Training


List of training sessions for Recon 2023:



Automating Reverse Engineering with Machine Learning, Binary Analysis, and Natural Language Processing

Reverse engineering (RE) applications (e.g., malware detection, firmware/vulnerability analysis, and software bill of materials [SBOM] generation) have historically been manual and time-intensive endeavors that often require highly skilled practitioners. The prevalence of malware and the growth and ubiquity of IoT devices have created a need to automate reverse engineering in a manner that scales well and meets performance and business requirements.


Modern Windows Malware OPSEC & Anti-Reverse Techniques Implementation and Reversing

This course will present an in-depth description of the techniques implemented in modern malware to evade defenders and security products (such as AV, IPS, IDS, EDR), and how attackers design and operate their implants in order to ensure a prompt redeployment after a detection or a public disclosure by researchers or security vendors.

Practical Browser Fuzzing

Web browsers are among the world's most widely used and most critical pieces of software. Using millions of lines of code, they handle, sanitize, and interpret all kinds of (untrusted) data from the web. It is impossible for developers to write such complex software (involving compilers, interpreters, and parsing libraries) without introducing bugs. As the last few years have shown, fuzz testing is the most efficient and scalable testing technique for finding software bugs. In this training, we will apply fuzzing to find critical vulnerabilities in different web browser implementations.


Software Deobfuscation Techniques

Code obfuscation has become a vital tool to protect, for example, intellectual property against competitors. In general, it attempts to impede program understanding by making the to-be-protected program more complex. As a consequence, a human analyst reasoning about the obfuscated code has to overcome this barrier by transforming it into a representation that is easier to understand. In this training, we get to know state-of-the-art code obfuscation techniques and look at how these complicate reverse engineering. Afterwards, we gradually familiarize ourselves with different deobfuscation techniques and use them to break obfuscation schemes in hands-on sessions. Thereby, participants will deepen their knowledge of program analysis and learn when and how (not) to use different techniques.


The ARM IoT Exploit Laboratory

The world of ARM IoT devices is growing rapidly. Routers, IP cameras, network video recorders, VoIP systems and several other "smart" appliances now run on ARM SoCs. While the hardware is the latest and greatest, the software running on it is a different story.

The ARM IoT Exploit Laboratory is a newly updated class. It takes a closer look at the hardware and the firmware running on it. Students will learn how to analyse, emulate and exploit the firmware on a variety of ARM IoT devices. The class starts with extracting the firmware directly from the devices, moves on to creating an emulated test environment for fuzzing and debugging, and finishes with writing end-to-end exploits for the devices. The class features an array of hardware targets of varying complexity, and students will have ample time for hands-on exercises to sharpen their exploitation skills.


Reversing with Ghidra

This is a hands-on course on using Ghidra for reverse engineering and vulnerability research. Exercises include Windows binaries, Linux binaries, and device firmware. Binaries will also be in a variety of architectures, including ARM, PowerPC, MIPS, x86, and x64. After completing this course, students will have the practical skills to use Ghidra in their day-to-day reversing tasks.


Windows Internals for Reverse Engineers

Covering Windows 11 (22H2), the upcoming Windows 11 "Zinc" (23H2), and Server 2022, you'll unravel how bootkits, software supply chain implants, backdoors, and other kernel and firmware malware work. You'll learn how they, and others, abuse various system functionality, obscure mechanisms, and data structures in order to do their dirty work, and how you too can defend against it. You'll observe and experiment with how kernel-mode code operates and how it can be compromised by user-mode attackers wishing to elevate their privileges, as well as how to detect such attempts, both live and forensically. Finally, you'll learn how CPU architecture deeply ties into OS design, and how Intel's and AMD's mistakes can lead to more pwnage. We'll cover the new Windows 11 kernel changes, including Kernel Data Protection (KDP), eXtended Control Flow Guard (XFG), and Kernel Control-flow Enforcement Technology (KCET), and explain how the Trusted Platform Module (TPM) is used for Measured Boot. We'll go inside the Octagon and learn about System Guard Runtime Assertions and the rewritten Secure Launch framework that leverages Intel TXT and AMD SKINIT for new DRTM-based attestation.


