The C programming language gives the programmer a lot of rope to hang himself with - and C++ just adds to the feature list. Both languages
have an impressive number of subtle pitfalls, and many of these can be leveraged by a skilled attacker to execute code on a computer
on which these vulnerable programs run. But while almost everybody seems to understand the significance of these programming mistakes,
few actually sit down and analyze code from the security analysis perspective. This workshop focuses on teaching security-specific
code-analysis, both in source and in binary form.
Day One: Basics
The first day will start out with a thorough review of common (and not so common) security-critical bugs in C, and discuss a number
of methodologies used for finding such mistakes. A few problems specific to C++ code will be covered, and tools that can help in
the process of code analysis will be discussed.
As a next step, the connection between C/C++ and the generated assembly code will be treated: How do high-level-language features such as switch()-statements, conditionals, class inheritance etc. translate to the assembly level? How can a reverse engineer reconstruct parts of them?
Day Two: Automation
The second day is dedicated to semi-automation of the analysis process: Visualization tools will be used to facilitate program
understanding, and IDAPython scripts for structure/object reconstruction and other repetitive tasks will be created and used. Once
we have a decent toolkit, we will start the analysis of a closed-source application in the hope of finding security bugs.
Course Length: Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.
is SABRE Labs' founder. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development.
Early (ends Jan 1): $2200
Regular: $2400
Late: $2700
Onsite: $2900
Black Hat USA 2009
July 25-30
Caesars Palace
Las Vegas, NV
Training July 25-28
Briefings July 29-30