Please note: the training ticket does not include access to the conference. Similarly, the conference ticket does not grant access to the trainings. If you have any questions, reach out to us.
Note: If desired, this class can also be taken online. The dates and times are the same as for the physical classes (24-26 October 9:00 am to 5:00 pm CEST), and the registration fee will also stay the same as for in-person attendance. Please note that by default, we expect in-person students: please inform us by 7 October what your preference is (online/physical).
Training type:
Online or in-person
Abstract:
Dual-purpose class: This class teaches developers how to avoid writing implementation flaws, or detect ones that are already in their code...but it also teaches vulnerability-hunters how to find the flaws as well! So it's an epic battle between contentious developers and devious vulnerability hunters! Who will win?! Whoever most takes the lessons of this class to heart!
Over three-dozen CVE writeups!
Training Objectives:
- Learn to recognize the common programming errors that lead to (linear) stack/heap buffer overflows, (non-linear) out-of-bound writes, integer overflows/underflows, and signedness issues (e.g. bypassing sanity checks due to signed comparisons, or integer truncation/extension errors.)
- Learn what options developers have in terms of prevention, detection, and mitigation for each vulnerability type.
- Showing examples of exploitation of a subset of the example vulnerabilities, that might otherwise seem unexploitable.
- A *non-goal* is to teach the student how to exploit the vulnerabilities themselves. That will be covered in a future class. (Therefore this class's applicability stops at "secure development" or "vulnerability auditor", and doesn't extend to "exploitation engineer".)
One-of-a-kind Class Format!
This class is run a little different from most classes. We provide you purpose-built recorded lectures instead of trapping you in realtime with live-lectures. The instructor is then specifically in attendance to answer your questions as soon as you have them! The less other students ask questions, the more this class ends up looking like a 1:1 tutoring session for you!
One of many benefits is that you can watch lectures at 2x speed and zoom ahead of the other students and get to the hands on labs quicker. Or if there's bits of material you already know, you can just skip them and move on to the bits you don't know! Another big benefit is that you get to take the full lectures and labs with you! That means if you forget stuff and then need it in 6 months, you can quickly re-bootstrap yourself! Or you can watch the class twice, to really grow those neural connections and cement it in your brain! And unlike live lectures, our lectures are always getting more factually accurate, by having any accidental errors edited out.
Because we give you all the lecture and lab materials and videos before and after class, what you're really paying for is support from the instructor before, during,βand after class! So you'll be entitled to start the class up to a week early and be able to ask up to 20 questions before or after class with quick turnaround. This lets you keep working through the material even if you run out of time at the in-person training.
If you'd instead like to take a custom learning-path class that picks and chooses material from any of the classes that list Xeno as the instructor, you can sign up for the All You Can Learn Buffet class instead.
Training Detailed Agenda:
- Introduction
- Attacker motivations & capabilities
- Stack Buffer Overflows
- Introduction
(Key: π = 0day in the wild, π§βπ« = includes exploit explanation) - Choose-your-own-adventure. Select the examples you're most interested in from:
CVE-2021-21574π§βπ« "BIOS Disconnect",
CVE-2022-0435,
CVE-2020-10005,
CVE-2018-9312,
CVE-2018-9318,
CVE-2021-20294,
CVE-2021-43579,
CVE-N/A-BB#1 - Prevention
- Writing good sanity checks, by example
- Safer C runtime API options
- FORTIFY_SOURCE
- Piecemeal type-safe language usage
- Detection
- FORTIFY_SOURCE
- Manual code auditing guidance
- Commercial static analysis tools
- Fuzzing
- Address Sanitizer
- Mitigation
- Stack Canaries
- Address Space Layout Randomization (ASLR)
- Non-Executable Memory
- Control Flow Integrity (CFI)
- Introduction
- Heap Buffer Overflows
- Introduction
- Choose-your-own-adventure. Select the examples you're most interested in from:
CVE-2020-0917π§βπ«,
CVE-2020-27009 (Part of NAME:WRECK),
CVE-2020-25111 (Part of Amnesia:33),
CVE-2021-21555,
CVE-2019-7287,
CVE-2020-11901 (Part of Ripple20),
CVE-2021-42739,
CVE-2022-25636 - Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
- Non-linear Out-of-bounds Writes (OOB-W)
- Introduction
- Choose-your-own-adventure. Select the examples you're most interested in from:
CVE-2019-10540π§βπ«,β
CVE-2020-0938π,
CVE-2020-1020π,
CVE-2020-13995,
CVE-2020-27930π,
CVE-2021-26675 "T-BONE",
CVE-2021-28216 - Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
- Integer Overflows/Underflows
- Introduction
- Choose-your-own-adventure. Select the examples you're most interested in from:
CVE-2020-0796π§βπ« "SMBGhost",β
CVE-2019-5105,
CVE-2019-3568π,
CVE-2019-14192,
CVE-2020-11901 (Part of Ripple20),
CVE-2020-16225,
CVE-2021-30860,
CVE-2020-17443,
CVE-2021-22636 - Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
- Signedness Issues
- Introduction
- Choose-your-own-adventure. Select the examples you're most interested in from:
CVE-2019-15948π§βπ«,
CVE-2019-14196,
CVE-2019-20561,
CVE-2020-15999π,
CVE-2020-17087π,
CVE-2021-33909 "Sequoia" - Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
- Conclusion
Who Should Attend? | Target Audience:
- Software developers who program primarily in C/C++ (or their managers), who want to learn what kind of vulnerabilities are common throughout such code, and what prevention/detection/mitigation strategies can be employed to secure the code base
- Aspiring vulnerability hunters, code auditors, bug bounty hunters who are at the beginning of their journey into learning how to recognize these vulnerabilities in source code
- People who gain satisfaction from understanding how systems really work at a very deep level.
- People who don't have a lot of free time outside of work, and who thus want to use this time to hunker down and jam through all this material with full instructor support.
What to Bring? | Software and Hardware Requirements:
- Headphones for watching videos, (preferably over-ear so you're not disturbed as the instructor is walking around the class answering individuals' questions).
- Any computer capable of watching online videos.
What to Bring? | Prerequisite Knowledge and Skills:
This class has minimal prerequisites. It just requires that you are comfortable with reading small (< 100 line) C programs.
Resources Provided at the Training | Deliverables:
- Access to all Creative-Commons-licensed slides & Mozilla-licensed lab code
- Access to all Creative-Commons-licensed lecture & lab videos!!!
ABOUT THE TRAINERS
Xeno began leading Windows kernel-mode rootkit detection and defense research projects at MITRE in 2009, before moving into research on BIOS security in 2011. His team's first public talks started appearing in 2013, which led to a flurry of presentations on BIOS-level vulnerabilities up through 2014. In 2015 he co-founded LegbaCore. And after presenting a firmware worm that could spread between Macs via Apple's EFI-based BIOS and Thunderbolt Ethernet adapters, he ended up working for Apple. There he worked on securing all the lesser-known firmwares on Macs and peripherals - everything from 3rd party GPUs to SecureBoot for monitors! He worked on the x86-side of the T2 SecureBoot architecture, and his final project was leading the M1 SecureBoot architecture - being directly responsible for designing a system that could provide iOS-level security, while still allowing customer choice to trust arbitrary non-Apple code such as Linux bootloaders. He left Apple in Dec 2020 after the M1 Macs shipped, so he could work full time on OpenSecurityTraining2.