Automated Analysis with Ghidra

This course teaches students methods to leverage Ghidra scripting in support of automated large-scale vulnerability analysis, similarity analysis, and general reverse engineering tasks. Students will develop scripts in Python, Kotlin, and Java to automate the extraction of data (e.g., strings, mnemonic frequency, function signatures, block sizes, cyclomatic complexity, etc.) from an arbitrary number of binaries across different architectures. After completing this course, students will have the practical skills to automate and extend Ghidra with scripts and modules.


Advanced IC Reverse Engineering & Data Extraction

When it comes to encrypted devices, one person may want to gather embedded evidence, while another would like to check whether a hardware backdoor is present, or whether the component and/or its embedded firmware (boot ROM / user code) contain intrinsic weaknesses that could be exploited by an attacker. The primary goal of this training is to provide digital forensics and security professionals, as well as government services, with the skills, mindset and background information necessary to successfully:

- Recover ICs' internal architectures
- Evaluate the efficiency of existing countermeasures
- Extract NVM contents (ROM & Flash), in order to analyze and evaluate the security of the embedded firmware and extract secret information

Students will be shown how such information can be used to define easier methods to find and exploit firmware and hardware weaknesses, both for vulnerability analysis and for embedded evidence extraction. Concretely, students who complete this course will:

- Find out how to perform low-level hardware reverse engineering
- Develop analysis strategies for the target devices and apply these strategies to recover their embedded data


Advanced Malware Reverse Engineering

This four-day course is a hands-on training. We are going to reverse engineer samples and code our own scripts. A minimum number of slides will be provided where methodology is needed, but students will "learn by doing".


Program Analysis for Vulnerability Research

This four-day course teaches sophisticated program analysis techniques and how to apply them to improve your auditing process, improve your ability to identify interesting code paths, and encode bug primitives for automated identification. Students will learn the basics of using Binary Ninja and become familiar with many of the foundational program analysis theories and algorithms behind its analysis. Students will learn how to leverage the advanced analysis provided by Binary Ninja as well as how to extend it for their specific use cases. In doing so, students will learn to perform advanced program analysis for vulnerability research across every architecture.


Ethereum Smart Contract Security

Smart contracts are still a relatively new target surface for vulnerability research, with new bug classes and exploitation techniques. Smart contracts lack the traditional protection mechanisms that hinder exploitation, such as CFG, DEP, PXN, or the various hypervisor protections and mitigations. With the growing popularity of DeFi and other dApps, smart contract security is one of the largest problems in the Ethereum space.

This course will do a deep dive into different bug classes and how to exploit and protect against them. Exploitation of blockchain fundamentals such as Maximal Extractable Value (MEV) and other types of bot activity will also be examined.


MacOS Ventura and iOS 16 Kernel Internals for Security Researchers

This course introduces you to the low-level internals of the iOS and macOS kernels from the perspective of a security researcher interested in vulnerability analysis, kernel rootkit/malware analysis and detection, or kernel exploit development. While this course concentrates on macOS Ventura on the ARM64 CPU architecture, the latest security enhancements of iOS 16 and some differences to the x86_64 architecture will also be discussed. The course material has been heavily updated since the course was last run, pre-pandemic, at Recon 2019.


RISC-V Security Training

This Recon training program has been redesigned for Recon students looking for tactical exploit development skills when targeting RISC-V platforms. The training previously focused on the RISC-V architecture, CPU architecture security, and exploiting CPU design flaws. Due to popular demand, it has been augmented with guided laboratory examples covering the exploitation of both CPU design flaws and software vulnerabilities at the firmware, kernel, and userland layers.


Practical Baseband Exploitation

Baseband exploitation is often considered the cream of the offensive security field. In the last decade, only a handful of such exploits have been publicly released. As a result, many researchers view the ability to silently achieve code execution on a victim's device by emulating a GSM or LTE base station as a difficult objective.

In reality, baseband exploitation is not as challenging as it seems. By following a simple list of steps, a baseband platform can be quickly opened up for research, debugging and exploitation. In this course, students will learn our systematic approach to baseband research: from setting up a fake base station using SDR and open-source BTS software, to achieving initial debugging abilities using our embedded hooking framework, and finally reverse engineering the relevant protocols, hunting for bugs and exploiting them.
