Section 1: Laying the Ground Work (with an eye to exploitation)
Slide Deck: "Intro"
Instructor Bios, Course Outline/Schedule, Course Goals
Slide Deck: "Introduction to the ARM Architecture"
Architecture Summary/Layout, Instructions/Registers, Instructions Modes, nuances
Lab: "Basics 1":"GDB"
Use GDB to debug/modify a faulty ARM app, rudimentary code injection.
Lab: "Basics 1B": "IDA"
Use IDA Pro to get familiar with ARM-isms: calling convention, IDA's ARM quirks.
Slide Deck: "Tools and the Lab Environment"
Intro to the QEMU ARM setup, intro to the exercises, intro to custom tools to assist with labs.)
Lab: "Basics 3": "IDA and GDB tag-team"
Use IDA and GDB in tandem to comprehend application flow subvert the app.
Lab: "Basics 4"
Trace through ARM app (dealing with ARM-isms: calling conventions, parameters) to reverse engineer and subvert a blackbox password app with embedded crypto.
Slide Deck: Shellcoding, ELFs, Dynamic Linking
Review of dynamic linking in ELFs. Intro to authoring ARM shellcode.
Lab: "Basics 5": "Shellcoding"
Participants will write their own ARM shellcode FROM SCRATCH and observe it exploit a native ARM process.
Slide Deck: "Stack Overflows"
Basics of Stack Overflows (NOP sleds, bouncepoints, etc). Intro to defensive countermeasures: stack cookies, and subverting with "ROP-lite" return-to-libc. Finding bouncepoints on ARM. Nuances of stack overflows on ARM. The rediculousness of NOP sleds...
Lab: "Simple Stack Overflow"
Find and exploit a stack overflow bug in a vulnerable app. Students modify a "test harness" that both triggers the vulnerabilty and injects the payload. Modification of the harness with apppropriate addresses demonstrates comprehension.
Section 2: Basic to Intermediate Techniques
Slide Deck: "Stack Overflows and Ret2Libc"
Introduce Non executable stack (XN)" and how to subvert it with Return-to-Text or commonly inaccurately referred to as (Return-to-LibC" or as we call it: "ROP Lite". Students get stepped through a vulnerability to see how this works step-by-step. (We come back to the nuances of ROP gadget finding later in the course)
Lab: "Simple Stack Overflow: XN Stack"
Using a "test harness" containing gadgets we give to the student (expecting them to just accept them for now until we come back to go into ROP-gadget finding in more detail later) to find and exploit a XN stack app by returning to mprotect()
Slide Deck: "Advanced Stack Overflows"
Introduction to XN, ASLR, and Stack cookies on on ARM. Discuss and see examples of ways to subvert stack cookies. (overwriting __stack_chk_guard, info disclosure bug, partial/full pointer overwrites, exception-handler overwrites)
Lab: "Advanced Stack XN"
Students exploit network based service that uses XN and Stack Cookies using partial pointer overwrites and ROP-Lite techniques
Slide Deck: "ROP"
Discuss reason for ROP (Code signing, ASLR, cookies). techniques/tools for manually finding gadgets manually on ARM. A walkthrough of useful gadgets found on our target. Structure of Gadgets"Chaining versus non-Chaining gadgets". Some ROP tricks/nuances on ARM.
Lab: "Custom ROP simplified"
Students find and exploit a vulnerable application by building a custom payload by stringing together a bunch of ROP gadgets (found for them by the instructors on the target).
Day 3 & 4: Intermediate to Advanced Techniques
Slide Deck: "Basic Heaps"
Intro to Heap Overflows on ARM: How stuff goes wrong, grooming/feng-shui-ing, etc. examining a toy heap implementation, TCMalloc's thread-cache freelist, and ways we can exploit all of these.
Lab: "Simple Heap Unlink"
Student will exploit a contrived network server, associating "protocol" events with heap events. Students will groom the target and exploit it with provided payload.
Slide Deck: "Application Level Heap Attacks"
Introduce application level exploitation: Techniques for investigating these kinds of vulnerabilities. Exploiting VTable overwrites, partial/full pointer overwrites.
Slide Deck: "Stack Flipping"
Combining concepts introduced earlier (XN, ROP, and heap overflows) students will be introduced and shown how to evade XN by "flipping" the call stack into forged stack frames on the heap. Students will also be introduced to techniques and "gotchas" around finding "pivots" and nuances about ARM that make this more interesting.
Lab: "MultiHeap XN"
Students will use a heapspray or similar technique to overwrite a C++ object to create a fake vtable entry that redirects the stack pointer into the heap...executing their ROP payload to get a shell.
Slide Deck: "Defeating ASLR"
Students will be introduced to ASLR and how it is implemented as well as many of the nuances of how to defeat ASLR (infoleaks, developer debug code, RPC/RMI leaks, predictable ASLR PRNG, uninitialized mem, JIT, etc).
Slide Deck: "Conclusions - Closing"
More detail is available at: http://www.armexploitation.com/
"Makers," Tinkerers, Developers, IT Professionals, Mobile Developers, Hackers, Penetration Testers, Forensic Investigators, reverse engineers, software security auditors/analysts, software exploitation engineers, jail breakers, and anyone interested.