This class teaches developers how to avoid writing implementation flaws, or detect ones that are already in their code...but it also teaches vulnerability-hunters how to find the flaws as well!
ABSTRACT
Dual-purpose class: This class teaches developers how to avoid writing implementation flaws, or detect ones that are already in their code...but it also teaches vulnerability-hunters how to find the flaws as well! So it's an epic battle between contentious developers and devious vulnerability hunters! Who will win?! Whoever most takes the lessons of this class to heart!
This class features 73 detailed explanations of real CVEs from the past few years, to teach you to hone your "sploity sense" with real vulnerabilities, not fake ones!
ONE OF A KIND CLASS FORMAT
Because we give you all the lecture and lab materials and videos after class, what you're really paying for is support from the instructor! So you'll be entitled to keep asking up to 20 questions after class, with 1-2 hour turnaround answers (after accounting for time-zone differences.) This lets you keep productively working through the material if you run out of time at the conference. If you'd like to learn more about the benefits of this style of class delivery, please read this blog post.
KEY LEARNING OBJECTIVES
- Learn to recognize the common programming errors that lead to the most frequent causes of exploitable vulnerabilities:
- (Linear) stack buffer overflows
- (Linear) heap buffer overflows
- (Non-linear) out-of-bound writes
- Integer overflows/underflows
- Other integer issues (e.g. bypassing sanity checks due to signed comparisons, integer truncation/extension errors, sign extension errors.)
- Uninitialized data access
- Race conditions (double fetch, TOCTOU)
- Use-after-free
- Type confusion
- Information disclosure
- Learn what options developers have in terms of prevention, detection, and mitigation for each vulnerability type.
- Showing examples of exploitation of a subset of the example vulnerabilities, that might otherwise seem unexploitable.
- An explicit non-goal is to teach the student how to exploit the vulnerabilities themselves. That will be covered in a future class. (Therefore this class's applicability stops at "secure development" or "vulnerability auditor", and doesn't extend to "exploitation engineer".)
COURSE DETAILS
AGENDA
- Class Introduction
- Attacker motivations & capabilities
- Stack Buffer Overflows
(Key: 🌚 = 0day in the wild, 🪡 = includes exploit explanation) - Overview
- Heap Buffer Overflows
- Overview
- Non-linear Out-of-bounds Writes (OOB-W)
- Overview
- Integer Overflows/Underflows
- Overview
- Other Integer Issues
- Overview
- Conclusion for Part 1
- Overview
- Race Conditions
- Overview
- Use-After-Free (UAF)
- Overview
- Type Confusion
- Overview
- Information Disclosure
- Overview
- Conclusion for Part 2
- Choose-your-own-adventure. Select the examples you're most interested in from:
- CVE-2022-22252
- CVE-2022-29181
- CVE-2020-9833
- CVE-2021-3947
- CVE-2020-25624
- CVE-2019-8921
- CVE-2021-22898
- CVE-2021-22925
- Prevention, Detection, Mitigation (it's doing all the things to PDM the root-cause bug classes that lead to info disclosure!)
