Application Security: For Hackers and Developers
Jared DeMott, Crucial Security / Harris Corporation
USA 2011 Weekend Training Session //July 30-31
There are four technical skills required by security researchers, software quality assurance engineers, or developers concerned about security: Source code auditing, fuzzing, reverse engineering, and exploitation. All these skills and more are covered. C/C++ code has been plagued by security errors resulting from memory corruption for a long time. Problematic code is discussed and searched for in lectures and labs. Web auditing is covered using WebGoat. Fuzzing is a topic book author DeMott knows about well. Mutation file fuzzing and framework definition construction (Sulley and Peach) are just some of the lecture and lab topics. When it comes to reversing C/C++ (Java and others are briefly discussed) IDA pro is the tool of choice. Deep usage of this tool is covered in lecture and lab. Exploitation discussions and labs are the exciting final component. You'll enjoy exploiting BSD local programs to Vista browsers using the latest techniques.
Students focus on learning to reverse compiled software written in C and C++, though half- compiled code is mentioned as well. The IDA pro tool is taught and used throughout. Calling conventions, C to assembly, indentifying and creating structures, RTTI reconstruction are covered. Students will also use IDA's more advanced features such as flirt/flare, scripting, and plug-in creation.
Source Code Auditing
Understanding how and when to audit source code is key for both developers and hackers. Students learn to zero in on the important components of each language. Automated tools are mentioned, but auditing source manually is the focus, since verifying results is a required skill even when using the most advanced tools. Spotting and fixing bugs is the focus.
Fuzzing is a runtime method for weeding out bugs in software, with a growing footprint within security companies and research communities. Techniques such as dumb file fuzzing, all the way up to intelligent network protocol fuzzing will be covered. Students will write and use various fuzzers to find bugs.
Students will walk out of this class knowing how to find and exploit bugs in software. This is useful to both developers and hackers. The exploit component will teach each common bug type including: stack overflows, function pointer overwrites, heap overflows, off-by-ones, FSEs, return to libc, integer errors, uninitialized variable attacks, heap spraying, and more. Shellcode creation/pitfalls and other tips and tricks will all be rolled into the exciting, final component.
- College Degree in a computer related disciple or equivalent work experience
- Programming (C/C++/.asm) and security experience will help, but you will still get a lot out of the course if you lack that, so no fears. All questions are good questions in my classes. We have a fun but instructive and intense learning experience. You won't walk away disappointed.
- If desired read "Introduction to Application Security" : http://www.vdalabs.com/tools/AppSec_Whitepaper.html
By the end of this course, you will be able to: research and develop an exploit from scratch by auditing code or fuzzing an application, reverse engineering the issue, and developing an exploit for the vulnerability you discovered. This knowledge will help developers produce better code, and will help security researchers or malware analysts in their daily tasks.
What to bring:
- Nearly all the work will be done in XP (you provide) and the BSD image (I provide)
- - Vista is not required but is referenced for the final exercise if you have it
- - If you have Vista/7, you'll be ok for most of the exercises but will have additional pains
- Cygwin (include: vim, make, gcc, perl, python, netcat, ruby, man pages, ndisasm, and whatever else you like)
- VMware workstation/player for Windows or Fusion for the Mac
- Visual Studio (Express is fine if don't have full)
- WinDbg and Immunity Debugger
- Used only for Day 1 homework - FireFox (optional plug-ins: Tamper Headers, Firebug, and Live headers)
What you will get:
The following will be provided on Course DVD, and will be installed in class:
- IDA pro 5.x (I have the 5.5 demo for install on DVD, can also get from hex-rays.com)3
- Python (From Sulley installer. pydbg works with 2.4 by default in this installer)
- Keep at least 1.5GB free HD space to install the course materials and FreeBSD VM
The course material will be provided to you at class check on day 1, normally as a DVD or thumb drive that you keep along with any printed material. As soon as you receive the course material extract4 and test the BSD image. There is a BSD survival guide in the AppSec_A-Z\Exploitation folder with the user and password (and more). All the material you need to do the BSD labs in already in the image so you shouldn't need to transfer any information to the image.
The course material is in 4 directories: SrcAudit, Fuzzing, Reversing, and Exploitation. In each directory you'll find a wealth of knowledge from documents, tools, labs, and lectures. There's so much we won't go over it all, but leave further study as bonus material5 to the student. Harris marked material cannot be directly reproduced or used for profit, but can be shared to internal co-workers within the organization that sponsored your seat in the course, if credit is noted.
There is a feedback from in the base directory that should be filled out on the final day if the conference does not provide a custom form for feedback. Any other comments can be sent directly to the instructor at firstname.lastname@example.org.
- Grey Hat Hacking: The Ethical Hacker's Handbook, 2nd Edition. Harris, Harper, Eagle, and Ness
- Fuzzing for Software Security and Quality Assurance, by Takanen, DeMott, Miller
- The Art of Software Security Assessment, by Mark Dowd, John McDonald, and Justin Schuh
- The IDA Pro Book, by Chris Eagle
Jared DeMott is a Principal Security Researcher for the Crucial Security business area at Harris Corporation and PhD candidate at Michigan State University. Crucial provides state-of-the-art technical engineering and security services to the most elite branches of the Federal Government's law enforcement and intelligence communities, engineering solutions to meet their demanding requirements. Mr. DeMott previously worked for the NSA and currently teaches computer security at university and professionally. He has spoken at security conferences such as Black Hat, Defcon, ToorCon, and Shakacon. This background provides an ideal blend of skills for teaching cutting edge security material, in a fun and instructive manner.
Ends April 30
Ends Jun 15
Ends Jul 29