it so that you can just write to a file whatever you want (raw access). The code and detailed documentation is available on CPAN here.

As part of the Cyber Security Week at Polytechnic Institute of NYU I led a small team as the main programmer working on the embedded systems challenge, where we were to write a trojan for a crypto-communications device which would either 1. make the device inoperable (DoS), 2. leak sensitive information or 3. behave unexpectedly while still passing the validation tests. We wrote two DoS attacks (one would disable the clock on the FPGA and the other would invalidate anything typed on the keyboard), a trojan that leaked the master key (even during the validation process) and another which would null-out the transmitted ciphertext while still showing the typed characters on the vga.

Abstract: While most current cryptographic efforts focus on designing ciphers resistant to mathematical attack by a third party with access to the ciphertext, the physical security of encryption and decryption devices remain important. We examine a prototypical encryption system based around AES-128 as implemented on a Xilinx Spartan FPGA, and design three attacks to perform sidechannel information leakage and denial-of-service (DOS). As any well-designed encryption system should be carefully checked to ensure its software has not been compromised prior to usage, we implement our attacks to be nearly indistinguishable from the reference design, consuming nearly the same amount of power and utilizing roughly the same percentage of the FPGA’s resources.

Links: short paper describing the trojans and their implementation, video demonstration of the trojans in action, and Xilinx ISE files.

Unlike most common *nix keylogger, this key logger is not based on intercepting a tty, polling IO ports, or hijacking of the keyboard interrupt handler. It is a user space X11 keylogger using the XTrap extension to intercept key press/release event. The keylogger is a “preprocessor” for an authentication (based on keystroke dynamics) and you may find more info on my DIMACS REU page: x_keylogger. Version 0.2 of this also implements mouse clicks and movements – you may download the tar file with instructions on how to use/install and parse the output here.

The code for a very simple feature extractor that parses the output of xtrapdei can be browsed here. or downloaded here. The current version (0.1) extracts total duration, Press(i+1)-Press(i), Release(i+1)-Release(i), Press(i+1)-Release(i), and Release(i)-Press(i) for any string in a given database, thus the output of this can be fed to a classifier which can authenticate your typing pattern . An example output for the strings 'DIMACS', 'rutgers', and 'cooper' is :

DIMACS: 624, 128, 160, 152, 88, 144, 104, 96, 80, 56, 112, 176, 128, 72, -8, 168, 136, -32, -80, -96, 24, 32
rutgers: 904, 120, 152, 80, 88, 152, 112, 128, 104, 112, 184, 120, 88, 168, 136, 40, 192, 184, 48, 184, -16, -40, 104, 32, -64, 56
cooper: 624, 136, 56, 176, 152, 152, 168, 120, 128, 88, 64, 56, 40, 248, 64, 64, 72, -16, 72, -88, -88, -96

I updated the code to address a number of the issues in 0.1. Although 0.1 might be easier for some to play with 0.2 is much nicer, here is the help:

./keyextract.pl [--option=<value>] -Feature Extractor taking input from XTrapDei
--------------------------------------------------------------------------------
option          value                   Description
--------------------------------------------------------------------------------
tee|t           filename                Print to stdout and file filename
file|f          filename                Print only to file filename
debug           level                   Set the debug level (0 for no debugging)
buff|b          size                    Set the max buffer size
db|d            filename                Path to the database of words
kl              filename                Keylogger filenam or stdin
iobuf|i                                 Buffered I/O (default off)
help|h|?                                This message
--------------------------------------------------------------------------------

The output is also quite easier to parse:

@word=deianstefan|window=xterm:XTerm|PP=88,64,200,80,88,112,80,120,96,72|PR=-40,-96,64,-16,-40,40,-48,-24,-64,-72|RR=120,40,160,112,32,168,96,136,80,80|duration=128,160,136,96,128,72,128,144,160,144,152|total=1152
@word=DIMACS|window=xterm:XTerm|PP=112,104,72,176,160|PR=-24,-112,-80,64,48|RR=192,40,32,176,176|duration=136,216,152,112,112,128|total=752
@word=danfeng|window=xterm:XTerm|PP=96,176,136,104,104,120|PR=-80,16,-16,-24,-24,-32|RR=80,168,112,104,128,112|duration=176,160,152,128,128,152,144|total=880
@word=cooper|window=xterm:XTerm|PP=136,176,56,80,120|PR=-24,104,-96,-96,-104|RR=48,256,80,128,104|duration=160,72,152,176,224,208|total=776
@word=rutgers|window=xterm:XTerm|PP=96,144,240,144,88,208|PR=-24,-16,120,32,-64,72|RR=136,104,232,184,72,184|duration=120,160,120,112,152,136,112|total=1032
@word=https://mail.google.com|window=xterm:XTerm|PP=80,160,112,152,760,200,184,200,144,48,80,192,128,168,128,136,96,112,72,120,112,80|PR=-40,88,-8,8,648,112,104,104,40,-96,-72,88,8,56,88,40,-24,24,-72,24,-40,-88|RR=32,208,136,120,736,192,200,208,184,56,32,208,120,96,184,160,64,168,24,176,128,56|duration=120,72,120,144,112,88,80,96,104,144,152,104,120,112,40,96,120,88,144,96,152,168,144|total=3608

Brows the code here. or downloaded here.

xtrapbot is a utility that injects key events given a word using a Guassian distributed or Uniform distributed durations and inter-key timings; its current use is mainly for simulation purposes, but it can potentially be used for other things. Browsable code can be found here or you can download a tarball here.

