Fish Wang & Yan Shoshitaishvili Customizable Static Vulnerability Discovery Using angr’s Lesser Known Capabilities $1,800 ($1,600 early)

Trainer Bio's:

Fish: Fish Wang is an Assistant Professor at Arizona State University. He is extremely interested in demystifying all sorts of binary code, and his main research interests are software vulnerability discovery, automated exploit generation, and binary decompilation. Fish is a co-founder and a core maintainer of angr.

Yan: Yan Shoshitaishvili is an Associate Professor at Arizona State University, where he pursues parallel passions of cybersecurity research, real-world impact, and education. His research focuses on automated program analysis and vulnerability detection techniques. Aside from publishing dozens of research papers in top academic venues, Yan led Shellphish’s participation in the DARPA Cyber Grand Challenge, achieving the creation of a fully autonomous hacking system that won third place in the competition.

Underpinning much of his research is angr, the open-source program analysis framework created by Yan and his collaborators. This framework has powered hundreds of research papers, helped find thousands of security bugs, and continues to be used in research labs and companies around the world.

When he is not doing research, Yan participates in the enthusiast and educational cybersecurity communities. He is a Captain Emeritus of Shellphish, one of the oldest ethical hacking groups in the world, and a founder of the Order of the Overflow, with whom he ran DEF CON CTF, the “world championship” of cybersecurity competitions, from 2018 through 2021. Now, he helps demystify the hacking scene as a co-host of the CTF RadiOOO podcast and forge connections between the government and the hacking community through his participation on CISA’s Technical Advisory Council. In order to inspire students to pursue cybersecurity (and, ultimately, compete at DEF CON!), Yan created pwn.college, an open practice-makes-perfect learning platform that is revolutionizing cybersecurity education for aspiring hackers around the world.

Matt: Matt is passionate about building intuitive systems to solve real problems. He is an Arizona State University alum, with a history in low-level system software/firmware development, program analysis, full-system emulation, graphics, audio, networking, and beyond. Matt contributes both professionally and as a personal interest to multiple open source projects, and is driven to deliver solutions to advance the state of the art in program analysis.

Audrey: Audrey is a PhD student at Arizona State university. She loves reverse engineering, fruit, Celeste (2018), Python, Rust, and symbolic execution.

Full description of the training:

One of the most badass skills a hacker can possess is the ability to find and exploit vulnerabilities in binary software. This is enabled by a long history of complex tools: OllyDBG, SoftICE, IDA Pro, Binary Ninja, Ghidra, and now: angr. Built using cutting-edge techniques straight out of research labs around the world, angr enables analysts to swiftly carry out advanced reasoning over software to understand complex code and find the juicy hidden vulnerabilities within.

While angr is arguably one of the most user-friendly binary analysis frameworks available on the market, it is never an easy task to use it to its full potential, especially when facing less-common architectures (such as PowerPC), niche operating environments (bare-metal binaries or embedded architectures), or unique tasks (e.g., binary code optimization, exploit generation, efficient vulnerability discovery, etc.). To assist users, especially medium-level and professional reverse engineers to effectively and efficiently use angr in their daily work, we designed this four-day course focusing on the use of non-trivial capabilities that angr offers, especially the advanced static analysis capabilities that angr recently developed.

This course will focus on Linux userspace binaries (x86-64 and ARM) and binaries in firmware images (ARM and MIPS). After completing this course, students will master practical angr skills that will help them reverse engineer userspace binary programs, assess them for defects and vulnerabilities, and verifying many of these vulnerabilities. Specifically, this course will cover the following topics: Customizing angr’s control-flow recovery, performing intra- and inter-function reaching definition analysis, building customized data-flow analysis on custom analysis domains, and using building blocks that angr provides to build static data-flow analyses for scalable vulnerability discovery.

This course is extremely practical and hands-on: Core angr developers will guide students to solve over twenty specially crafted problems (many of which are based on real-world firmware services) with angr. We provide all problems in a specially designed course platform used by online education courses such as Pwn College, which provides a full development and analysis environment through a web browser and remotely-accessible virtual machines hosting practice problems that students can tackle without having to configure anything locally. Our course platform allows students to share screens and lecturers to remotely assist, which makes this course suitable for both in-person and virtual attendees.


Short description of what the student will know how to do, after completing the class:

- Build angr analyses to semi-automatically find common types of vulnerabilities (memory corruption, format string, command injection, etc.) in binaries (of multiple architectures) with the help of angr.
- Implement extensions and integrated analyses on top of angr's different capabilities.

Outline of the class:

* Each item marked with “with challenges” will be accompanied with at least one challenge problem. Reference solutions and one-on-one guidance will be offered when students are working on challenges.
* We will also provide optional challenge problems for students to work on (once they finish the required ones).
* Lectures vs challenges: Each advanced topic involves one or two lectures and a series of challenges that follow. Each lecture will take 20 to 40 minutes, and then we will ask all participants to work on challenges that we give them. When participants are working on challenges, all speakers will provide individual guidance (this is a major limiting factor for the scale of this training – there are only four of us).

Day 1/AM: Introduction
- Brief introduction to angr
  - Command line interface
  - Scripting
  - Using angr management (the GUI)
  - Scripting through the GUI (with challenges)
- Conducting basic static analyses
  - CFG recovery (with challenges)
  - Customizing the CFG (with challenges)
  - Reaching definition analysis (RDA) (with challenges)
  - Decompilation (with challenges)

Day 1/PM: Semi-automated bug hunting using data-flow analysis
- Brief introduction to data-flow analysis
- Spotting vulnerability sources and sinks (with challenges)
- Data-flow analysis and emulation
  - Data-flow equations
  - Analysis domains
  - Fixed points
  - Undecidability
- Using intra-function RDA to track data flows (with challenges)
- Using inter-function RDA to track data flows (with challenges)

Day 2/AM: Semi-automated bug hunting using data-flow analysis
- Finding taint-style vulnerabilities using vulnerability sources, sinks, CFG slicing, and inter-function RDA (with multiple challenges)

Day 2/PM: Hands-on Experience: 0-Day vulnerability discovery on real-world binaries
- We will provide a few binaries built from open-source projects, as well as a few binaries in IoT devices. Students will use scripts they built to find vulnerabilities and hopefully, 0-days.
- We will provide one-on-one guidance when students are building their final vulnerability discovery script, and have short discussion sessions.

Technical difficulty of the class (Beginner, Intermediate, Advanced):

Beginner/Intermediate

Suggested prerequisites for the class:

We would recommend a knowledge of x86 assembly and basic reverse engineering skills. We would also recommend students to familiarize themselves with Python 3 programming. Finally, we would recommend students to obtain some basic understanding of angr from reading online materials or working on angr-CTF on GitHub.

Note that this is not an entry-level binary reverse engineering course. We do not recommend this course to students who have never attempted binary reverse engineering in the past.

Items students will need to provide:

Just a laptop with a web browser. We will provide the rest.

 

DATE: August 12th-13th, 2024

TIME: 8am to 5pm PDT

VENUE: Sahara Las Vegas

TRAINER: Fish Wang & Yan Shoshitaishvili

- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included

Registration terms and conditions:

Trainings are refundable before July 1st, the processing fee is $250.

Trainings are non-refundable after July 10th, 2024.

Training tickets may be transferred. Please email us for specifics.

Failure to attend the Training without prior written notification, will be considered a No-Show. No refund will be given.

By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.