- Choose-your-own-adventure. Select the examples you're most interested in from:
- CVE-2021-1732🌚🪡 & CVE-2022-21882🌚
- CVE-2020-3853
- CVE-2021-30857
- CVE-2020-27932🌚 & CVE-2021-30869🌚
- CVE-2021-41073
- CVE-2022-1786
- Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
- Choose-your-own-adventure. Select the examples you're most interested in from:
- CVE-2020-29661🪡
- CVE-2021-28460
- CVE-2020-2674
- CVE-2020-2758
- CVE-2021-36955
- CVE-2020-9715
- Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
- Choose-your-own-adventure. Select the examples you're most interested in from:
- CVE-2019-11098🪡
- CVE-2021-4207
- CVE-2021-34514
- 2022-CVE-None-MSMu
- CVE-2020-7460
- 2019-CVE-None-QualcommWiFiSB
- Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
- Choose-your-own-adventure. Select the examples you're most interested in from:
- CVE-2019-1458🌚🪡
- CVE-2022-26721
- CVE-2022-1809
- CVE-2021-3608
- CVE-2022-29968
- CVE-2021-27080
- Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
- Uninitialized Data Access
- Choose-your-own-adventure. Select the examples you're most interested in from:
- CVE-2019-15948🪡
- CVE-2019-14196
- CVE-2019-20561
- CVE-2020-15999🌚
- CVE-2020-17087🌚
- CVE-2021-33909 "Sequoia"
- Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
- Choose-your-own-adventure. Select the examples you're most interested in from:
- CVE-2020-0796🪡 "SMBGhost"
- CVE-2019-5105
- CVE-2019-3568🌚
- CVE-2019-14192
- CVE-2020-11901 (Part of "Ripple20")
- CVE-2020-16225
- CVE-2020-17443 (Part of "Amnesia:33")
- CVE-2021-30860🌚
- CVE-2021-22636
- Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
- Choose-your-own-adventure. Select the examples you're most interested in from:
- CVE-2019-10540🪡
- CVE-2020-0938🌚
- CVE-2020-1020🌚
- CVE-2020-13995
- CVE-2020-27930🌚
- CVE-2021-26675 "T-BONE"
- CVE-2021-28216
- CVE-2022-25636
- Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
- Choose-your-own-adventure. Select the examples you're most interested in from:
- CVE-2020-0917🪡
- CVE-2019-7287🌚
- CVE-2020-11901 (Part of "Ripple20")
- CVE-2020-25111 (Part of "Amnesia:33")
- CVE-2020-27009 (Part of "NAME:WRECK")
- CVE-2021-21555
- CVE-2021-42739
- Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
- Choose-your-own-adventure. Select the examples you're most interested in from:
- CVE-2021-21574🪡 "BIOS Disconnect"
- CVE-2022-0435
- CVE-2018-9312
- CVE-2018-9318
- CVE-2020-10005
- CVE-2021-20294
- CVE-2021-43579
- 2021-CVE-None-BaseBand#1
- CVE-2022-0435
- Prevention
- Writing good sanity checks, by example
- Safer C runtime API options
- FORTIFY_SOURCE
- Piecemeal type-safe language usage
- Detection
- FORTIFY_SOURCE
- Manual code auditing guidance
- Commercial static analysis tools
- Fuzzing
- Address Sanitizer
- Mitigation
- Stack Canaries
- Address Space Layout Randomization (ASLR)
- Non-Executable Memory
- Control Flow Integrity (CFI)
- Tagged Memory
REQUIREMENTS
Hardware Requirements
- Any computer capable of watching online videos.
- Headphones for watching videos, (preferably over-ear so you're not disturbed as the instructor is walking around the class answering individuals' questions).
Software Requirements
- Git and Subversion to check out vulnerable code.
- Your favorite code-reading software / IDE. If you don't have a favorite, Eclipse is recommended because it works the same on all OSes, and a usage guide will be given.
- A link to a software setup guide will be sent before class, and the student should install them before class to maximize time available for interaction with the instructor.
ABOUT THE INSTRUCTOR
Xeno began leading Windows kernel-mode rootkit detection and defense research projects at MITRE in 2009, before moving into research on BIOS security in 2011. His team's first public talks started appearing in 2013, which led to a flurry of presentations on BIOS-level vulnerabilities up through 2014. In 2015 he co-founded LegbaCore. And after presenting a firmware worm that could spread between Macs via Apple's EFI-based BIOS and Thunderbolt Ethernet adapters, he ended up working for Apple. There he worked on securing all the lesser-known firmwares on Macs and peripherals - everything from 3rd party GPUs to SecureBoot for monitors! He worked on the x86-side of the T2 SecureBoot architecture, and his final project was leading the M1 SecureBoot architecture - being directly responsible for designing a system that could provide iOS-level security, while still allowing customer choice to trust arbitrary non-Apple code such as Linux bootloaders. He left Apple in Dec 2020 after the M1 Macs shipped, so he could work full time on OpenSecurityTraining2.