HACKER DOUBLE SUMMER 2022 GUIDES — Part Seven: Back2Vegas by RingZero

Welcome to the DCG 201 guide to Hacker Double Summer! This is part of a series where we are going to cover all the various hacker conventions and shenanigans at the start of July to the end of August both In Person & Digital! 2022 is a GIGANTIC year for hacker hysteria with so many events this will break the most guides we have ever written with the lucky number 13 as the goal. As more blog posts are uploaded, you will be able to jump through the guide via these links:

HACKER DOUBLE SUMMER — Part One: Surviving Las Vegas, New York & Virtually Anywhere

HACKER DOUBLE SUMMER — Part Two: Capture The Flags & MLH INIT Hackathon

HACKER DOUBLE SUMMER — Part Three: SummerC0n

HACKER DOUBLE SUMMER — Part Four: ToorCamp

HACKER DOUBLE SUMMER — Part Five: A New HOPE (HACKERS ON PLANET EARTH)

HACKER DOUBLE SUMMER — Part Six: SCaLE 19X

HACKER DOUBLE SUMMER — Part Seven: Back2Vegas by RingZero

HACKER DOUBLE SUMMER — Part Eight: BSides Las Vegas

HACKER DOUBLE SUMMER — Part Nine: Black Hat USA

HACKER DOUBLE SUMMER — Part Ten: The Diana Initiative

HACKER DOUBLE SUMMER — Part Eleven: USENIX + SOUPS

HACKER DOUBLE SUMMER — Part Twelve: DEFCON 30

HACKER DOUBLE SUMMER — Part Thirteen: Wiki World’s Fair

HACKER DOUBLE SUMMER — Part Fourteen: Blue Team Con

HACKER DOUBLE SUMMER — Part Fifteen: SIGS, EVENTS & PARTIES IN LAS VEGAS

Back2Vegas by RingZero

Date & Time:

In-Person: Saturday, August 6th — Tuesday, August 9th

Virtual: Monday: August 15th — Saturday, August 20th

Location: Park MGM Las Vegas (3770 S Las Vegas Blvd, Las Vegas, NV 89109, United States)

Website: https://ringzer0.training/

Tickets: https://ringzer0.training/#buy-tickets

Virtual Platform(s): NA

Schedule: https://ringzer0.training/index.html#instructors

Live Streams:

YouTube: NA

Virtual Chat: NA

Affordability: ringzer0 does their Virtual and In-Person ticket sales in tiers depending on how close to the confrence the ticket date is purchased. As of July 19th there is a two day training of $2,700 for 2-Day and $4,600 for 4-Day. This will increase to $2,900 to $4,700 respectively. Virtual is now fixed at $2,300 to $4,200 respectively. There will also be a number of FREE Trainings provided Virtually.

Code Of Conduct: https://www.socallinuxexpo.org/scale/19x/schedule

After two years of virtual mode, Ringzer0 returns BACK2VEGAS! Meet your instructors FACE2FACE in one of our in-person trainings, or opt to stay behind the screen by signing up for one of our virtual trainings.

Ringzer0 provides advanced, hands-on training designed for cybersecurity professionals. Our instructors are top industry experts who offer technical deep dives into a range of core issues, including vulnerability research, exploitation, malware analysis, red teaming and practical attacks.

Each class is laser-focused on a specific topic, to pack in as much learning, hands-on experience and instructor face time as possible. Ringzer0 gets students past the learning curve in just four days of in-person hands-on training, from August 6th till August 9th. Or opt for one of our virtual trainings: 16 or 32 hour advanced course, running from August 15th till August 20th. The virtual trainings work with a live instructor-led and self-paced learning format to fit individual schedules and avoid screen fatigue and “Zoom burnout”.

GROUP AND COMBO REGISTRATIONS DEALS

Organisations registering two or more participants for any of BACK2VEGAS trainings OR students taking back to back combos shall avail a discount of USD 200 PER TRAINING.

