Bug Hunting and Analysis 0x65
This 3 day course is structured to impart upon the students the skills necessary to effectively utilize debuggers, disassemblers, and other tools to discover vulnerabilities in binary code. The curriculum will begin by introducing students to the tools and generic techniques that will enable them to actively participate in reversing applications during the rest of the course.
After gaining a basic understanding of the tools involved, the instructors will spend day 2 walking students through case studies from patched vulnerabilities. That is, we will be choosing specific vulnerabilities and walking the students through the methodology used to verify them (debugging) and how the discoverer likely found them (fuzzing, static reverse engineering, dynamic instrumentation, etc). As each flaw is dissected, we will focus on how the student's arsenal of techniques can be extended to more easily debug applications and eventually discover similar bugs going forward.
On day 3 we will begin focusing on automating our tools to build a checklist that we can use to more efficiently reverse engineer a binary code base. We will walk through a complete audit of a default installation (latest version) of a popular enterprise server application culminating in the discovery of a remote pre-authentication 0day vulnerability. Students will be required to sign a minimal NDA in order to participate in this portion of the training.
Instructor: Aaron Portnoy and Zef Cekaj
Dates: 5-7 July 2010
Availability: 18 Seats
Dates: 11-13 July 2010
Availability: 18 Seats
Price 2600$ CAD before May 15, 3200$ CAD after.
Prospective students should have basic x86 assembly fluency. Previous debugging experience is also required; Our debugger of choice for this class will be WinDBG. Some familiarity with python is a plus but not required. Our target platform will be Windows 2003, the student should be comfortable operating in this environment. There are no host OS requirements besides supporting the prerequisite software identified below. Student should have all prerequisite software installed/licensed as necessary/configured in their host operating environment prior to Day 1.
VMware Workstation (Trial is acceptable: http://www.vmware.com/products/workstation/)
IDA Pro (Freeware is acceptable and available here: http://www.hex-rays.com/idapro/idadownfreeware.htm)
WinDbg (if you're coming from another debugger: http://windbg.info/doc/1-common-cmds.html is a great resource)
Python 2.5/2.6 (http://www.python.org)
Aaron Portnoy is the Manager of the Security Research Team at TippingPoint Technologies. His group is responsible for reverse engineering vulnerability submissions to the Zero Day Initiative program, discovering new 0day vulnerabilities in enterprise software, developing tools to aid in these processes, and architecting competitions such as Pwn2Own.
Aaron has discovered critical exploitable vulnerabilities affecting a wide range of vendors including, but not limited to: Microsoft, Adobe, RSA, Novell, Symantec, HP, IBM, SAP, and VMware. He has presented original research in the areas of reverse engineering and vulnerability discovery at conferences such as BlackHat, CanSecWest, BlueHat, RSA, and RECon. Additionally, Aaron has been an invited speaker at the National Security Agency, has been referenced in several published books, and guest lectures on reverse engineering at the Polytechnic Institute of NYU each fall.
Zef Cekaj is a security researcher specializing in vulnerability reversing and discovery. He has reversed and documented hundreds of vulnerabilities and has a history of vehemently arguing with vendors over email regarding exploitability of bugs in their products. Consequently, he enjoys winning such arguments by demonstrating exploits on live systems.
His primary interests are in the exploitation of server side vulnerabilities and mitigation circumvention. He is currently researching identified vulnerabilities in popular sandboxing implementations so that he may contribute to The Movement to Liberate Shellcodes (freetheshellcodes.net), of which he is a founder.
To register for a training session, download and fill this file and mail it to registration.training2011 recon cx