Abstract: In this short paper the Off-the-Record (OTR) communication protocol is discussed. The communication protocol allows for parties to share an encrypted channel with perfect forward secrecy and repudiability – providing confidentiality between the com- municating parties and in this implementation: plausible deniability to third parties. Methods for authentication, ciphertext integrity and malleable encryption are also dis- cussed. The implementation allows the A slightly modified version of the protocol was implemented for a simple chat program in Perl using sockets. The code can be easily modified to use the protocol for other applications such as data transfer and multiple clients chat.

Links: very short paper describing the project, video demonstration, and of course code.

Yet Another Simulated Threads Library is a project I worked on with Michael Yagliyan and Nathan Lewis. The projects simulates a multi-processing environment, allowing for multiple threads to run independently. We implemented the API to be similar to pthreads, however the (assigned) scheduler is coarse grained (so a thread runs until it finishes or block on something it depends on). We also provide the threads with message passing IPC (beyond conditional variables and mutexes) and implemented a parallelized 200×200 matrix multiply and merge-sort. All the code can be found here.

Sugar Free C Compiler (SFCC) is a C compiler I worked on as part of my Compiler Theory course. The compiler does the front end (lexer/parser & semantics analysis) matter almost fully according to the C ISO (some C99 stuff was ignored , eg. variable length arrays and designated initializers). Everything is done in steps (basically as a book would present compilers: lex/parse→AST gen (and semantic analysis)→quads and basic block creation→IR gen→code gen) making it “educationally-readable” (GCC is amazing, but hard to read). The compiler does generate IR, however some analysis wasn't finished (a semester isn't enough time to fully finish a compiler for a language like C – well at least while taking other classes also ) so therefore not all C code will end up as IR (at least correctly– e.g. a&&b&&c in if statements don't work – whereas a&&b would work fine). Here are three links to simple examples translating C code to IR: example 1, example 2,example 3.

If you wish to look at the SFCC code, download it here and have fun!

Bored on the L train, I decided to write a game to pass the time:

It is again written in Lua with a few levels. Each level is a simple matrix of the different colored blocks(in ascii) and therefore creating different custom levels is extremely easy. Download the game and code from here. Enjoy!

This was my first Lua project and first game I wrote for the PSP; it is the classic game pong:

If you dont already have a pong game, then feel free to download the code and play it using LuaPlayer.

The idea of this program is to implement the Diffie-Hellman key exchange and encrypt a conversation (using Blowish) between Alice and Bob over an insecure channel. The advantage of using the Net::OSCAR module rather than writing a basic tcp/ip messenger is that the exchange is guaranteed to be between A and B, since they authenticate themselves through AIM.

Since this is just a proof of concept (and was written in less than 30min) the implementation limits the implementation of securing a channel between A and B and not also A and C. But to do so would not require much more effort. The Perl code can be found here.

Simple shell code written in att style ia32 needed to be hidden in a configuration file vuln.conf and executed using a vulnerable C++ program (taking advantage of vpointer redirection). Although this was used for a specific program it is generic enough to be used as shellcode in many other exploitable programs. The shellcode truncates the file vuln.conf from ./, basically just opening the file with O_TRUNC then forks, creates a socket, binds to tcp port 1337 and redirects (dup2) file descriptors 0,1, and 2 (stdin,stdout,stderr) and then execve's /bin/sh. The child then kills the parent (rather than the parent exiting on its own). When assembled (with as) the code will not have any null bytes and can therefore be used in string format (strcat,strcpy,printf,etc.) vulnerabilities. For general purposes the opening and truncation of vuln.conf is not needed and can be taken out. Download the code here here. For more generic shellcode and different architectures see the great Metasploit Project!

The Quine Mc Cluskey Simplifier (qmcs) is a tool used to simplify a boolean function. With the input of decimal data the program calculates the prime implicants, which are then used to calculate the essential prime implicants.This tool is primarily for students, however anybody may find it useful when working with simple digital logic. You may find the project files on the SourceForge page.

aspoof is a program that modifies the Apple Airport Extreme binary to spoof the MAC address of the wireless card. Current version works only with the post Tiger systems. Along with aspoof, when installing the files, a script - aaspoof (auto)aspoof - is generated to make the MAC spoofing more automatic and user friendly. I'm not much of a UI guy, so I used the Perl framework, Camel-Bones, to write xaaspoof, the GUI:

SF.net page. Enjoy!