The registration system shall automatically apply the discounts when a group or a combo registration is made.

U.S. GOVERNMENT REGISTRATIONS

Please email us at info@ringzero.training and request our CAGE code.

PRICE QUOTES AND BANK TRANSFERS

Please email us at info@ringzero.training requesting price quote and bank transfer information.

CANCELLATION POLICY:

BACK2VEGAS: 60+ days before the event 75% of fees refunded; 45–60 days before event 50% refunded, less than 45 days 0% refunded. Course changes are allowed up to 14 days before event start (some restrictions will apply). Attendee changes can be accommodated up to 14 days prior to the event.

Note: In the event of a class cancellation Ringzer0 will endeavor to offer transfer to another training at no additional charge.

COVID-19 PROTOCOLS

Effective Feb. 10, 2022, the State of Nevada has lifted mask mandates, including in resorts and casinos, restaurants, bars, showrooms and meeting spaces. Masks are still recommended for individuals who are not fully vaccinated, those with underlying health conditions and in healthcare facilities.

Masks are still required on all public transportation and transportation hubs per CDC guidance.

Please check the Visit Las Vegas official website for updates on Nevada State and county requirement changes.

BACK2VEGAS VENUE

RingZer0 Training - Main

Park MGM, Las Vegas

Discounted Rooms starting at

$49/night*

The discounted rates apply all the way through DEFCON weekend!

DCG 201 Back2Vegas by ringzer0 COURSE HIGHLIGHTS

These are some of the multi-day course training that stood out to us. Space is limited and this is not the full list so RSVP ASAP and look at the full list of training on their website: https://ringzer0.training/index.html#about

FREE VIRTUAL TRAININGS

Security Automation For Electron Apps

Introduction to V8 JavaScript Engine Grammar-based Fuzzing

Hands-on binary deobfuscation — From symbolic execution to program synthesis

Initiation to Car Hacking: Discovering the CAN bus

Bypassing security perimeters via vulnerable devices

SCAPY, from S to Y!

A journey into malicious code tradecraft for Windows

Hands-on Reversing with Ghidra

WORKSHOP // Hands-on Reversing with Ghidra // Jeremy Blackthorne

Debugging with EMUX

IN-PERSON WORKSHOPS — AUGUST 6th-9th

The ARM IoT Exploit Laboratory

4-Day Training

The world of ARM IoT devices is growing rapidly. Routers, IP cameras, Network video recorders, VoIP systems and several other “smart” appliances are now running on ARM SoCs. While the hardware is the latest and greatest, the software running on it is a different story.

The ARM IoT Exploit Laboratory is a brand new class. This class takes a closer look at the hardware and the firmware running on it. Students shall learn how to analyse, emulate and exploit the firmware on a variety of ARM IoT devices. The class starts with extracting the firmware directly from the devices, moves on to creating an emulated test environment for fuzzing and debugging, and writing end to end exploits for the devices. The class shall feature an array of hardware targets of varying complexity. Students shall have ample time for hands on exercises to sharpen their exploitation skills.

• A quick introduction to ARM architecture and assembly.
• An introduction to ARM IoT devices.
• Under the hood — circuit boards, pins, interfaces and flash chips.
• Firmware Extraction via UART.
• Firmware Extraction directly from flash memory.
• Introducing the EMUX Firmware Emulation Framework.
• How to emulate an IoT device in EMUX.
• Exploiting vulnerabilities in the IoT device.
• Bypassing exploit mitigation technologies — DEP and ASLR.
• Practical ARM ROP chains.
• Customised ARM shellcode.
• Overcoming limitations — payload size, bad characters, encodings.
• A deeper look into firmware emulation — emulating nvram, patching factory defaults.
• Working around missing emulated hardware — tracing binaries, patching libraries.
• Exercises, exercises and more exercises
• The Lab environment is a mixture of physical ARM hardware and EMUX Docker images.

