The purpose of the course is to introduce students with prior basic exploitation experience (on other architectures) to "real world" exploitation scenarios on the ARM processor architecture. The reality is that exploitation these days is harder and a bit more nuanced than it was in the past with the advent of protection mechanisms like XN, ASLR, stack cookies, etc. As such, this course is called "practical" because it aims to teach exploitation on ARM under the real-world circumstances in which the exploit developer will encounter (and have to circumvent) these protection mechanisms. The course materials focus on advanced exploitation topics (circumventing protection mechanisms) using Linux as the platform as a basis to learn the ARM architecture but with the obvious applications being platforms running on mobile phones, tablets, embedded devices, etc.
Our hope is that students with some previous exploitation experience go from knowing nothing about ARM on the first day to exploiting custom heap implementation (bypassing ASLR, NX) using their hand-built ROP connect-back-shell payload on the the last day.
Class Syllabus:
Day 1: Laying the Ground Work (with an eye to exploitation)
Slide Deck: "Intro"
Instructor Bios, Course Outline/Schedule, Course Goals
Slide Deck: "Introduction to the ARM Architecture"
Architecture Summary/Layout, Instructions/Registers, Instructions Modes, nuances
Lab: "Basics 1":"GDB"
Use GDB to debug/modify a faulty ARM app, rudimentary code injection.
Lab: "Basics 1B": "IDA"
Use IDA Pro to get familiar with ARM-isms: calling convention, IDA's ARM quirks.
Lab: "Basics 2":"Spotting Vulns in Source"
Students audit some little code snippets. (Student skills baseline/assessment tool).
Slide Deck: "Tools and the Lab Environment"
Intro to the QEMU ARM setup, intro to the exercises, intro to custom tools to assist with labs.)
Lab: "Basics 3": "IDA and GDB tag-team"
Use IDA and GDB in tandem to comprehend application flow subvert the app.
Lab: "Basics 4"
Trace through ARM app (dealing with ARM-isms: calling conventions, parameters) to reverse engineer and subvert a blackbox password app with embedded crypto.
Slide Deck: Shellcoding, ELFs, Dynamic Linking
Review of dynamic linking in ELFs. Intro to authoring ARM shellcode
Lab: "Basics 5": "Shellcoding"
Students modify assembly code stub, assemble it, and extract the shellcode to be loaded into an "loader" app.
Slide Deck: "Stack Overflows"
Basics of Stack Overflows (NOP sleds, bouncepoints, etc). Intro to defensive countermeasures: stack cookies, and subverting with "ROP-lite" return-to-libc. Finding bouncepoints on ARM. Nuances of stack overflows on ARM. The rediculousness of NOP sleds...
Lab: "Simple Stack Overflow"
Find and exploit a stack overflow bug in a vulnerable app. Students modify a "test harness" that both triggers the vulnerabilty and injects the payload. Modification of the harness with apppropriate addresses demonstrates comprehension.
Day 2: Basic to Intermediate Techniques
Review yesterday afternoon: Simple Stack Overflow walkthrough again.
Slide Deck: "Stack Overflows and Ret2Libc"
Introduce Non executable stack (XN)" and how to subvert it with Return-to-Text or commonly inaccurately referred to as (Return-to-LibC" or as we call it: "ROP Lite". Students get stepped through a vulnerability to see how this works step-by-step. (We come back to the nuances of ROP gadget finding later in the course)
Lab: "Simple Stack Overflow: XN Stack"
Using a "test harness" containing gadgets we give to the student (expecting them to just accept them for now until we come back to go into ROP-gadget finding in more detail later) to find and exploit a XN stack app by returning to mprotect()
Slide Deck: "Advanced Stack Overflows"
Introduction to XN, ASLR, and Stack cookies on on ARM. Discuss and see examples of ways to subvert stack cookies. (overwriting __stack_chk_guard, info disclosure bug, partial/full pointer overwrites, exception-handler overwrites)
Lab: "Advanced Stack XN"
Students exploit network based service that uses XN and Stack Cookies using partial pointer overwrites and ROP-Lite techniques
Slide Deck: "ROP"
Discuss reason for ROP (Code signing, ASLR, cookies). techniques/tools for manually finding gadgets manually on ARM. A walkthrough of useful gadgets found on our target. Structure of Gadgets"Chaining versus non-Chaining gadgets". Some ROP tricks/nuances on ARM.
