This four-day training teaches students without prior experience how
to develop exploits for modern binary software, taking them from
1990s-style stack buffer overflows through contemporary exploitation
of programs protected by NX, ASLR, and stack canaries. We focus on
exploiting Linux user-mode x86/x64 binaries, but the lessons learned
from the class are widely applicable to other platforms and
architectures. The course is taught by an RPISEC alumnus who
co-authored the initial development and teaching of the Modern Binary
Exploitation course (https://github.com/rpisec/mbe), but the material
for this course is all new. Instruction will focus on teaching
students how to reason about the fundamental structures that give rise
to software vulnerabilities, underlie various exploitation techniques,
and drive mitigation development. Students will leave with hands-on
experience writing real exploits, and the theoretical knowledge
necessary to approach exploiting novel 0-day vulnerabilities and
bypassing anti-exploitation mitigations.
TEACHING
Course instruction will be conducted primarily through
hands-on-keyboard exercises rather than lecturing. The course will use
challenges which give students real-time feedback. The entire class
will regularly sync up as a group to discuss concepts, problems, and
solutions.
LEARNING OBJECTIVES
* Students will learn about vulnerabilities in C code and how to take
these vulnerabilities from crash to arbitrary code execution
* Students will gain experience writing software exploits, from 1990s
stack buffer overflows to contemporary use-after-frees
* Students will develop and deploy shellcode/ROP payloads for their
exploits
* Perhaps most importantly, students will come away from the class with
a firm grasp of the fundamental principles that underlie software
vulnerabilities and anti-exploitation mitigations. Students will have
the skills to reason about how they might go about exploiting new
0-day vulnerabilities, creating effective mitigations against
exploitation, and evaluating and bypassing novel mitigations.
PREREQUISITES
This training is designed to teach exploitation to individuals with
little to no prior background in the field, but students are expected
to have a solid grasp of programming in C or C++, and basic knowledge
of the Linux command line. Prior experience with reverse-engineering
and/or reading x86/x64 assembly, and debugging with GDB, is nice to
have, but definitely not required.
LOGISTICS
SCHEDULE
Course Length: 4 Days
Class Hours: Tuesday - Friday, 8:30am - 6:00pm
COURSE LOCATION
30 JFK St, Unit Basement, Cambridge, MA 02138
CLASS SIZE
18 Students
FACILITY
Many other course providers, such as those found at security
conferences, require students to bring their own equipment and
licensed software. Hardware incompatibilities, software
incompatibilities, open source substitutes and configuration issues
can all burn valuable instruction time.
At BCI, we provide each student with all the necessary equipment for
the course in a dedicated 1200 square foot classroom with plenty of
room for each student. No preparation or equipment is necessary. All
you have to do is show up and learn!
In our classroom, each student is provided:
- 28" 4k monitor
- Desktop computer with a 7th generation Intel processor
- 16GB RAM
- Ergonomic keyboards and mice
- Windows 10
- Linux (Ubuntu 18.04)
- VMware Workstation
- Licensed copy of IDA Pro
TOPICS
CLASS OUTLINE
Day 1: Fundamentals
* Program structure
* Disassembly and Debugging with IDA Pro and GDB
* x86 refresher
* Basic bug classes
* Hijacking control flow
* Stack overflows
* The Linux syscall interface
Day 2: Classic Exploitation and Shellcoding
* Stack cookies
* Corrupting application data
* Shellcoding
* Corrupting function pointers
* Arithmetic and integer errors
* DEP
* Ret2libc
* Intro to ROP
Day 3: Modern Mitigations and Techniques
* ASLR
* Heap overflows
* UAF
* Heap grooming
* C++ bug classes and exploitation
Day 4: Putting It All Together
* Combining primitives
* Reasoning about mitigations and bypasses
* Exploitation on other platforms and architectures
* Continuity of execution
* Weird machines
TEACHING METHODOLOGY
The most important quality that distinguishes BCI from our competitors
is our emphasis on teaching. Our approach is heavily influenced by the
unparalleled teaching effectiveness of Capture-the-Flag (CTF)
exercises. We also use the following principles in our teaching:
1. ENVIRONMENT: Lighting, music, structured breaks. Our experience
shows that the environment can improve focus, learning outcomes,
attitude, and stamina.
2. TEAM-BASED: Our classes are structured to prepare students for what
they're going to experience outside of the classroom. Students will
work individually, in pairs, and in teams.
3. HANDS-ON EXERCISES: 95% of the learning that occurs in our
classroom will be due to students applying their skills to do
something, not just memorize knowledge to know something.
4. IMPOSSIBLE TO CHEAT: Any solution that meets the requirements is
valid. It is our job as the course designers to create real barriers
to shortcuts and not just ask students to imagine them. Because the
problems are real, the only way to succeed is by finding real
solutions.
5. COMPOSABILITY: Students compose the solutions for exercises into
larger capabilities for use in later exercises.
6. IMMEDIATE FEEDBACK: Every effort is given to design automated
validation mechanisms which allow students to know immediately whether
they have completed their goal. Examples of this are CTF flags or
passwords in crackmes.
7. OBJECTIVE SOLUTIONS, SUBJECTIVE APPROACHES: No one will ever wonder
if they have the correct answer, it will be self-evident and
objective. How the solution was discovered or implemented is left as a
creative exercise. We fully expect students to create solutions we
never considered and will encourage them to do so.
8. VARIABLE PACING: Students move at different paces. We make every
effort for students to always have the ability to tackle the next
exercise, without having to wait for the rest of the class.