Pre-class Tutorials

The following tutorials have been specially prepared to get students up to speed on essential concepts before coming to class.

• Operating Systems — A Primer https://www.slideshare.net/saumilshah/operating-systems-a-primer
• How Functions Work https://www.slideshare.net/saumilshah/how-functions-work-7776073
• Introduction to Debuggers https://www.slideshare.net/saumilshah/introduction-to-debuggers

Hardware Requirements

• A working laptop (no Netbooks, no Tablets, no iPads)
• Intel Core i3 (equivalent or superior) required
• 8GB RAM required, at a minimum
• Wireless network card
• 40 GB free Hard disk space

Software Requirements

• Linux / Windows / Mac OS X desktop operating systems
• Docker installed and working
• Command line git client installed and working
• Administrator / root access MANDATORY

Students will be provided with

Students will be provided with all the lab images used in the class. Students will also be provided with the fully loaded version of EMUX which is not available publicly.

The ARM IoT Exploit Laboratory uses a “Live Notes” system that provides a running transcript of the instructor’s system to all the students. Our lab environment, plus about 800MB of curated reading material, will be made available to all attendees to take with them and continue learning after the training ends.

Saumil Shah

SAUMIL SHAH IS THE FOUNDER AND CEO OF NET-SQUARE, PROVIDING CUTTING EDGE INFORMATION SECURITY SERVICES TO CLIENTS AROUND THE GLOBE. SAUMIL IS AN INTERNATIONALLY RECOGNISED SPEAKER AND INSTRUCTOR, HAVING REGULARLY PRESENTED AT CONFERENCES LIKE BLACKHAT, RSA, CANSECWEST, PACSEC, EUSECWEST, HACK.LU, HACK-IN-THE-BOX AND OTHERS. HE HAS AUTHORED TWO BOOKS TITLED “WEB HACKING: ATTACKS AND DEFENSE” AND “THE ANTI-VIRUS BOOK”.

SAUMIL GRADUATED WITH AN M.S. IN COMPUTER SCIENCE FROM PURDUE UNIVERSITY, USA AND A B.E. IN COMPUTER ENGINEERING FROM GUJARAT UNIVERSITY. HE SPENDS HIS LEISURE TIME BREAKING SOFTWARE, FLYING KITES, TRAVELING AROUND THE WORLD AND TAKING PICTURES.

Machine Learning for Program Analysis

4-Day Training

Abstract

This course features a practical hands-on approach to automated program analysis using machine learning. Given the increasing pervasiveness of IoT devices and malware, there is a great need to perform automated reverse engineering at scale, especially since reverse engineering software and firmware can often be a manual, labor-intensive, and time-intensive process. This class is perfectly suited for students who are new to machine learning and want to leverage it to automate their program analysis and reverse engineering efforts.

This class kicks off with performing advanced program analysis to automatically identify shared code relationships between applications using different binary features, compute code sharing similarity over a data set to determine binary groupings, and then determine a new binary’s similarity to previously seen samples based on code sharing patterns. We will also cover intermediate representations of binaries and how they can be used for advanced program analysis.

Next, we will introduce machine learning concepts and their applications to automated reverse engineering. We will first use unsupervised machine learning algorithms to find data patterns and features which can be useful for categorization. Then we will develop supervised machine learning models to classify binaries and make certain predictions about them. Lastly, we will apply deep learning to automate program analysis by building and evaluating neural networks. Throughout the class, labs will be conducted in a virtual environment. Students will leave the course with the necessary hands-on experience, knowledge, and confidence to conduct automated program analysis at scale using machine learning.

