Pwnd: Applied application security & exploitation
Duration: 3 days

Back to course list Home
Synopsis This course examines application security from a deeply technical perspective. Taking specific vulnerabilities as case studies, we examine both vulnerabilities and their exploits in detail. Special focus is given to code injection attacks. Starting with the basics and some "classic" attacks, we progress over three days to discussing the latest attacks used on the world's leading operating systems and applications.
Target Audience Security researchers, reverse engineers and vulnerability hunters
Prerequisites
  • Solid understanding of C programming required. Familiarity with (any) assembly is recommended, but not required.
Objectives
  • Understand the main vulnerability classes
  • Explain vulnerabilities and methods of exploitation
  • Better detect vulnerabilities by white box (code review) and black box (fuzzing) analysis techniques
  • Obtain terminology fluency and ability to read detailed exploit writeups, the likes of Google Project Zero, or others
Exercises This course is an a 70%/30% mix of theory and practice. Using virtual machines and custom code samples, we simulate real life scenarios of attacking vulnerable applications. Guided exercises demonstrate the myriad tools and techniques employed by hackers. A theory only course can be completed in two (tightly packed) days. Hands on require an additional day.
Modules
1. Introduction & overview
3 hours
Before we get to the actual attacks, we lay down the foundations by describing the methodology and modus operandi. We define the terminology and nomenclature of application security
  • Attack Classes and Severities
    • Scoring Metrics
      • Strategies: Code Review
        • Strategies: Input channel and attack surface determination
          • Fuzzing
            • Reverse engineering patches to find n-day vulnerabilities
              • Resources
                2. Stack-Based Buffer Overflows
                4 hours
                Since their documentation in Phrack #49, stack based buffer overflows have been found and exploited across myriad applications and operating systems. Although fairly easy to detect and thereby far less common, they are yet to be considered obsolete. Stack based buffer overflows are also fairly simple to exploit, and thus make for a soft introduction into aspects of exploitation.
                • Process memory layout - The stack
                  • The basic overflow condition
                    • Shellcode and various generators
                      • "Classic" exploitation
                        • Mitigations (e.g. stack canaries, ASLR, non-executable stack)
                          • Detection
                            • Case Studies: P49-15, custom examples
                              Day 2
                              3. Heap-Based and other overflows
                              3 hours
                              Heap based buffer overflows are not only more prevalent than their stack based counterparts, they are also significantly harder to detect.
                              • Process memory layout - The heap
                                • The basic overflow condition
                                  • Heap allocation strategies (DLMalloc, JEMalloc, etc)
                                    • "Classic" exploitation
                                      • Integer overflows and underflows
                                        • Mitigations (e.g. ASLR, NX, etc)
                                          • Detection
                                            • Case Studies: Adobe PDF overflows (CVE-2019-16451), WhatsApp RTP overflows and/or WebKit browser exploit
                                              4. Counter-Countermeasures
                                              2 hours
                                              By now, we've explored both the common exploitation methods, as well as discussed some countermeasures. If those were fully effective, however, application security would not be such a huge problem. Hackers find clever ways around these countermeasures, which we discuss here:
                                              • ASLR: Memory disclosure
                                                • ASLR: Heap spraying
                                                  • NX: Return-Oriented Programming (ROP)
                                                    • NX: Jump-Oriented Programming (JOP)
                                                      5. Kernel memory corruptions
                                                      3 hours
                                                      The operating system kernel is far more privileged than any user-mode application or process, and is thus a lucrative target for exploitation. Unlike user-mode, however, the attack surface poses more constraints.
                                                      • Kernel attack surface: system calls and traps
                                                        • Kernel "heap" allocations - XNU (MacOS/iOS) zones, Linux slabs and Windows Pools
                                                          • Spraying kernel memory
                                                            Day 3
                                                            6. Use-After-Free (UAF)
                                                            4 hours
                                                            Dynamically allocated memory not only harbors risks of corruption, but of memory management bugs. Just as it is allocated, it must also be carefully tracked and freed when no longer needed. There are times, however, when incorrect reuse of memory can lead to severe vulnerabilities - Exploitation of which is highly idiosyncratic.
                                                            • (Incorrect) Reference Counting
                                                              • The basic condition
                                                                • Exploitation strategies
                                                                  • Detection heuristics
                                                                    • Case Studies: iOS 11.1.2 "async_wake" iOS 12.1 "voucher_swap" exploits, Android Binder (CVE-2019-2215)
                                                                      7. Design flaws, and other miscellaneous bugs
                                                                      3 hours
                                                                      Although bugs detailed so far are the most prevalent and widely exploited, there are cases where more subtle bugs - often due to design flaws or other naive considerations - have far reaching consequences:
                                                                      • Time-of-check-Time-of-use
                                                                        • Shared memory shenanigans
                                                                          • Case Studies: Linux DirtyCOW, (MacOS/iOS) XPC Triple Fetch

                                                                            Frequently Asked Questions