On This Page

Advanced Security: for Hackers and Developers

Jared DeMott | August 1-2



Overview

As we learned in my first class, there are almost always bugs in code. We found them by auditing, fuzzing, and reversing code. Then we crafted exploits. To counter this reality, vendors have developed a variety of protections.

In this class we continue the battle. We describe a number of modern day protections: things like EMET, Isolated Heap, and CFG. We then perform hands-on lab work to show how bypasses can be constructed. This build-and-break teaching style provides the tools for vulnerability researchers, security engineers, and developers to perform cutting edge work.

The second half of the class is all about the kernel. You will learn how to debug, audit, fuzz, and exploit kernel code. The class is fast pasted, but low stress and fun. Prepare to learn!


Day 1

1. ROP
  • Lecture: EMET includes 5 ROP protections. We discuss how they work, and how they could be bypassed
  • Lab: Bypass EMET by upgrading existing working exploit

2. Use-after-free
  • Lecture: Browser vendors have added UaF protections
  • Lab: Bypass Isolated Heap and Deferred Free

3. Control Flow Integrity
  • Lecture: Describe new feature in VS 2015, used to protect program execution
  • Lab: Bypass Microsoft's Control Flow Guard

4. Browser Extension Exploitation
  • Lecture: Discuss flash and describe an exploit that was disclosed as part of the Hacking Team fiasco
  • Lab: Understand and work with the exploit

Day 2
1. Kernel Debugging
  • Lecture: Discuss the Windows Architecture, including the principles and components of the Kernel
  • Lab: Learn how to debug system code

2. Kernel Auditing
  • Lecture: Windows drivers- how they work and how to find bugs in them
  • Lab: Find bugs in the provided driver code

3. Kernel Fuzzing
  • Lecture: Syscalls, IOCTLs, User/GDI, Networking/IO stacks, etc.
  • Lab: Perform GDI/Font fuzzing

  • 4. Kernel Exploitation
  • Lecture: Teach about kernel exploits and defenses
  • Lab: Examine details of two kernel exploits: how ROP and actual elevation works

Who Should Take this Course

Anyone interesting in hard core code security and vulnerabilities. Security researchers, managers, testers, developers, security architects, etc.

Student Requirements

It is recommended that you take Dr. DeMott's "Application Security: for Hackers and Developers" course first, or have equivalent knowledge.

What Students Should Bring

Students are required to provide a laptop for the course. Your computer should have 100GB of free HD space and should have 8GB of RAM. Install ahead of time either VMware workstation/player or Fusion.

Also, if you happen to have a Licensed version of IDA pro, that is preferable to the demo version as well.

What Students Will Be Provided With

You will be given one or more virtual machines. Copy to your hard drive, and pass the portable Media to your neighbor. You may not share any course material with non-students.

Trainers

Dr. Jared DeMott is a seasoned security researcher, and has spoken at conferences such as ShmooCon, DerbyCon, BlackHat, Defcon, ToorCon, Shakacon, DakotaCon, CarolinaCon, ThotCon, GRRCon, etc. Past notable research relates to stopping a trendy hacker exploit technique (known as ROP), by placing as a finalist in Microsoft's BlueHat prize contest, and by showing how to bypass Microsoft protections, such as EMET. Jared is active in the security community by teaching his Security course, and has co-authored the book Fuzzing for Software Security Testing and Quality Assurance. DeMott has been on three winning Defcon CTF teams. He has been an invited lecturer at prestigious institutions such as the United States Military Academy, and previously worked for the National Security Agency. DeMott holds a PhD from Michigan State University.