• Performing Shared Code Analysis
• Leveraging intermediate representations for advanced program analysis
• Introduction to Machine Learning
• Exploring Unsupervised ML algorithms
• Developing Supervised ML models
• Building Neural Networks
• Evaluating and measuring the effectiveness of ML systems

Pre-requisites

• Knowledge of Python 3 programming
• Knowledge of computer architecture concepts
• Knowledge of an assembly language (e.g., x86/x64, ARM, etc.)
• Familiarity with navigating Linux environments and command line knowledge

Hardware Requirements

• A working laptop or desktop (no Netbooks, no Tablets, no iPads)
• Intel Core i3 (equivalent or superior) required
• 8GB RAM required, at a minimum
• 10 GB free hard disk space, at a minimum

Software Requirements

The following software needs to be installed on each student laptop prior to the workshop:

• Linux / Windows / Mac OS X desktop operating systems
• VMware Workstation or Fusion. The free 30-day trial is sufficient and can be downloaded here: https://www.vmware.com/try-vmware.html
• Administrator / root access MANDATORY

Students will be provided with

Students will be provided with access to course slides, sample code, and lab exercises which attendees can keep to continue their learning and practicing after the training ends.

Hahna Kane Latonick

FOR THE PAST 15 YEARS OF HER ENGINEERING CAREER, HAHNA KANE LATONICK HAS WORKED THROUGHOUT THE DEFENSE INDUSTRY SPECIALIZING IN CYBERSECURITY AS A SECURITY RESEARCHER FOR THE DEPARTMENT OF DEFENSE AND OTHER DEFENSE CONTRACTING COMPANIES. SHE HAS BEEN FEATURED AS A CYBERSECURITY SUBJECT MATTER EXPERT ON FOX BUSINESS NEWS, ABC, U.S. NEWS AND WORLD REPORT, AND OTHER NATIONAL MEDIA OUTLETS. SHE HAS LED THREE TECH STARTUPS, SERVING AS CTO OF TWO OF THEM AND DIRECTOR OF R&D. SHE HAS TRAINED AND DEVELOPED SECURITY RESEARCHERS AT ONE OF THE TOP FIVE AEROSPACE AND DEFENSE INDUSTRY COMPANIES. OVER THE YEARS, SHE HAS ALSO TAUGHT AT DIFFERENT CONFERENCES, SUCH AS RINGZER0 AND SECURITY BSIDES ORLANDO. IN 2014, SHE BECAME A DEFCON CTF FINALIST, PLACING IN 6TH AND RANKING IN THE TOP 1.5% OF ETHICAL HACKERS WORLDWIDE. SHE ALSO HOLDS A CISSP AND CEH CERTIFICATION. LATONICK ATTENDED SWARTHMORE COLLEGE AND DREXEL UNIVERSITY WHERE SHE EARNED HER B.S. AND M.S. IN COMPUTER ENGINEERING ALONG WITH A MATHEMATICS MINOR.

TEEPwn: Breaking Trusted Execution Environment

4-Day Training

Abstract

Trusted Execution Environments (TEEs) are notoriously hard to secure due to the interaction between complex hardware and a large trusted code bases (TCBs). The security provided by TEEs has been broken on a wide variety of devices, including mobile phones, smart TVs and even vehicles. Publicly disclosed TEE vulnerabilities were often exploited directly from the less-trusted Rich Execution Environment (REE). Many of these vulnerabilities were specific for TEEs and required novel exploitation techniques.

The TEEPwn experience provides an offensive system-level perspective and dives into the darker corners of TEE Security. It is designed with a system-level approach, where you will experience powerful exploitation of TEE vulnerabilities. The TEEPwn experience is hands-on, gamified and driven by an exciting jeopardy-style Capture the Flag (CTF).

Your journey starts by achieving a comprehensive understanding of TEEs, where you will learn how hardware and software concur to enforce effective security boundaries. You will then use this understanding for identifying interesting vulnerabilities across the entire TEE attack surface. You will then be challenged along the path to exploit them in multiple scenarios.

All vulnerabilities are identified and exploited on our emulated attack platform, implementing a 64- bit TEEs based on ARM TrustZone.

