This class teaches you how to disassemble binaries, read RISC-V assembly language, and debug black-box binaries in GDB.
ABSTRACT
RISC-V is the new hotness! It's going to take over the world! But what is RISC-V, and why should you care?
RISC-V is an open-source Instruction Set Architecture (ISA). Or, in reality, a small, tight-knit family of ISAs and ISA extensions. That modularity lets it be cut down to work for a 32-bit embedded system, or scaled up for a 64-bit desktop system.
But it's the open-source aspect of RISC-V that will make it take over. In a world where many embedded device makers use ARM ISAs but have to pay ARM a licensing fee, what company wouldn't want to investigate making its chips without paying licensing fees to ARM, or Tensilica, or others? E.g. in 2022 Espressif indicated they'll be using RISC-V exclusively for all future chips. So in the same way that Linux found some clearly beneficial early niches and kept expanding from there, RISC-V has begun to find its niches, and natural market forces will cause it to continue to expand.
This class teaches you how to disassemble binaries, read RISC-V assembly language, and debug black-box binaries in GDB. This knowledge of assembly is the fundamental skill required to learn reverse engineering and vulnerability exploitation. Reverse engineering is in turn a fundamental skill required for malware analysis and vulnerability hunting.
ONE OF A KIND CLASS FORMAT
Because we give you all the lecture and lab materials and videos after class, what you're really paying for is support from the instructor! So you'll be entitled to keep asking up to 20 questions after class, with 1-2 hour turnaround on answers (after accounting for time-zone differences). This lets you keep productively working through the material if you run out of time at the conference. If you'd like to learn more about the benefits of this style of class delivery, please read this blog post.
KEY LEARNING OBJECTIVES
- Learn the RV32I base instruction set for 32-bit programs
- Learn the RV64I base instruction set for 64-bit programs
- Learn the "C" standard extension for compressed instruction encoding (16-bit encoding instead of 32-bit)
- Learn the "M" standard extension for multiplication, division, and remainders
- Learn about the 32 RISC-V general purpose registers + the Program Counter (PC)
- Understand the at times confusing or counter-intuitive compiler-isms of GCC which lead to particular patterns in executables' assembly.
- Learn to debug and analyze RISC-V executables which you don't have the source code for, in GDB.
- Learn how to write C code and disassemble it to see what instructions were generated, but also how to write assembly to see how it behaves, or even raw bytes to see how the assembler and processor interpret them.
- Be comfortable with Reading The Fun Manual (RTFM!) to seek out the most accurate details of how things work.
- Reverse engineer the black-box Carnegie Mellon "Binary Bomb Lab", which has changed the lives of so many students (the instructor included!). This is a major hands-on reverse engineering exercise (which can take anywhere from 2 hours to 2 weeks!) that has been worked through by thousands of students the world over. It gives you something substantive to chew on even after class, to really reinforce your understanding and capability to read assembly.
- Use Ghidra to debug the binary bomb lab in an emulated environment
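To make the encoding points in the objectives above concrete (telling 16-bit compressed instructions from 32-bit ones, the 32 ABI-named registers, and feeding raw bytes to a decoder to see how they are interpreted), here is an added example; it is not course material and not the instructor's code. It is a small Python decoder for RV64I plus the "M" extension and the handful of compressed forms that show up in function prologues and epilogues. Field layouts follow the RISC-V unprivileged ISA manual; the sample byte stream is hand-assembled (not GCC output), and the decoder covers only the subset it names.

```python
"""Tiny RISC-V instruction sizer/decoder: RV64I + "M", plus the RVC forms seen in
prologues/epilogues.  Added example for this page, not course material."""
import struct

# ABI names for the 32 general-purpose registers x0..x31
ABI = ["zero", "ra", "sp", "gp", "tp", "t0", "t1", "t2", "s0", "s1",
       "a0", "a1", "a2", "a3", "a4", "a5", "a6", "a7",
       "s2", "s3", "s4", "s5", "s6", "s7", "s8", "s9", "s10", "s11",
       "t3", "t4", "t5", "t6"]
OP_IMM = {0: "addi", 2: "slti", 3: "sltiu", 4: "xori", 6: "ori", 7: "andi"}
OP_R = {0: ("add", "sub"), 1: ("sll", None), 2: ("slt", None), 3: ("sltu", None),
        4: ("xor", None), 5: ("srl", "sra"), 6: ("or", None), 7: ("and", None)}
OP_M = ["mul", "mulh", "mulhsu", "mulhu", "div", "divu", "rem", "remu"]
OP_32 = {0: ("addw", "subw"), 1: ("sllw", None), 5: ("srlw", "sraw")}
OP_M32 = {0: "mulw", 4: "divw", 5: "divuw", 6: "remw", 7: "remuw"}
LOADS = {0: "lb", 1: "lh", 2: "lw", 3: "ld", 4: "lbu", 5: "lhu", 6: "lwu"}
STORES = {0: "sb", 1: "sh", 2: "sw", 3: "sd"}
BRANCHES = {0: "beq", 1: "bne", 4: "blt", 5: "bge", 6: "bltu", 7: "bgeu"}

def sext(value, bits):
    """Sign-extend a `bits`-wide two's-complement field."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value

def insn_length(halfword):
    """Length rule: low two bits != 0b11 -> 16-bit "C" encoding; 0b11 with
    bits[4:2] != 0b111 -> 32-bit.  Longer encodings are not handled here."""
    if halfword & 0b11 != 0b11:
        return 2
    if (halfword >> 2) & 0b111 != 0b111:
        return 4
    raise ValueError("instruction longer than 32 bits")

def decode16(hw):
    """Decode the RVC forms used below; anything else is shown as raw data."""
    op, f3, bit12 = hw & 3, (hw >> 13) & 7, (hw >> 12) & 1
    rd, rs2 = (hw >> 7) & 0x1F, (hw >> 2) & 0x1F          # rd doubles as rs1
    imm6 = sext((bit12 << 5) | rs2, 6)                      # CI-format immediate
    if op == 1 and f3 == 0:
        return "c.nop" if rd == 0 and imm6 == 0 else f"c.addi {ABI[rd]},{ABI[rd]},{imm6}"
    if op == 1 and f3 == 2 and rd != 0:
        return f"c.li {ABI[rd]},{imm6}"
    if op == 2 and f3 == 4:
        if bit12 == 0:
            return f"c.jr {ABI[rd]}" if rs2 == 0 else f"c.mv {ABI[rd]},{ABI[rs2]}"
        if rd == 0 and rs2 == 0:
            return "c.ebreak"
        return f"c.jalr {ABI[rd]}" if rs2 == 0 else f"c.add {ABI[rd]},{ABI[rd]},{ABI[rs2]}"
    return f".2byte 0x{hw:04x}"

def decode32(w):
    """Decode a 32-bit RV64I/M word into objdump-style text (offsets, not targets)."""
    opcode, rd, f3 = w & 0x7F, (w >> 7) & 0x1F, (w >> 12) & 7
    rs1, rs2, f7 = (w >> 15) & 0x1F, (w >> 20) & 0x1F, (w >> 25) & 0x7F
    i_imm = sext((w >> 20) & 0xFFF, 12)
    R, R1, R2 = ABI[rd], ABI[rs1], ABI[rs2]
    try:
        if opcode == 0x13:                                  # OP-IMM (I-type)
            if f3 in (1, 5):                                # RV64 shifts: 6-bit shamt
                name = "slli" if f3 == 1 else ("srai" if (w >> 30) & 1 else "srli")
                return f"{name} {R},{R1},{(w >> 20) & 0x3F}"
            if f3 == 0:                                     # addi and its pseudo-op spellings
                if rd == 0 and rs1 == 0 and i_imm == 0:
                    return "nop"
                if rs1 == 0:
                    return f"li {R},{i_imm}"
                if i_imm == 0:
                    return f"mv {R},{R1}"
            return f"{OP_IMM[f3]} {R},{R1},{i_imm}"
        if opcode == 0x1B:                                  # OP-IMM-32
            if f3 == 0:
                return f"addiw {R},{R1},{i_imm}"
            name = "slliw" if f3 == 1 else ("sraiw" if (w >> 30) & 1 else "srliw")
            return f"{name} {R},{R1},{(w >> 20) & 0x1F}"
        if opcode in (0x33, 0x3B):                          # OP / OP-32; funct7=1 selects "M"
            if f7 == 1:
                name = OP_M[f3] if opcode == 0x33 else OP_M32[f3]
            else:
                base, alt = (OP_R if opcode == 0x33 else OP_32)[f3]
                name = alt if (f7 == 0x20 and alt) else base
            return f"{name} {R},{R1},{R2}"
        if opcode == 0x03:
            return f"{LOADS[f3]} {R},{i_imm}({R1})"
        if opcode == 0x23:                                  # S-type: immediate split in two
            return f"{STORES[f3]} {R2},{sext((f7 << 5) | rd, 12)}({R1})"
        if opcode == 0x63:                                  # B-type: scrambled 13-bit offset
            off = sext((((w >> 31) & 1) << 12) | (((w >> 7) & 1) << 11)
                       | (((w >> 25) & 0x3F) << 5) | (((w >> 8) & 0xF) << 1), 13)
            return f"{BRANCHES[f3]} {R1},{R2},{off:+d}"
        if opcode == 0x6F:                                  # J-type: scrambled 21-bit offset
            off = sext((((w >> 31) & 1) << 20) | (((w >> 12) & 0xFF) << 12)
                       | (((w >> 20) & 1) << 11) | (((w >> 21) & 0x3FF) << 1), 21)
            return f"j {off:+d}" if rd == 0 else f"jal {R},{off:+d}"
        if opcode == 0x67 and f3 == 0:
            return "ret" if (rd, rs1, i_imm) == (0, 1, 0) else f"jalr {R},{i_imm}({R1})"
        if opcode == 0x37:
            return f"lui {R},0x{w >> 12:x}"
        if opcode == 0x17:
            return f"auipc {R},0x{w >> 12:x}"
        if opcode == 0x73 and f3 == 0 and i_imm in (0, 1):
            return "ecall" if i_imm == 0 else "ebreak"
        if opcode == 0x0F:
            return "fence"
    except KeyError:                                        # reserved funct3 for this opcode
        pass
    return f".4byte 0x{w:08x}"

def decode_stream(code, base=0):
    """Walk a little-endian byte stream, sizing each instruction from its first
    halfword; returns (address, length, text).  Start one byte off and every
    length decision after it is wrong too: that is a misaligned disassembly."""
    out, off = [], 0
    while off < len(code):
        (hw,) = struct.unpack_from("<H", code, off)
        n = insn_length(hw)
        if off + n > len(code):
            raise ValueError(f"truncated instruction at offset {off}")
        w = hw if n == 2 else struct.unpack_from("<I", code, off)[0]
        out.append((base + off, n, decode16(w) if n == 2 else decode32(w)))
        off += n
    return out

# Constructed sample: a hand-assembled RV64GC prologue/epilogue (not compiler
# output) that mixes 16- and 32-bit encodings the way real code does.
SAMPLE = bytes.fromhex("4111"      # c.addi sp,sp,-16
                       "23341100"  # sd ra,8(sp)
                       "0145"      # c.li a0,0
                       "83308100"  # ld ra,8(sp)
                       "4101"      # c.addi sp,sp,16
                       "8280")     # c.jr ra  (objdump prints this as "ret")

if __name__ == "__main__":
    for addr, n, text in decode_stream(SAMPLE, base=0x10000):
        print(f"{addr:08x}:  {n}-byte  {text}")
```

Running it prints the stream as a mix of 2- and 4-byte instructions. Decode `SAMPLE[1:]` instead and the same bytes turn into a different, meaningless sequence, which is exactly what a listing looks like when a disassembler (or you, in GDB with `x/i`) starts from the wrong address in code that uses the "C" extension.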
COURSE DETAILS
AGENDA
- Introduction
- Registers
- Your first instruction - No-op.
- Instructions learned: NOP, ADDI
- Just returning from a function + learning about the stack.
- Instructions learned: LI, RET, JR, JALR, SD, LD, MV, C.JR, C.SDSP, C.LDSP, C.ADDI4SPN, C.ADDI
- Understanding local variables.
- Instructions learned: SW, LW, SH, LH, LHU, SB, LBU, LB, LUI, AUIPC, ADD, ADDW, ADDIW, SUBW, SEXT.W, C.MV, C.ADDI16SP, C.LD, C.ADD, C.ADDIW
- Calling functions and calling conventions.
- Instructions learned: JAL, CALL, J, SUB, C.SUB
- Boolean operations.
- Instructions learned: AND, OR, XOR, NOT, C.AND, C.OR, C.XOR, XORI, ANDI, ORI, ZEXT.B
- Control flow.
- Instructions learned: BNE, BGE, BGEU, BLT, BLTU, BNEZ, C.BNEZ, BEQZ, BEQ, C.BEQZ, BGTZ, BLTZ
- Bit shifting.
- Instructions learned: SLLI, SRLI, SRAI, SLL, SRL, SRA, SLLW, SRLW, SRAW, SLLIW, SRLIW, SRAIW, LWU, C.SUBW, C.SLLI, C.SRLI, C.SRAI
- "Set-if" instructions.
- Instructions learned: SNEZ, SLTU, SGTZ, SLT, SLTI, SLTIU
- The stragglers that we just need to collect in order to complete our full set of base 32 and 64-bit instructions!
- Instructions learned: FENCE, ECALL, EBREAK
- "M" standard ISA extension - Multiplication, Division, and Remainder.
- Instructions learned: MUL, DIVU, REMU, MULHU, MULW, DIVUW, REMUW, DIV, REM, DIVW, REMW, MULH, MULHSU
- Read The Fun Manual!
- Writing inline assembly for fun and understanding!
- The infamous CMU Binary Bomb - now with 100% more RISC-V!
- Optional instructions for how to do this lab using Ghidra as the debugger!
- Conclusion
KNOWLEDGE PREREQUISITES
This class has minimal prerequisites. It just requires that you are comfortable with reading small (< 20 line) C programs, and have debugged C source code in the past.
SYSTEM REQUIREMENTS
Hardware Requirements
- A PC or an x86 Mac (the class VM is x86-only and won't work on an M1 Mac!) capable of running 1 VM at a time with ideally 4 GB of dedicated RAM.
- Headphones for watching videos, (preferably over-ear so you're not disturbed as the instructor is walking around the class answering individuals' questions).
Software Requirements
- Administrator privileges to install virtualization software on your machine.
- A PC with VMware Workstation or an x86 Mac with VMware Fusion (the free "Player" versions are fine).
- A link to the software setup guide will be sent before class; install the software before class to maximize the time available for interaction with the instructor.
ABOUT THE INSTRUCTOR
Xeno began leading Windows kernel-mode rootkit detection and defense research projects at MITRE in 2009, before moving into research on BIOS security in 2011. His team's first public talks started appearing in 2013, which led to a flurry of presentations on BIOS-level vulnerabilities up through 2014. In 2015 he co-founded LegbaCore. After presenting a firmware worm that could spread between Macs via Apple's EFI-based BIOS and Thunderbolt Ethernet adapters, he ended up working for Apple. There he worked on securing all the lesser-known firmware on Macs and peripherals - everything from third-party GPUs to SecureBoot for monitors! He worked on the x86 side of the T2 SecureBoot architecture, and his final project was leading the M1 SecureBoot architecture - being directly responsible for designing a system that could provide iOS-level security while still allowing customers the choice to trust arbitrary non-Apple code such as Linux bootloaders. He left Apple in Dec 2020 after the M1 Macs shipped, so he could work full time on OpenSecurityTraining2.