The project is a LGP30 emulator, emulating instructions B,Y,R,I,D,N,M,P,E,U,T,H,C,A, and S however it is using 32 bits unlike the original LGP30 which had 31 bits.This was a group project with Mohammed Billoo who wrote the LGP30 code. The emulator was written by me, in ARC - an educational assembly language that is close to SPARC. The LGP30 emulator code can be found here. To run the ARC code download ARCTools from Murdocca's website.

This homework was a simplified process management and scheduling system implemented in user-space. Dynamic priority scheduling is implemented using priority heaps for the run-queue. The idea of active/expired queues used by the Linux 2.6 kernel was implemented. The program implements i/o events by using signals SIGUSR1, SIGUSR2 and ps-like process information using SIGABRT. A periodic timer is used, SIGVTALRM to switch processes in/out. Original idea was to implement this by messing with a longjmp buffer, however this caused a problem on my Gentoo system and ucontex was used instead. Although not intended to be used as an implementation of threads the code can be modified to be used for the task (but it would be wiser to use pthreads).
The code: sched.h, sched.c, heap.h, heap.c, schedtest.c, schedtest1.c

SMSdoor is a small project Christopher Mitchell and I worked on. It's a door controlled by a cellphone, AIM client, or web page. The code is based on the snazzy Perl code I wrote (on this page) and some simple C code interfacing the parallel port on a linux box. Since we're both EE's we chose to use an actuator (rather than something more mechanically complicated) and also built an emergency manual key override. Here is a video (created by Chris) demonstrating it working:

Here is the code! Unfortunately we lost the circuit diagrams and the high-res pictures. If we manage to recover them (form the crashed server) I'll update this.

This was a short paper on the introduction to Fourier series as part of a lecture I gave in a differential equations course. The paper introduces the topic with proofs and examples. You may view the paper here. It is licensed under a Creative Commons license (as specified in the paper) so feel free to modify it!

This very short article on eavesdropping was a result of a demonstration I gave in my computer security course. The purpose was to show that switched networks do not solve packet sniffing issues and attacks can very easily be conducted (even on an iBook).
The article is not very formal, but it includes screenshots, code and a video! Here is a link.

During the summer of 2006 I attended Stevens Institute of Technology as an REU student under Prof. Hong Man, studying math, signal processing, and digital image processing.

A summary of the work, as presented to NSF, is found in the appendix of the paper. The paper presents a `sticks filtering’ technique to enhance edges in ultrasound images. Using the enhanced edges, different techniques are used to develop an algorithm which automatically detects the body of a prostate in the ultrasound image. See my publications for the final version of the paper.

This was my first OpenGL project, a simulation of a dropping ball according to a simple decaying function. Rather than using more realistic physics (with at least Newton's laws) or using a more complicated math function (e^jwt or a sinc) I used a simple function partially because I wasn't even a college freshman yet (very limited math before Cooper). It was compiled on OS X, using GLUT and it should work on Linux and other *nix machines. The simulation supports a rotation of the view, which is pretty interesting since OpenGL doesn't allow rotating the `camera'. You can download the code from here.

Accepting a hostname as either a text host name (e.g. google.com) or decimal IP (e.g. 127.0.0.1), only attempting DNS resolution if it is a text host name tcp_send opens a TCP connection to the hostname and specified port. Then reads from stdin until EOF and relays the bytes to remote socket. Listening on the specified TCP port (if can bind) tcp_recv accepts one connection and copies all data to stdout. Both tcp_send and tcp_recv report the transfer rate.
The code: tcp_send.c, tcp_recv.c, util.h, util.c

Given a hostname as in tcp_send (above), port, and 512 byte message - as an argument or input im_send send the message using UDP. Similarly im_recv binds to a specified port and in an endless loop receives UDP messages on the port and prints them to stdout along with the decimal IP address, text hostname, and port of remote host.
The code: im_send.c, im_recv.c, util.h, util.c

pkat takes names of files and pipes them to a pager program (in this case less, but more can be used with no problem). If the user hits 'q' in the pager program the next file is read - this is done by handling SIGPIPE. Given a filename of '-' or no filename the program reads from stdin. See code.

Setting the tty in non-canonical mode, this program demonstrates canonical mode input processing by emulating read(2). This was a small fun homework. You can look at the code here.

sfsh is a very (dumb) simplified shell. Like a normal shell, it forks and executes a process, reporting real,user and system time. The shell also allows for io redirection, but no piping:

deian 1.618-$  command [command arguments] < file1 >> file2 2> file3

See the code.