You will take on different roles, as an attacker in control of:

• the REE, attempting to achieve privileged code execution in the TEE.
• the REE, trying to access assess protected by a Trusted Application (TA).
• a TA, aiming to escalate privileges to TEE OS.
• a TA, accessing the protected assets of other TAs.

TEEPwn will guide you into an unexpected range of attack vectors and TEE-specific exploitation techniques, which may be leveraged for novel and creative software exploits, refining your skills to a new level.

• Explore TEE security at the system level
• Gain strong understanding of TrustZone-based TEEs
• Identify vulnerabilities across the entire TEE attack surface
• Experience TEE-specific exploitation techniques

Student Prerequisites

• Experience with C/C++ programming
• Experience with the ARM architecture (AArch64)
• Understanding of typical software vulnerabilities
• Familiarity with reverse engineering and typical exploitation techniques
• Familiarity with modern OS security concepts

System requirements

• Any modern computer system with sufficient memory
• We advise to install and use the Chrome browser
• A stable Internet connection with sufficient bandwidth

Student Deliverables

During the training you will get access to:

• a personal cloud based VM
• the exercise registry
• the exercise instructions
• the CTF server

To continue practicing after the training is completed:

• a personal offline VM
• a temporary token to access the exercise registry
• for downloading all training exercises in the offline VM
• a copy of the exercise instructions

Cristofaro Mune

CRISTOFARO MUNE @PULSOID HAS BEEN IN THE SECURITY FIELD FOR 15+ YEARS. HE HAS 10 YEARS OF EXPERIENCE WITH EVALUATING SW AND HW SECURITY OF SECURE PRODUCTS, AS WELL AS MORE THAN 5 YEARS OF EXPERIENCE IN TESTING AND ASSESSING THE SECURITY OF TEES.

HE IS A SECURITY RESEARCHER AT RAELIZE PROVIDING SUPPORT FOR DEVELOPING, ANALYZING AND TESTING THE SECURITY OF EMBEDDED DEVICES. HE HAS CONTRIBUTED TO DEVELOPMENT OF TEE SECURITY EVALUATION METHODOLOGIES AND HAS BEEN MEMBER OF TEE SECURITY INDUSTRY GROUPS.

HIS RESEARCH ON FAULT INJECTION, TEES, WHITE-BOX CRYPTOGRAPHY, IOT EXPLOITATION AND MOBILE SECURITY HAS BEEN PRESENTED AT RENOWNED INTERNATIONAL CONFERENCES AND IN ACADEMIC PAPERS.

Niek Timmers

NIEK TIMMERS @TIEKNIMMERS IS A SECURITY RESEARCHER AT RAELIZE PROVIDING SUPPORT FOR DEVELOPING, ANALYZING AND TESTING THE SECURITY OF EMBEDDED DEVICES. HE HAS BEEN ANALYZING AND TESTING THE SECURITY OF DEVICES FOR OVER A DECADE. USUALLY HIS INTEREST IS SPARKED BY TECHNOLOGIES WHERE THE HARDWARE IS FUNDAMENTALLY PRESENT. HE SHARED HIS RESEARCH ON TOPICS LIKE SECURE BOOT AND FAULT INJECTION AT VARIOUS CONFERENCES LIKE BLACK HAT, BLUEHAT, HITB, HARDWEAR.IO. AND NULLCON.

Windows Malware Implants: OPSEC, Evasion and Anti-Reversing Techniques

4-Day Training

Class Details

The course will present an in-depth description of the techniques implemented in modern malware to evade defenders and security products (such as AV, IPS, IDS, EDR), and how attackers design and operate their implants in order to ensure a prompt redeployment after a detection or a public disclosure by researchers or security vendors.

The course will also cover real-world scenarios that impair (effectively slow-down or dissuade) reverse engineering efforts and make the job of first responders tougher. The techniques will be demonstrated in two ways: first, by reversing real malware samples, and then by re-implementing an improved version of the malware code. The training is designed from an attacker’s point of view, teaching red-teams how to make their implants stealthier, but it will also teach defenders how to deal with the anti-reversing and the OPSEC techniques demonstrated in class.

