Program Analysis for Vulnerability Research

Instructors:  Sophia D'Antoine & Jordan Wiens
Dates:   June 5 to 8, 2023
Capacity:   25 Seats

This four-day course teaches sophisticated program analysis techniques and how to apply them to improve auditing processes, improve your ability to identify interesting code paths, and encode bug primitives for automated identification. Students will learn the basics of how to use Binary Ninja and become familiar with many of the foundational program analysis theories and algorithms behind its analysis. Students will learn how to leverage the advanced analysis provided by Binary Ninja as well as how to extend it for their specific use cases. In doing so, students will learn to perform advanced program analysis for vulnerability research across every architecture.

By the end of the course, students will:

- Have a thorough grasp of the Binary Ninja Python API

- Be familiar with many program analysis concepts and common challenges

- Be able to write sophisticated program analysis plugins unassisted

Course Topic / Agenda

Day 1:

1. API and GUI review

2. Discussion of program analysis use cases

3. Turing machines, correctness, and formal verification

4. In-depth review of the Binary Ninja Low Level Intermediate Language (LLIL)

5. Start to write a generic plugin with the Binary Ninja PluginCommand to better reverse engineer language-specific artifacts

Day 2:

1. SSA form and its benefits

2. The Binary Ninja memory and address concept

3. Control flow analysis vs. Data flow analysis

4. Type propagation inside a function context and across functions

5. Automatically recovering structures inside a function context

6. Abstract interpretation

Day 3:

1. Data flow analysis and tracing the lifetime of a variable or object

2. Path constraint solving using SAT solvers to determine reachability and to solve for input variables

3. Vulnerability discovery with Binary Ninja

4. Identifying “sources” and “sinks” in a program. Using taint analysis to track where controlled input can reach program sinks, and constraint solving to determine the boundaries of a vulnerability
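To make the Day 3 source/sink and data flow items concrete, here is an added example that is not part of the course material and does not use the Binary Ninja API. It runs a taint propagation pass over a constructed toy SSA intermediate language: values returned by designated source functions (here `recv` and `getenv`, an assumed choice) are marked controlled, taint flows through arithmetic and phi nodes until a fixpoint is reached, and any call whose sensitive argument (a `system` command string, a `memcpy` length) is tainted is reported together with the source it came from. The instruction format, addresses and program are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed toy SSA instruction: each one defines at most one SSA variable
# (dest) and reads zero or more SSA variables or constants (args). Calls carry
# the callee name so sources and sinks can be matched by name. This is not the
# Binary Ninja IL, just a minimal stand-in for illustrating the algorithm.
@dataclass
class Instr:
    dest: Optional[str]           # SSA variable defined, or None for a pure call
    op: str                       # "const", "call", "add", "phi"
    args: Tuple[str, ...]         # SSA variables or literal constants read
    callee: Optional[str] = None  # set only when op == "call"
    addr: int = 0                 # constructed address, used for reporting

# Assumed policy: return values of these calls are attacker-controlled ...
SOURCES = {"recv", "getenv"}
# ... and these callees must not receive controlled data in the listed
# argument positions (system: the command string; memcpy: the length).
SINKS: Dict[str, Tuple[int, ...]] = {"system": (0,), "memcpy": (2,)}


def propagate_taint(program: List[Instr]) -> Dict[str, str]:
    """Return {tainted_var: originating_source_var}.

    Iterates to a fixpoint so that taint carried around a loop through a phi
    node (whose second operand is defined later in program order) is caught.
    """
    tainted: Dict[str, str] = {}
    changed = True
    while changed:
        changed = False
        for ins in program:
            if ins.dest is None or ins.dest in tainted:
                continue
            origin: Optional[str] = None
            if ins.op == "call" and ins.callee in SOURCES:
                origin = ins.dest          # the value itself is a source
            else:
                for a in ins.args:         # any tainted operand taints dest
                    if a in tainted:
                        origin = tainted[a]
                        break
            if origin is not None:
                tainted[ins.dest] = origin
                changed = True
    return tainted


def find_tainted_sinks(program: List[Instr]) -> List[Tuple[int, str, int, str]]:
    """Report (addr, callee, arg_index, source_var) for every sink argument
    that a controlled value can reach."""
    tainted = propagate_taint(program)
    hits = []
    for ins in program:
        if ins.op != "call" or ins.callee not in SINKS:
            continue
        for idx in SINKS[ins.callee]:
            if idx < len(ins.args) and ins.args[idx] in tainted:
                hits.append((ins.addr, ins.callee, idx, tainted[ins.args[idx]]))
    return hits


# Constructed program: a loop accumulates a network-supplied count into j,
# which is then used as a memcpy length; a getenv result reaches system().
PROGRAM = [
    Instr("buf_1", "const", ("0x7ffc0000",), addr=0x1000),
    Instr("n_1", "call", (), callee="recv", addr=0x1004),     # source
    Instr("j_1", "const", ("0",), addr=0x1008),
    Instr("j_2", "phi", ("j_1", "j_3"), addr=0x100c),        # loop header
    Instr("j_3", "add", ("j_2", "n_1"), addr=0x1010),        # j += n
    Instr("home_1", "call", (), callee="getenv", addr=0x1014),  # source
    Instr("cmd_1", "const", ('"ls"',), addr=0x1018),
    Instr(None, "call", ("buf_1", "buf_1", "j_2"), callee="memcpy", addr=0x101c),
    Instr(None, "call", ("cmd_1",), callee="system", addr=0x1020),   # clean
    Instr(None, "call", ("home_1",), callee="system", addr=0x1024),  # tainted
]

if __name__ == "__main__":
    for addr, callee, idx, src in find_tainted_sinks(PROGRAM):
        print(f"{addr:#x}: {callee} arg {idx} reaches sink from source {src}")
```

The memcpy finding only appears because the pass reruns after `j_3` becomes tainted, which is what makes `j_2` tainted through the phi; a single forward sweep in program order would miss it. In a real plugin the same loop would walk SSA definitions and uses of an IL function, and the constraint-solving step from item 4 would then ask whether the loop can actually drive `j_2` past the buffer size.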

Day 4:

1. Discuss bug classes, what makes certain ones easier to find programmatically, and why

2. Encoding bug classes as read and write primitives, making it easier to find specific vulnerability types, such as memory corruption and incorrect usage of APIs

3. Write a Binary Ninja pass to find different classes of bugs for specific example targets

4. Attempt to analyze and find bugs in a real-world program

5. Discussion on the future of the field: how machine learning might help us find the harder types of bugs, such as logic bugs


Students should have a basic to intermediate understanding of binary reverse engineering, and be able to write Python.


Students should have workstations or laptops that can run Binary Ninja (licenses are included). Most of the provided binaries are Linux-based, so students may wish to have a VM in which to run them.


Sophia D'Antoine is the founder of Margin Research, focusing on vulnerability research and program analysis. She has spoken at more than thirteen security conferences worldwide on topics including automated exploitation, program analysis, machine learning, and hardware hacking.

Jordan Wiens used to play a lot of CTF, even winning some like DEF CON a handful of times, but then they got hard and now he mostly likes to talk about them and make challenges. Professionally, he's been a network security engineer, vulnerability researcher, engineering manager, and for the last five years a small-business founder, with two co-founders, of Vector 35, makers of Binary Ninja. He's given trainings over two decades across the academic, government, and commercial sectors on reverse engineering and vulnerability research and has presented at conferences including DEF CON, BlueHat, ShmooCon, Insomni'hack, SAS, and many others.

To Register

Click here to register.