Program Analysis for Vulnerability Research

Instructors:  Sophia D'Antoine & Kyle Martin
Dates:  June 24 to 27 2024
Capacity:   25 Seats

This four-day course teaches sophisticated program analysis techniques and how to apply them to improve your auditing process, identify interesting code paths, and encode bug primitives for automated identification. Students will learn the basics of using Binary Ninja and become familiar with the foundational program analysis theories and algorithms behind its analysis. They will learn to leverage the advanced analysis Binary Ninja provides and to extend it for their own use cases, and in doing so to perform advanced program analysis for vulnerability research across every architecture Binary Ninja supports.


On completion, students will:

- Have a thorough grasp of the Binary Ninja Python API

- Familiarity with many program analysis concepts and common challenges

- The ability to write sophisticated program analysis plugins unassisted

Course Topic / Agenda

Day 1:

1. API and GUI review

2. Discussion of program analysis use cases

3. Turing machines, correctness, and formal verification

4. In depth Binary Ninja Low Level Intermediate Language (LLIL) review

5. Begin writing a generic plugin with the Binary Ninja PluginCommand API to better reverse engineer language-specific artifacts

Day 2:

1. SSA Form and its benefits

2. The Binary Ninja memory and address model

3. Control flow analysis vs. data flow analysis

4. Type propagation within a function and across functions

5. Automatically recovering structures within a function

6. Abstract Interpretation

Day 3:

1. Data flow analysis: tracing the lifetime of a variable or object

2. Path constraint solving with SAT solvers to determine reachability and to solve for input values

3. Vulnerability discovery with Binary Ninja

4. Identifying 'sources' and 'sinks' in a program. Using taint analysis to track where controlled input can reach program sinks, and constraint solving to determine the boundaries of a vulnerability

Day 4:

1. Discuss bug classes, which ones are easier to find programmatically, and why

2. Encoding bug classes as read and write primitives, making it easier to find specific vulnerability types such as memory corruption and incorrect API usage

3. Write a Binary Ninja pass to find different classes of bugs in specific example targets

4. Attempt to analyze and find bugs in a 'real-world' program

5. Discussion of the future of the field: how could machine learning help us find the harder kinds of bugs, such as logic bugs?
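To make the Day 3 source/sink item and the Day 4 "encode the bug class as a primitive" item concrete, the following is an added example written for this page (it is not course material and not Binary Ninja code). It runs stand-alone on a hand-written toy SSA IR: a `recv` call is the source, the length operand of `memcpy` is the sink, taint flows backward over single-definition SSA variables, and a sink counts as guarded only when a dominating `cmp_ule var, const` branch leads to it on the true edge. The IR, the instruction names, the sample program and the guard rule are all constructed for illustration; in Binary Ninja the `defs`/chain lookups correspond to the MLIL SSA def/use queries (`get_ssa_var_definition`, `get_ssa_var_uses`), and the dominator computation is provided by the analysis.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Instr:
    dest: Optional[str]   # SSA variable defined here (None for br, ret and calls without a result)
    op: str               # toy mnemonic: call, add, cmp_ule, br, ret
    args: tuple           # SSA variable names (str) or integer constants

SOURCES = {"recv"}        # callees whose return value is attacker-controlled
SINKS = {"memcpy": 3}     # callee -> index in args of the length operand (args[0] is the callee)

def build_cfg(blocks):
    """blocks: {label: [Instr, ...]}; a block ending in br(cond, t, f) has successors [t, f]."""
    succ = {}
    for label, instrs in blocks.items():
        last = instrs[-1]
        succ[label] = [last.args[1], last.args[2]] if last.op == "br" else []
    return succ

def dominators(succ, entry):
    """Iterative dominator sets: dom[n] is the set of blocks on every path from entry to n."""
    nodes = list(succ)
    pred = {n: [] for n in nodes}
    for n, ss in succ.items():
        for s in ss:
            pred[s].append(n)
    dom = {n: set(nodes) for n in nodes}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n == entry:
                continue
            new = {n} | (set.intersection(*(dom[p] for p in pred[n])) if pred[n] else set())
            if new != dom[n]:
                dom[n], changed = new, True
    return dom

def def_use(blocks):
    """SSA guarantees one definition per variable: map var -> (block label, defining Instr)."""
    defs = {}
    for label, instrs in blocks.items():
        for ins in instrs:
            if ins.dest is not None:
                assert ins.dest not in defs, "SSA form: each variable has exactly one definition"
                defs[ins.dest] = (label, ins)
    return defs

def taint_chain(var, defs):
    """Backward slice: every SSA variable var is computed from, stopping at calls and parameters."""
    chain, stack = set(), [var]
    while stack:
        v = stack.pop()
        if v in chain or v not in defs:       # parameters (sock, buf, dst) have no definition here
            continue
        chain.add(v)
        _, ins = defs[v]
        if ins.op == "call":
            continue                          # taint does not flow through call arguments in this model
        stack.extend(a for a in ins.args if isinstance(a, str))
    return chain

def is_tainted(var, defs):
    return any(defs[v][1].op == "call" and defs[v][1].args[0] in SOURCES
               for v in taint_chain(var, defs))

def guarded(label, var, blocks, dom, defs):
    """True when a dominating block branches on cmp_ule(x, const) with x in var's chain and the
    true successor dominates the sink block, i.e. the sink executes only if the check passed."""
    chain = taint_chain(var, defs)
    for d in dom[label]:
        last = blocks[d][-1]
        if last.op != "br":
            continue
        cond, t_label, _ = last.args
        _, cmp_ins = defs[cond]
        if (cmp_ins.op == "cmp_ule" and cmp_ins.args[0] in chain
                and isinstance(cmp_ins.args[1], int) and t_label in dom[label]):
            return True
    return False

def find_tainted_sinks(blocks, entry="entry"):
    """Return (block, sink, tainted length var, guarded?) for every sink fed by a source."""
    dom = dominators(build_cfg(blocks), entry)
    defs = def_use(blocks)
    findings = []
    for label, instrs in blocks.items():
        for ins in instrs:
            if ins.op == "call" and ins.args[0] in SINKS:
                arg = ins.args[SINKS[ins.args[0]]]
                if isinstance(arg, str) and is_tainted(arg, defs):
                    findings.append((label, ins.args[0], arg, guarded(label, arg, blocks, dom, defs)))
    return findings

# Constructed sample program in SSA form (hand-written for this example, not lifted from a binary).
PROGRAM = {
    "entry": [
        Instr("n_1", "call", ("recv", "sock", "buf", 256)),   # source: attacker chooses n_1
        Instr("n_2", "add", ("n_1", 4)),
        Instr("c_1", "cmp_ule", ("n_2", 64)),                  # bounds check on the derived length
        Instr(None, "br", ("c_1", "ok", "fail")),
    ],
    "ok": [
        Instr(None, "call", ("memcpy", "dst", "buf", "n_2")),  # sink: n_2 checked on this path
        Instr(None, "call", ("memcpy", "dst", "buf", "n_1")),  # sink: n_1 bounded only via n_2 = n_1 + 4
        Instr(None, "ret", ()),
    ],
    "fail": [
        Instr(None, "call", ("memcpy", "dst", "buf", "n_1")),  # sink: reached when the check failed
        Instr(None, "ret", ()),
    ],
}

if __name__ == "__main__":
    for block, sink, var, ok in find_tainted_sinks(PROGRAM):
        print(f"{block}: {sink} length {var} is tainted, guarded={ok}")
```

The second finding in `ok` is the interesting one: `n_1` really is bounded there (the check proves `n_1 <= 60`), but a purely syntactic guard rule cannot see that because the comparison was done on `n_2`. Proving that bound requires reasoning about `n_2 = n_1 + 4` under the path condition, which is exactly what the Day 3 constraint-solving step adds on top of taint tracking; the `fail` finding is the genuinely unguarded sink a pass like this exists to report.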


Students should have a basic to intermediate understanding of binary reverse engineering, and be able to write Python.


Students should have workstations or laptops that can run Binary Ninja (licenses are included). Most of the provided binaries are Linux-based, so students may wish to have a VM in which to run them.


Sophia D'Antoine is the founder of Margin Research, focusing on vulnerability research and program analysis. She has spoken at more than thirteen security conferences worldwide on topics ranging from automated exploitation and program analysis to machine learning and hardware hacking.

Kyle Martin is a cyber security software engineer and educator, focused on making all things "binary" easier for humans to understand. Kyle first started teaching at 15 when he became the head counselor at a summer-long computer camp, rewriting their C++ and x86 assembly courses. More recently Kyle led the body of students behind CSAW CTF and CSAW Red, including the internal training initiative enabling students to write the renowned challenges that distinguished those competitions. Now, Kyle runs reverse engineering focused trainings internationally. Kyle brings with him the expertise and support of the entire Vector 35 team, creators of Binary Ninja.