The course focuses primarily on Windows malware and on the analysis, tweaking and re-purposing of real malware samples. Participants will be provided with plenty of custom code to facilitate the understanding of complex malware techniques.

As part of the course, theory sessions will be followed by exercises where participants will reverse and re-implement specific parts of real malware in order to fully understand the hidden corners of all the techniques involved. The 50% of the course will be dedicated to hands-on labs that will show how to translate the theory principles into practice.

Labs are designed to provide flexibility in terms of complexity and include bonus tracks to ensure that you always feel engaged and have something interesting to explore and learn.

To develop and test the techniques described during the theory sessions, students will be provided with the source-code of our training agent and its corresponding C2.

• Be able to recognize, implement and deal with stealthy malware/backdoors techniques and tradecrafts.
• Be able to modify malware components and pre/post build tools to protect them against reversing efforts.
• Familiarize with the latest advances in code and DLL injection techniques and customize reflective loader.
• Be able to build custom obfuscators and to recognize some pattern left by some obfuscation transforms.
• Learn tradecrafts used by attackers to prevent and effectively impair defensive incident responders from analyzing their tools, payloads, and backdoors.

Prerequisites

• Programming experience (C, C++, Python, .NET, and PowerShell)
• Be familiar with assembly language and Debuggers (IDA pro, WinDBG)

Hardware/Software requirements

Laptop Requirements:

• Virtualization capable CPU(s)
• Minimum 8GB of RAM (for running one guest VM)
• Minimum 80 GB free disk space

Software Requirements:

• Host OS Windows 10 64-bit
• Debugging Tools for Windows (Ida Pro, WinDBG). Decompiler recommended.
• SysInternals Tools
• Virtualization Software (VMWare, VirtualBox)
• Guest OS Windows 10 64-bit Version 20H2
• System Administrator access required on both host and guest OSs

Silvio La Porta

DR. SILVIO LA PORTA IS A SENIOR CYBER SECURITY ARCHITECT DESIGNING SECURITY PRODUCTS AND RESEARCHING ADVANCED DETECTION TECHNOLOGY FOR COMPLEX MALWARE/APT. SILVIO PREVIOUSLY WAS A LEAD RESEARCH SCIENTIST WITH EMC RESEARCH EUROPE BASED IN THE CENTRE OF EXCELLENCE IN CORK, IRELAND. HIS PRIMARY RESEARCH FOCUS AREAS WERE REAL-TIME NETWORK MONITORING AND DATA ANALYSIS IN SMART GRIDS TO DETECT MALWARE ACTIVITY IN SCADA SYSTEMS AND CORPORATE NETWORKS. HE WAS ALSO LEADING SECURITY SERVICE LEVEL AGREEMENT (SEC-SLA) AND END USER SECURITY/PRIVACY PROTECTED DATA STORE PROJECTS FOR HYBRID CLOUD ENVIRONMENTS. HE IS A FREQUENT SPEAKER IN PROFESSIONAL AND INDUSTRY CONFERENCES. BEFORE JOINING EMC, SILVIO WORKED AS A MALWARE REVERSE ENGINEER IN SYMANTEC’S SECURITY RESPONSE TEAM IN DUBLIN, IRELAND. SILVIO HOLDS A PHD IN COMPUTER NETWORK SECURITY FROM THE UNIVERSITY OF PISA, ITALY.

