TRAINING: Basics of Binary Exploitation

Please note that this is an optional training, and not part of the regular conference agenda!

Overview Binary exploitation is the topic concerning the finding and exploitation of vulnerabilities in low-level code, particularly machine level code. It is usually considered one of the more complex areas of IT security and some of the exploits produced sometimes chain together dozens of moving parts in mind-boggling ways to cause programs to behave in a completely unintended manner. The field is the basis of high-severity exploits such as OS privilege escalation, jailbreaks and browser exploits. Learning goals and expected outcomes This one-day training aims to give the participant a deeper understanding of how programs execute and interact with the rest of the system, an understanding of the basic building blocks, terminology and anatomy of binary exploitation as well as hands on experience creating some basics exploits of their own. It will also cover various protection mechanisms, how they work and how to deal with them. After completing the training the student will have a solid foundation from which they can continue exploring the field of binary exploitation and allowing them to start learning advanced topics such as kernel exploitation, different architectures and exploiting real-world software such as browsers and phones. Course contents The course will cover the following topics will be covered in the course. Topics marked with "*" will be covered as part of the introduction/background without accompanying exercises. Topics marked with “**” are advanced topics covered as part of an introduction into how to proceed after the training. Stack based attacks Buffer overflow ROP Stack shifting Format string attacks Heap based attacks Buffer overflow Use-after-free Type confusion General concepts Memory layout* x86 basics* Writing exploits Function pointers (vtables) Automation** (fuzzing, smt) Exploit primitives Arbitrary read (absolute, relative) Arbitrary write (absolutely, relative) Protections Stack canaries NX/DEP ASLR + PIE CFG** PAC** Tools used We will be using mostly free and open source tools throughout the training. Programs will be debugged with gdb with the pwndbg addon. The exercises can be solved with a programming language of your choice but examples will be presented in Python with the pwntools framework. The only commercial tool we will use is Binary Ninja which is a reverse engineering platform. A personal non-commercial license for Binary Ninja is included in the price of the training which you get to keep and can, if desired be upgraded to a commercial license. All tools and exercises will be available as a pre-packaged VM/container. Instructions on how to obtain and get it set up on your computer will be provided to all participants ahead of the training. Prerequisites The student is expected to have basic understanding of computers, programs and operating systems. Some basic programming skills are also required, particularly some basic Python knowledge is very helpful. Finally it is expected that the student can read simple C code and understand very basic concepts of assembler. Appendix A contains some topics and snippets of code that are expected to be understood by the student.

Presented at Security Fest 2019.

Speaker: Calle Svensson

Please note that this is an optional training, and not part of the regular conference agenda!

About Calle Svensson

Calle Svensson

Carl Svensson is a security professional and hobbyist currently working as the head of security at Swedish healthcare startup, Kry. He holds a master’s degree in computer science from the Royal Institute of Technology (KTH) following a life-long interest for computers and IT. He has been working as a security consultant since graduating two years ago. He’s a frequent CTF player, both solo and as a member of HackingForSoju, one of the top ranked CTF teams in the world. This puts him against a wide range of challenges and have helped rapidly expand his knowledge despite only a few years in the security field.

Get all relevant information and news regarding Security Fest, when we release recordings of talks, etc.