Program Analysis Training

This is four-day course trains students to do sophisticated program analysis using Binary Ninja and the Binary Ninja Python API. Students will learn Binary Ninja inside and out by extending its analysis capabilities to support a custom architecture which is difficult to analyze manually. Students will also leverage the Binary Ninja plugin architecture to identify vulnerabilities in a machine architecture independent way. After taking this course students will have experience working with the least intuitive and even some undocumented parts of Binary Ninja to create powerful program analysis tools.

Teaching

Drawing from experiences in the competitive CTF space and professional reverse engineering environments, Sophia and Evan teach program analysis with hands-on exercises with immediate feedback. Problems are designed to be realistic with objective solutions but allow for subjective approaches. This lets the work feel more like a creative exercise than a gym routine. Class exercises are composable, meaning lessons learned are leveraged later in the course. Exercises are realistic and tied to real world scenarios. Nobody will be left wondering why an exercise is being done or merely copying code out of a book.

Learning Objectives

• Have a thorough grasp on the binary ninja python API
• Familiarity with many program analysis concepts and common challenges
• The ability to write sophisticated program analysis plugins unassisted

Class Outline

Day 1

• API and GUI review
• Implement a new Binary Ninja “BinaryView”
• Begin implementing a new Binary Ninja “Architecture” plugin for a Turing complete interpreted language

Day 2: Classic Exploitation and Shellcoding

• In depth Binary Ninja Low Level Intermediate Language (LLIL) review
• Finish implementing Architecture plugin and implement lifting to Binary Ninja LLIL
• Use new Architecture plugin to reverse engineer programs
• Start to write a generic plugin with binary ninja PluginCommand to better reverse engineer language specific artifacts
• SSA Form and its benefits
• The binary ninja memory and address concept
• The Mapped MLIL SSA Form

Day 3: Modern Mitigations and Techniques

• Finish writing language artifact analysis plugin
• Intro to writing “PluginCommand” plugins to identify insecure software design patterns
• Control flow analysis vs. Data flow analysis
• Resolving function calls to assist in cross function analysis and concretizing paths in a program
• Jump Table resolution example
• Type propagation inside of a function context and cross function
• Automatically recovering structures inside of a function context
• Abstract Interpretation of type information
• Data flow analysis and tracing the lifetime of a variable or object
• Path constraint solving using SAT solvers to determine reachability and to solve for input variables

Day 4: Putting It All Together

• Vulnerability discovery with binary ninja
• Identifying “sources” and “sinks” in a program. Using taint analysis track where controlled input can reach program sinks and constraint solving to determine the boundaries of a vulnerability
• Discuss bug classes, what makes certain ones easier to programmatically find and why
• Encoding bug classes as read and write primitives, it easier to find specific vulnerability types -- such as memory corruption and incorrect usage of APIs
• Write a binary ninja pass to find different classes of bugs for specific example targets
• Attempt to analyze and find bugs in a ‘real world’ program
• Discussion on the future of the field. How would machine learning help us determine the harder types of bugs – logic bugs etc

Prerequisites

Students should have prior experience in the basics of software reverse-engineering.

Software requirement

Laptop with Binary Ninja and VMware workstation 15 Pro or Fusion 11 Pro installed with a clean install of Ubuntu 18.04.

BIO

Sophia d’Antoine is a security researcher in the financial sector, focusing on program analysis. She has spoken at more than thirteen global security conferences worldwide including RECon Montreal, Blackhat, and CanSecWest on topics from automated exploitation, program analysis, machine learning, and hardware hacking. Her keynotes have included topics such as exploiting hardware CPU optimizations. Currently, She sits on the program committee for Usenix WiSec and have been on multiple peer review panels in the past. In the past, she has worked extensively on embedded devices and other unique architectures. Additionally, Sophia is the “Hacker in Residence” at NYU and enjoy assisting in hosting CTFs and other hacking competitions.

Her publications on automated exploitation, programmatic vulnerability discovery, and security focused compiler development are listed below. The basis for this is effort has been through static analysis, LLVM, and binary lifters, such as Binary Ninja.

a. asm2vec: Machine Learning for Vulnerability Discovery. Jailbreak Security Summit 2018
b. Exploiting the Blockchain: A Security Field Guide for Smart Contracts. Empire Hacking 2017
c. Joy of Pwning. Securing Your Path 2017
d. The Spirit of the 90s is Alive in Brooklyn: Program Analysis forMemory Corruption. SummerCon 2017
e. Be a Binary Rockstar: Next-level static analyses for vulnerability research. InfiltrateCon 2017
f. An Introduction to Program Analysis with Binary Ninja. CodeBlue Japan 2016, Empire Hacking 2016, Inbot: Interesting and Novel Binary Occultism Tradeshow 2016
g. Binary Constraint Solving: Automatic Exploit Generation. CanSecWest 2016, NorthSec Montreal 2016, Hack Luxembourg 2015

Evan Jensen is the co-founder and CTO of the Boston Cybernetics Institute (BCI) where he splits his time between conducting assessments for clients, performing security research, and teaching cybersecurity courses. Evan has taught reverse-engineering at BU, RPI, NYU, MIT, West Point and MIT Lincoln Laboratory. Before starting BCI, Evan worked for MIT Lincoln Laboratory's Cyber System Assessments Group and Facebook's redteam. He recently presented at SchmooCon 2019 and is currently an instructor at Tufts University, where he teaches the course Fundamentals of Software Reverse-Engineering. He is an obsessive CTF player and was CTF captain of Brooklynt_Overflow from 2012 to 2014 and founding member/captain of Lab RATs from 2014 to 2016.