Antonio Villani

DR. ANTONIO VILLANI SPENT THE PAST YEARS ANALYZING HIGH LEVEL IMPLANTS FOR TOP TIER CUSTOMERS, PROVIDING DETAILED IMPLEMENTATION INFORMATION TO SUPPORT CYBER-DEFENSE AND CYBER THREAT INTELLIGENCE TEAMS. NOW, HE USES HIS EXPERIENCE IN THE REVERSE-ENGINEERING OF MULTI-STAGE IMPLANTS TO IMPROVE DETECTION AND RESPONSE CAPABILITIES OF ENDPOINT SECURITY PRODUCTS. AS A RESEARCHER HE PUBLISHED IN TOP TIER CONFERENCES AND JOURNALS AND HE PARTICIPATED IN EUROPEAN RESEARCH PROJECTS IN THE FIELD OF CYBER RESILIENCE AND DATA SECURITY. DURING ITS PHD HE ALSO WORKED IN THE FIELD OF MALWARE RESEARCH AND DIGITAL FORENSICS.

Quarkslab: Hands On Binary Fuzzing and Reverse Engineering

4-Day Training

Class Details

Fuzzing as a methodology has been an area of interest for generations of security researchers and has proved to be a very effective way to find vulnerabilities. It is today broadly used in various initiatives like OSS-Fuzz or syzbot helping open-source projects detecting bugs early on.

However when it comes to auditing closed-source binaries, things are less straightforward. They are interesting targets widely spread on operating systems, smartphones etc. Hopefully, wisely combining public research projects and homemade tools enable achieving efficient, and close to source-level performances.

We use to say “There’s nothing like a custom fuzzer for a target”. As such, this training aims at providing trainee concepts, methods and building blocks to create proper harness and fuzzers to deal with real-life softwares.

Through the use of LIEF, QBDI, HF/QBDI, Triton and TritonDSE the training aims at explaining how one can achieve efficient fuzzing on closed-source targets.

Fuzzing research covers a wide range of targets including notably kernel or browser fuzzing. Covering these targets would require a whole training for each of them. Thus, this session focuses on standard userland Linux-based binaries.

• Giving trainee the methodology, knowledge and means to achieve efficient fuzzing on real-life software
• Enabling facing challenges that fuzzing raises (exotic targets, no source code, etc.)
• Understanding how to build and using our own tools when necessary

Prerequisites & Requirements & Notes

• Basic reverse-engineering skills (x86_64)
• Basic skills in Python and C/C++
• Laptop with (Virtualbox, vmware) as all materials will be provided on a VM
• 10Gb+ disk space
• the more CPU and RAM the better

Robin David

ROBIN DAVID IS A FRENCH SOFTWARE SECURITY RESEARCHER FOCUSED ON REVERSE ENGINEERING AND SOFTWARE TESTING (FUZZING AND SYMBOLIC EXECUTION). HE ORIGINALLY HOLDS A PHD FROM THE ATOMIC ENERGY COMISSION (CEA) WHERE HE ATTACKED OBFUSCATION USING FORMAL METHODS AND SYMBOLIC EXECUTION. HE IS NOW FULL-TIME SECURITY RESEARCHER AT QUARKSLAB WHERE HE IS LEADING THE AUTOMATED ANALYSIS TEAM AND VARIOUS RESEARCH TOPICS. FROM TIME TO TIME WE PRESENT ITS WORK IN VARIOUS SECURITY CONFERENCES.

VIRTUAL TRAININGS AUGUST 15th — 20th

Windows Low Level Security Fundamentals

2-Day Training

Class Abstract

Understanding the fundamental Windows security mechanisms is essential for any low-level security work in Windows. The course teaches all the fundamental security aspects in Windows, from security descriptors and access tokens, to privileges and integrity levels. The course also touches on other, more recent security foundations including Virtualization Based Security (VBS), Control Flow Guard (CFG), the Windows boot process, and more.

