This series of mini-classes focuses on essential and universal topics of vulnerability research, useful for both beginners and advanced researchers regardless of the target. We'll skip the trivial "101" basics and jump straight to emerging models, tactics and tools that can make a huge difference in your bug-hunting progress. In addition, we will play with certain classical and proven techniques that usually come only with many years of experience in reverse engineering and vulnerability research.
All our mini-classes are practical. Alongside solid theoretical study to get a strong grasp of the topic, we dig into the code, build things, and play with tools, as much as time allows.
Each mini-class is essentially a "howto" on one specific topic, taught from the perspective of a highly experienced hacker, pwner and reverse engineer. Coming out of the class you should be able to apply the acquired skill easily in your specialized workflow, with a lot of fun and profit.
This page will be updated as new topics and detailed descriptions are added.
Livestream date: July 10, 2021 (Saturday), 13:00-17:00 UTC.
On demand: recording available.
Level: beginners to advanced.
Featuring afl, WinAFL, libfuzzer, and everything else that you know and love but were afraid to apply to something they can't support out of the box. We'll take a look at the code, see how other researchers extend public fuzzers for custom purposes and non-trivial fuzzing, and build the basic practical skills for doing that yourself.
Topics:
* Anatomy of a fuzzer.
* Motivation. When is an "off the shelf" fuzzer not enough?
* Anti-motivation. When is your favorite fuzzer a bad choice for your goal?
* Basic theory of modern evolutionary fuzzing with code coverage guidance.
* Architecture and implementation of the most successful modern fuzzers.
* Hacking on public fuzzers: case studies. Architecture and implementations of successful fuzzer mods.
* Theory and practice of code coverage.
* Common fuzzing instrumentation explained, and how to modify it for your research purposes.
* Common mutation algorithms and open questions in research.
* Review of successful academic and community research projects based on modified open source fuzzers.
You will learn:
* How to choose the right fuzzer for your goals.
* When to modify a fuzzer, what exactly to change, and how to do it effectively.
* How to mod successful public fuzzers to find bugs that they failed at.
* How to instrument arbitrarily complex targets for fuzzing with public tools.
* Understanding and controlling low-level code coverage instrumentation and probes.
* How to write a fuzzing harness for something which is not supported by your fuzzer out of the box.
Pre-requisites:
* C code
* (optional) x86 assembly
* Linux VM
Livestream date: August 7th, 2021 (Saturday), 13:00-17:00 UTC.
Seats available.
Level: beginners to advanced.
CodeQL is a shiny new tool to assist you with static analysis for bug hunting. Previously known as Semmle QL (Semmle was acquired by GitHub/Microsoft), CodeQL quickly became popular due to the power and versatility of its custom query language, which lets you query arbitrary code bases for generically defined bug patterns, and it has been successfully used by many professional software security teams to find new bugs. Think of it as grep with awareness of code semantics.
While CodeQL is typically applied to the problem of bug variant analysis, nothing prevents a smart bug hunter from using some creativity and building queries for totally new bug classes. Mozilla runs a dedicated CodeQL security bounty. This mini-class is designed to get you started with CodeQL in no time, with the big picture in mind.
Livestream date: August 14th, 2021 (Saturday), 13:00-17:00 UTC.
Seats available.
Level: beginners to advanced.
Symbolic information for binaries, or "debug symbols", typically consists of procedure names as defined in the source code, occasionally with some extra details such as global variable names, structure definitions, and function arguments. While debug symbols are more or less trivially available for open source projects, the majority of proprietary software vendors do not expose them. Systems such as embedded firmware, proprietary hypervisors, basebands, and the majority of "normal" proprietary software are thus presented to the reverse engineer as a huge mess of many megabytes of assembly code that is hard to make sense of.
In addition, a general trend nowadays is that proprietary software vendors increasingly revoke and manage access to debug symbols to complicate reverse engineering, as was observed, for example, with the iOS kernel a couple of years ago, the Microsoft Hyper-V hypervisor, and the VMware Workstation for Linux binaries.
In advanced reverse engineering, several smart approaches may be used to solve this problem and to apply or create meaningful names (at least semi-automatically, rather than by manual naming) for a reverse-engineered code base. In this mini-class we'll walk through these techniques and apply them to some real-life, large-scale software RE.
Livestream date: August 21st, 2021 (Saturday), 13:00-17:00 UTC.
Seats available.
Level: beginners to advanced.
We'll take a look at Intel PT: how it is defined in the specifications, how it works in practice, how to use it outside of public fuzzer integrations, the existing ecosystem of software drivers for various OSs and fuzzing targets, successful use cases, known research publications, and the open research areas that hold the most opportunity. Learn practical skills to apply it trivially, and see what is needed for non-trivial applications.
Each mini-class is typically live-streamed once; afterwards it is available on demand as a recording.
How to book a live mini-class or purchase an on-demand recording: click on the PayPal button on the training page. We will contact you within 1-2 business days to confirm your chosen topic.
New topic suggestions are welcome.
Published on 1st July 2021.