Simultaneously, those who need additional time with exercises are
given the attention they need to be successful.
9. PEER-TEACHING: Select student submissions are uploaded to a common
repository available to the rest of the class. This allows students to
see the myriad of ways other students approach problems.
10. INSTRUCTOR FEEDBACK/SOLUTIONS: Every problem will have a provided
solution and for the most important problems, instructors will review
student solutions with each student.
11. NARRATIVE: Just as in real development, students will never have
to ask: "Why am I doing this"? Exercises will be motivated by
real-world scenarios, be referentially consistent, and build toward
larger goals.
12. REALISM: Our curriculum is influenced by current events and
relevant case-studies from years past. The emphasis is always on
realism either through representative examples or, when appropriate,
exact copies of malware.
13. MINIMAL LECTURE: As instructors, our goal is to never be the
bottleneck for students’ growth. Whenever we address the class as a
whole, it is because they are facing problems as a group and would
find it useful to hear us speak.
14. CALIBRATED DIFFICULTY: Exercises are designed and sequenced to
challenge students appropriately without overwhelming them. There are
times we use frustration as a teaching tool, but always do so
deliberately.
15. CASE STUDIES: Implant/malware development has been around for
decades now. We draw from this rich history and use case-studies to
illustrate what has succeeded or failed, and why. We use publicly
available information about the end-to-end operations and use it to
contextualize the technical lessons in the classroom.
INSTRUCTORS
JEREMY BLACKTHORNE is co-founder and lead instructor of the Boston
Cybernetics Institute (BCI). He is a former researcher at MIT Lincoln
Laboratory in the Cyber System Assessments group. There his research
focused on building and breaking cybersecurity solutions for the
military. He also created and delivered training in
reverse-engineering and exploitation to technical specialists and
management personnel from the Air Force, Navy, and Special Operations
communities. He is the co-creator and instructor of the MIT IAP 2016
Software Reverse-Engineering course [1]. He is also the co-creator and
instructor of the Rensselaer Polytechnic Institute (RPI) courses:
Modern Binary Exploitation, Spring 2015 [2] and Malware Analysis,
Spring 2013 [3]. Blackthorne was an active member of the student
security club and CTF team, RPISEC, from 2012 to 2015, where he taught
seminars on reverse-engineering, exploitation, and various other
cybersecurity topics. He served in the U.S. Marine Corps from 2002 to
2006 and completed three tours in Iraq. He has a BS in computer
science from the University of Michigan-Dearborn and an MS in computer
science from RPI. He is currently a PhD candidate in computer science
at RPI focusing on anti-analysis techniques in computer programs.
EVAN JENSEN is co-founder and CTO of BCI, where he splits his time
between performing assessments and creating solutions for clients and
teaching. He is an experienced instructor in reverse-engineering and
exploitation. Evan has taught reverse-engineering at BU, RPI, NYU,
MIT, the United States Military Academy at West Point and MIT Lincoln
Laboratory. Before founding BCI, Evan worked for MIT Lincoln
Laboratory's Cyber System Assessments Group and Facebook's red
team. He was an instructor for NYU's weekly Hack Night from 2011 to
2014, covering reverse-engineering, exploitation, and various other
cybersecurity topics [4]. He developed nearly all of the lessons for
Trail of Bits' CTF Field Guide, covering vulnerability discovery,
exploitation, forensics, and operational tradecraft [5]. Jensen was
heavily involved in teaching cybersecurity in the NYU Polytechnic
community. He was co-instructor with Dan Guido for the course
Penetration Testing and Vulnerability Analysis during Fall 2012 and
Fall 2013 [6], and was a teaching assistant for Neil Daswani for the
course Application Security during Spring 2013 [7]. Passionate about
enabling others to learn via the medium of repeated failure, he was
CTF captain of Brooklynt_Overflow from 2012 to 2014 and founding
member/captain of Lab RATs from 2014 to 2016, which placed 10th in the
DEF CON finals in 2017. He has a BS in computer science from NYU Tandon
School of Engineering.
REFERENCES
[1] J. Blackthorne, P. Hulin, and T. Leek, "January 2016 MIT IAP
Courses," 2016. [Online]. Available:
https://beaverworks.ll.mit.edu/CMS/bw/iap. [Accessed: 04-Mar-2018].
[2] P. Biernat et al., "Modern Binary Exploitation - CSCI 4968,"
2015. [Online]. Available: https://github.com/RPISEC/MBE. [Accessed:
02-Apr-2018].
[3] J. Blackthorne and B. Yener, "CSCI 4972/6963 Malware
Analysis," 2013. [Online]. Available:
http://security.cs.rpi.edu/courses/malware-spring2013/. [Accessed:
04-Mar-2018].
[4] "NYU Tandon's OSIRIS Lab's Hack Night." [Online].
Available: https://github.com/isislab/Hack-Night. [Accessed:
02-Apr-2018].
[5] A. Ruef et al., "CTF Field Guide." [Online]. Available:
https://trailofbits.github.io/ctf/. [Accessed: 04-Mar-2018].
[6] E. Jensen and D. Guido, "CS 6573 Penetration Testing and
Vulnerability Analysis." [Online]. Available:
http://bulletin.engineering.nyu.edu/preview_course_nopop.php?catoid=5&coid=14223.
[Accessed: 04-Mar-2018].
[7] N. Daswani, "CS-GY 9163 Application Security," 2014. [Online].
Available:
http://bulletin.engineering.nyu.edu/preview_course_nopop.php?catoid=9&coid=23997.
[Accessed: 04-Mar-2018].
Last update: 16/11/2019