Lab: "Custom ROP simplified"
Students find and exploit a vulnerable application by building a custom payload by stringing together a bunch of ROP gadgets (found for them by the instructors on the target).
Slide Deck: "ROP" (go through this as refresher same as above)
Lab: "Custom ROP with full root shell"
Students exploit a vulnerable application by handcrafting a ROP payload (with given gadgets) to obtain a full rootshell on the host.
Day 3 & 4: Intermediate to Advanced Techniques
Slide Deck: "Basic Heaps"
Intro to Heap Overflows on ARM: How stuff goes wrong, grooming/feng-shui-ing, etc. examining a toy heap implementation, TCMalloc's thread-cache freelist, and ways we can exploit all of these.
Lab: "Simple Heap Unlink"
Student will exploit a contrived network server, associating "protocol" events with heap events. Students will groom the target and exploit it with provided payload.
Slide Deck: "More Heaps"
More on heap exploitation. Singly Linked List (LIFO) exploitation. Review of Heap Overflow mitigations, taking a closer look at TCMalloc.
Lab: "Simple Heap (WMW) Write Me Where"
Student will exploit a contrived network server (this time that uses TCMalloc), associating "protocol" events with heap events. Students will groom the target and exploit it with a payload they must modify.
Slide Deck: "Application Level Heap Attacks"
Introduce application level exploitation: Techniques for investigating these kinds of vulnerabilities. Exploiting VTable overwrites, partial/full pointer overwrites.
Lab: "MultiHeap"
Student will locate and trigger a heap overflow in a custom heap implementation. Student will use heapspray and VTable overwrites to successfully exploit the application.
Slide Deck: "Stack Flipping"
Combining concepts introduced earlier (XN, ROP, and heap overflows) students will be introduced and shown how to evade XN by "flipping" the call stack into forged stack frames on the heap. Students will also be introduced to techniques and "gotchas" around finding "pivots" and nuances about ARM that make this more interesting.
Lab: "MultiHeap XN"
Students will use a heapspray or similar technique to overwrite a C++ object to create a fake vtable entry that redirects the stack pointer into the heap...executing their ROP payload to get a shell.
Slide Deck: "Defeating ASLR"
Students will be introduced to ASLR and how it is implemented as well as many of the nuances of how to defeat ASLR (infoleaks, developer debug code, RPC/RMI leaks, predictable ASLR PRNG, uninitialized mem, JIT, etc).
Lab: "MultiHeap XN ASLR"
Students will find and exploit an information disclosure vulnerability to remotely determine the location of libc and successfully craft (modify a given) payload to successfully evade XN, ASLR, and obtain a connectback shell into the owned application.
Slide Deck: "Conclusions - Closing"
http://www.armexploitation.com/"Makers," Tinkerers, Developers, IT Professionals, Mobile Developers, Hackers, Penetration Testers, Forensic Investigators, reverse engineers, software security auditors/analysts, software exploitation engineers, jail breakers, and anyone interested.
Stephen A. Ridley is a principal researcher at Xipiter and chief architect at Senrio Inc (http://senr.io) . He has more than 10 years of experience in software development, software security, and reverse engineering. Prior to Xipiter, Mr. Ridley served as the Chief Information Security Officer of a financial services firm and prior to that was a Senior Researcher at Matasano. He also was Senior Security Architect at McAfee, and a founding member of the Security and Mission Assurance (SMA) group at a major U.S defense contractor where he did vulnerability research and reverse engineering in support of the U.S. intelligence community. He has spoken about reverse engineering and software security at Black Hat, ReCon, CanSecWest, EuSecWest, Syscan and other prominent information security conferences. Stephen is a co-author of "The Android Hacker's Handbook" published by Wiley & Sons.