Most trainings about Java security focus on the Security API or crypto techniques, and rarely on the attacker's perspective. This training uses both perspectives. First it focuses on the security architect's/analyst's point of view, and shows approaches to identifying holes in the protection infrastructure and closing them. For this purpose we present tools for instrumenting the Java Security Manager (jChains), identify potential security bugs with static and dynamic tools, and dive into the details of working efficiently with decompilers, debuggers and other tools of the trade (like JVisualVM). The second part focuses on the attacker's perspective and helps to validate protection mechanisms. First it provides knowledge about the attack surface of Java-based software and then presents the attacker's mindset for breaking the defender's assumptions. Using runtime code expertise to identify hooks for executing one's own code or remote-controlling existing code is an important skill, demonstrated with analysis of real-life OpenJDK code and malware dissection.
Participants should have previous security audit experience (C, C++, Java). This includes conducting source code analysis, static analysis, overview knowledge of common exploitation techniques, runtime instrumentation, debugging, post-exploitation activities. You will benefit from prior experience programming in the Java programming language. Students are expected to be familiar with the basic principles of Java programming and, with that, the API of the fundamental system libraries. Participants should know how to handle the standard procedures of developing Java programs (be able to start the compiler and runtime tools from the command line). Additionally, they should be comfortable configuring JRE settings and performing low-level code analysis, including reverse engineering.
The material presented throughout this course supports the theoretical fundamentals with practical examples. When working with real-life examples, the ability to think around the corner and even outside the box is helpful. Therefore, the course provides the student with guidance on how to understand the resources of the Metasploit framework and public malware dumps, for a better understanding of Java attacks and defences and for further investigations.
The training is code-focused, which means the ability to understand, edit and modify code is essential. Experience with at least Java is helpful, and exposure to C/C++ definitely helps for the native code topics, such as bug discovery with fuzzing and the secure JNI coding part. Nevertheless, the trainer will help you to stay on track.
For the practical parts a virtual machine environment will be provided.
Students will be provided with a customized work environment utilizing a Virtual Machine image. Students will need to bring their own laptop with:
Marc Schönefeld first came into contact with computers through exposure to a C64. Since then he has been infected by bits and bytes. He studied Business Informatics and joined a banking computer centre in 1997, where he worked as a Software Security Architect. In 2007 he joined the Red Hat Security Response Team. In early 2010 he graduated with a Dr. rer. nat. degree in computer science (comparable to a PhD). He spoke about Java Bytecode Security at Blackhat 2002; since then he has also spoken and given trainings at major conferences such as Blackhat, RSA, CanSecWest, HITB, PacSec, XCon, Confidence and JavaOne. In 2011 he first released a book about JVM security, showing defense and attack techniques on Java software, and then joined the Oracle Java Vulnerability Team.