
Intro to Modern Binary Exploitation

Event ended

This four-day training will teach students without prior experience how to develop exploits for modern binary software, taking them from 1990s-style stack buffer overflows through contemporary exploitation of programs protected by NX, ASLR, and stack canaries. We focus on exploiting Linux user-mode x86/x64 binaries, but the lessons learned from the class are widely applicable to other platforms and architectures. The course is taught by an RPISEC alumnus who co-authored the initial development and teaching of the Modern Binary Exploitation course (https://github.com/rpisec/mbe), but the material for this course is all new.

Instruction will focus on teaching students how to reason about the fundamental structures that give rise to software vulnerabilities, underlie various exploitation techniques, and drive mitigation development. Students will leave with hands-on experience writing real exploits, and the theoretical knowledge necessary to approach exploiting novel 0-day vulnerabilities and bypassing anti-exploitation mitigations.

Teaching

Course instruction will be conducted primarily through hands-on-keyboard exercises rather than lecturing. The course will use challenges which give students real-time feedback. The entire class will regularly sync up as a group to discuss concepts, problems, and solutions.

Learning Objectives

  • Students will learn about vulnerabilities in C code and how to take these vulnerabilities from crash to arbitrary code execution

  • Students will gain experience writing software exploits, from 1990s stack buffer overflows to contemporary use-after-frees

  • Students will develop and deploy shellcode/ROP payloads for their exploits

  • Perhaps most importantly, students will come away from the class with a firm grasp of the fundamental principles that underlie software vulnerabilities and anti-exploitation mitigations. Students will have the skills to reason about how they might go about exploiting new 0-day vulnerabilities, creating effective mitigations against exploitation, and evaluating and bypassing novel mitigations.

Prerequisites

This training is designed to teach exploitation to individuals with little to no prior background in the field, but students are expected to have a solid grasp of programming in C or C++ and basic knowledge of the Linux command line. Prior experience with reverse-engineering x86/x64 assembly and debugging with GDB is nice to have, but definitely not required.

Logistics

Schedule

Course Length: 4 Days
Class Hours: Tuesday - Friday, 8:30am - 6:00pm

Course Location
30 JFK St, Unit Basement, Cambridge, MA 02138

Class Size
18 Students

Facility
Many other course providers, such as those found at security conferences, require students to bring their own equipment and licensed software. Hardware incompatibilities, software incompatibilities, open-source substitutes, and configuration issues can all burn valuable instruction time.

At BCI, we provide each student with all the necessary equipment for the course in a dedicated 1200 square foot classroom with plenty of room for each student. No preparation or equipment is necessary. All you have to do is show up and learn!

In our classroom, each student is provided:

- 28" 4k monitor
- Desktop computer with a 7th-generation Intel processor
- 16GB RAM
- Ergonomic keyboards and mice
- Windows 10
- Linux (Ubuntu 18.04)
- VMware Workstation
- Licensed copy of IDA Pro


Topics

Class outline

Day 1: Fundamentals

  • Program structure
  • Disassembly and Debugging with IDA Pro and GDB
  • x86 refresher
  • Basic bug classes
  • Hijacking control flow
  • Stack overflows
  • The Linux syscall interface

Day 2: Classic Exploitation and Shellcoding

  • Stack cookies
  • Corrupting application data
  • Shellcoding
  • Corrupting function pointers
  • Arithmetic and integer errors
  • DEP
  • Ret2libc
  • Intro to ROP

Day 3: Modern Mitigations and Techniques

  • ASLR
  • Heap overflows
  • UAF
  • Heap grooming
  • C++ bug classes and exploitation

Day 4: Putting It All Together

  • Combining primitives
  • Reasoning about mitigations and bypasses
  • Exploitation on other platforms and architectures
  • Continuity of execution
  • Weird machines
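The thread that runs through Days 1, 2 and 4 above (a linear stack overflow reaching the return address, a stack cookie catching it, and the reasoning about why a leaked cookie defeats the check) can be shown in a few dozen lines of C. The block below is an added editor's illustration, not course material from BCI or code from the MBE repository. It models a single x86-64 frame as a struct so the overwrite is deterministic and stays inside one object; the layout, the cookie value and the return addresses are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of an x86-64 frame for a function with a 16-byte local buffer.
 * A compiler picks the real layout; this struct fixes it explicitly so the
 * overflow is deterministic. Layout and constants are illustrative. */
struct frame {
    char     buf[16];    /* local char buf[16], lowest address in the frame */
    uint64_t canary;     /* stack cookie slot, checked only when enabled   */
    uint64_t saved_rbp;  /* caller's frame pointer                         */
    uint64_t ret_addr;   /* address the function's ret instruction uses    */
};

#define LEGIT_RET 0x401136ULL            /* constructed return address      */
#define CANARY    0x2b1b57e1a9c40d00ULL  /* constructed cookie, low byte 0  */
#define TARGET    0xdeadbeefULL          /* where the attacker wants to go  */

/* 1990s pattern: input length is never compared with sizeof buf, so the copy
 * starts at buf and runs on into whatever follows it. Copying through
 * (char *)f keeps the model inside the struct; a real strcpy keeps going. */
static void vulnerable_copy(struct frame *f, const char *input, size_t len) {
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((char *)f, input, len);
}

/* Bounded replacement: refuse anything that does not fit with its NUL. */
static int safe_copy(struct frame *f, const char *input, size_t len) {
    if (len >= sizeof f->buf)
        return -1;
    memcpy(f->buf, input, len);
    f->buf[len] = '\0';
    return 0;
}

static struct frame fresh_frame(void) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY;
    f.saved_rbp = 0x7ffd00000000ULL;
    f.ret_addr = LEGIT_RET;
    return f;
}

/* Payload: fill buf, write `cookie` over the canary slot, clobber saved_rbp,
 * then put `target` over ret_addr. memcpy copies in host byte order, which is
 * little-endian on x86-64, so the bytes land the way the CPU reads them. */
static size_t build_payload(char *out, uint64_t cookie, uint64_t target) {
    memset(out, 'A', 16);
    memcpy(out + 16, &cookie, 8);
    memset(out + 24, 'B', 8);
    memcpy(out + 32, &target, 8);
    return 40;
}

/* No mitigation: ret jumps wherever the copy left ret_addr. */
static uint64_t demo_unprotected(void) {
    char p[40];
    struct frame f = fresh_frame();
    vulnerable_copy(&f, p, build_payload(p, 0x4242424242424242ULL, TARGET));
    return f.ret_addr;
}

/* Stack cookie (-fstack-protector): the epilogue compares the slot with the
 * expected value before ret. Returns 1 and the return target when the check
 * passes, 0 where glibc would abort with "*** stack smashing detected ***".
 * A linear overflow must cross the cookie to reach ret_addr, so it only
 * survives when the attacker already knows the cookie value. */
static int demo_with_canary(uint64_t cookie_in_payload, uint64_t *ret_out) {
    char p[40];
    struct frame f = fresh_frame();
    vulnerable_copy(&f, p, build_payload(p, cookie_in_payload, TARGET));
    if (f.canary != CANARY)
        return 0;
    *ret_out = f.ret_addr;
    return 1;
}

/* The fix: the same 40-byte payload is rejected before any copy happens. */
static int demo_safe_copy(void) {
    char p[40];
    struct frame f = fresh_frame();
    return safe_copy(&f, p, build_payload(p, 0, TARGET));
}

int main(void) {
    uint64_t ret = 0;
    printf("unprotected: ret -> %#llx\n", (unsigned long long)demo_unprotected());
    printf("canary, guessed cookie: %s\n",
           demo_with_canary(0x4242424242424242ULL, &ret) ? "passes" : "aborts");
    printf("canary, leaked cookie: %s, ret -> %#llx\n",
           demo_with_canary(CANARY, &ret) ? "passes" : "aborts",
           (unsigned long long)ret);
    printf("safe_copy of the payload: %d\n", demo_safe_copy());
    return 0;
}
```

The two canary runs are the point of the model: the cookie stops a blind linear overwrite, but any information leak that discloses it (a format string, an uninitialised read, a partial overwrite of a length field) turns it back into the unprotected case, which is why the class pairs mitigations with the reasoning for bypassing them rather than treating them as a checklist.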

Teaching Methodology

The most important quality that distinguishes BCI from our competitors is our emphasis on teaching. Our approach is heavily influenced by the unparalleled teaching effectiveness of Capture-the-Flag (CTF) exercises. We also use the following principles in our teaching:

1. Environment: Lighting, music, structured breaks. Our experience shows that the environment can improve focus, learning outcomes, attitude, and stamina.

2. Team-based: Our classes are structured to prepare students for what they're going to experience outside of the classroom. Students will work individually, in pairs, and in teams.

3. Hands-on Exercises: 95% of the learning that occurs in our classroom will be due to students applying their skills to do something, not just memorize knowledge to know something.

4. Impossible to cheat: Any solution that meets the requirements is valid. It is our job as the course designers to create real barriers to shortcuts and not just ask students to imagine them. Because the problems are real, the only way to succeed is by finding real solutions.

5. Composability: Students compose the solutions for exercises into larger capabilities for use in later exercises.

6. Immediate Feedback: Every effort is given to design automated validation mechanisms which allow students to know immediately whether they have completed their goal. Examples of this are CTF flags and the passwords in crackmes.

7. Objective Solutions, Subjective Approaches: No one will ever wonder if they have the correct answer, it will be self-evident and objective. How the solution was discovered or implemented is left as a creative exercise. We fully expect students to create solutions we never considered and will encourage them to do so.

8. Variable Pacing: Students move at different paces. We make every effort for students to always have the ability to tackle the next exercise, without having to wait for the rest of the class. Simultaneously, those who need additional time with exercises are given the attention they need to be successful.

9. Peer-teaching: Select student submissions are uploaded to a common repository available to the rest of the class. This allows students to see the myriad of ways other students approach problems.

10. Instructor Feedback/Solutions: Every problem will have a provided solution and for the most important problems, instructors will review student solutions with each student.

11. Narrative: Just as in real development, students will never have to ask "Why am I doing this?" Exercises will be motivated by real-world scenarios, be referentially consistent, and build toward larger goals.

12. Realism: Our curriculum is influenced by current events and relevant case-studies from years past. The emphasis is always on realism either through representative examples or, when appropriate, exact copies of malware.

13. Minimal Lecture: As instructors, our goal is to never be the bottleneck for students’ growth. Whenever we address the class as a whole, it is because they are facing problems as a group and would find it useful to hear us speak.

14. Calibrated Difficulty: Exercises are designed and sequenced to challenge students appropriately without overwhelming them. There are times we use frustration as a teaching tool, but always do so deliberately.

15. Case Studies: Implant/malware development has been around for decades now. We draw from this rich history and use case-studies to illustrate what has succeeded or failed, and why. We use publicly available information about the end-to-end operations and use it to contextualize the technical lessons in the classroom.

Instructors

Jeremy Blackthorne is co-founder and lead instructor of the Boston Cybernetics Institute (BCI). He is a former researcher at MIT Lincoln Laboratory in the Cyber System Assessments group. There his research focused on building and breaking cybersecurity solutions for the military. He also created and delivered training in reverse-engineering and exploitation to technical specialists and management personnel from the Air Force, Navy, and Special Operations communities. He is the co-creator and instructor of the MIT IAP 2016 Software Reverse-Engineering course [1]. He is also the co-creator and instructor of the Rensselaer Polytechnic Institute (RPI) courses: Modern Binary Exploitation, Spring 2015 [2] and Malware Analysis, Spring 2013 [3]. Blackthorne was an active member of the student security club and CTF team, RPISEC, from 2012 to 2015, where he taught seminars on reverse-engineering, exploitation, and various other cybersecurity topics. He served in the U.S. Marine Corps from 2002 to 2006 and completed three tours in Iraq. He has a BS in computer science from the University of Michigan-Dearborn and an MS in computer science from RPI. He is currently a PhD candidate in computer science at RPI focusing on anti-analysis techniques in computer programs.

Evan Jensen is co-founder and CTO of BCI, where he splits his time between performing assessments and creating solutions for clients, and teaching. He is an experienced instructor in reverse-engineering and exploitation. Evan has taught reverse-engineering at BU, RPI, NYU, MIT, the United States Military Academy at West Point, and MIT Lincoln Laboratory. Before founding BCI, Evan worked for MIT Lincoln Laboratory's Cyber System Assessments Group and Facebook's red team. He was an instructor for NYU's weekly Hack Night from 2011 to 2014, covering reverse-engineering, exploitation, and various other cybersecurity topics [4]. He developed nearly all of the lessons for Trail of Bits' CTF Field Guide, covering vulnerability discovery, exploitation, forensics, and operational tradecraft [5]. Jensen was heavily involved in teaching cybersecurity in the NYU Polytechnic community. He was co-instructor with Dan Guido for the course Penetration Testing and Vulnerability Analysis during Fall 2012 and Fall 2013 [6], and was a teaching assistant for Neil Daswani for the course Application Security during Spring 2013 [7]. Passionate about enabling others to learn via the medium of repeated failure, he was CTF captain of Brooklynt_Overflow from 2012 to 2014 and founding member/captain of Lab RATs from 2014 to 2016, which placed 10th in the DEF CON CTF finals in 2017. He has a BS in computer science from NYU Tandon School of Engineering.

References

[1] J. Blackthorne, P. Hulin, and T. Leek, "January 2016 MIT IAP Courses," 2016. [Online]. Available: https://beaverworks.ll.mit.edu/CMS/bw/iap. [Accessed: 04-Mar-2018].
[2] P. Biernat et al., "Modern Binary Exploitation - CSCI 4968," 2015. [Online]. Available: https://github.com/RPISEC/MBE. [Accessed: 02-Apr-2018].
[3] J. Blackthorne and B. Yener, "CSCI 4972/6963 Malware Analysis," 2013. [Online]. Available: http://security.cs.rpi.edu/courses/malware-spring2013/. [Accessed: 04-Mar-2018].
[4] "NYU Tandon's OSIRIS Lab's Hack Night." [Online]. Available: https://github.com/isislab/Hack-Night. [Accessed: 02-Apr-2018].
[5] A. Ruef et al., "CTF Field Guide." [Online]. Available: https://trailofbits.github.io/ctf/. [Accessed: 04-Mar-2018].
[6] E. Jensen and D. Guido, "CS 6573 Penetration Testing and Vulnerability Analysis." [Online]. Available: http://bulletin.engineering.nyu.edu/preview_course_nopop.php?catoid=5&coid=14223. [Accessed: 04-Mar-2018].
[7] N. Daswani, "CS-GY 9163 Application Security," 2014. [Online]. Available: http://bulletin.engineering.nyu.edu/preview_course_nopop.php?catoid=9&coid=23997. [Accessed: 04-Mar-2018].

Last update: 16/11/2019