• Understand the main mechanisms and components of the windows OS
• Write user-mode programs leveraging the Windows API
• Use WinDbg and Visual Studio to debug processes and kernel code
• Understand driver development fundamentals
• Write kernel-mode drivers

Pre Requisites:

• Basic acquaintance of Windows concepts and architecture
• Power-user level working with Windows
• Experience writing C code (basic C++ knowledge is recommended but not required)

Hardware setup:

• Windows 10 or 11 ×64 (any SKU)
• Windows 11 SDK (at least the Debugging tools for Windows)
• The Sysinternals suite (from www.sysinternals.com)
• PDF reader
• (Optional) Visual Studio 2019 or 2022 + latest updates (must include the C++ workload)
• (Optional) WinDbg Preview (from the Microsoft Store)

Pavel Yosifovich

PAVEL IS A DEVELOPER, TRAINER, AUTHOR AND SPEAKER. HE HAS WRITTEN SEVERAL BOOKS DEALING WITH THE INNER WORKINGS OF WINDOWS, SUCH AS WINDOWS INTERNALS 7TH EDITION PART 1 (CO-AUTHOR), WINDOWS KERNEL PROGRAMMING, AND WINDOWS 10 SYSTEM PROGRAMMING, PART 1 AND PART 2.

PAVEL IS THE AUTHOR OF MANY OPEN-SOURCE TOOLS THAT SHOW DETAILED INFORMATION ABOUT WINDOWS, WHICH CAN BE FOUND IN HIS GITHUB REPOS. PAVEL ALSO PROVIDES TRAINING FOR DEVELOPERS AND RESEARCHING ON WINDOWS-RELATED TOPICS, AS WELL AS MORE GENERAL SOFTWARE DEVELOPMENT USING C/C++, C# AND RUST.

Practical MacOS Monterey Kernel Exploitation on ARM64

Course Description:

With the release of MacOS Monterey Apple has once again raised the bars in terms of kernel level security. This newly created course will introduce you to state of the art kernel exploitation of these security features on the latest Apple M1 based Macs. We concentrate on MacOS instead of iOS because these devices make teaching and learning about cutting edge kernel exploitation against newest kernel mitigations a lot more accessible than it can be done with off the shelf iOS devices.

This training follows a hands on approach. This means instead of first introducing the trainee to things like the MacOS kernel heap or to list all the different kernel security features we will first get into the exploitation of multiple vulnerabilities and then learn about the required background information when exploitation requires it.

The course will require trainees to have access to a Apple M1 Mac based computer in addition to the computer they use to stream the virtual training material and use as kernel debugging host.

Student Pre-requisites

• Basic understanding of exploitation
• C and Python Programming Knowledge
• Basic Knowledge of ARM64 assembly

Hardware Requirements

• Apple Mac M1 based computer for Hands On Kernel Exploitation
• A second Apple Mac Computer for Streaming the Course and as Host for Kernel Panic Dumps

Software Requirements

• IDA Pro 7.x license (ARM64 support required)
• Ghidra
• Hexrays for ARM64 helpful, but not required
• MacOS, with latest XCode and iOS 14.x SDK (or newer)
• Additional Software will be made available during the training

Stefan Esser
Antid0te UG

STEFAN ESSER IS BEST KNOWN IN THE SECURITY COMMUNITY AS THE PHP SECURITY GUY. SINCE HE BECAME A PHP CORE DEVELOPER IN 2002 HE DEVOTED A LOT OF TIME TO PHP AND PHP APPLICATION VULNERABILITY RESEARCH. HOWEVER IN HIS EARLY DAYS HE RELEASED LOTS OF ADVISORIES ABOUT VULNERABILITIES IN SOFTWARE LIKE CVS, SAMBA, OPENBSD OR INTERNET EXPLORER.

IN 2003 HE WAS THE FIRST TO BOOT LINUX DIRECTLY FROM THE HARD DISK OF AN UNMODIFIED XBOX THROUGH A BUFFER OVERFLOW IN THE XBOX FONT LOADER. IN 2004 HE FOUNDED THE HARDENED-PHP PROJECT TO DEVELOP A MORE SECURE VERSION OF PHP, KNOWN AS HARDENED-PHP, WHICH EVOLVED INTO THE SUHOSIN PHP SECURITY SYSTEM IN 2006. SINCE 2007 HE WORKS AS HEAD OF RESEARCH AND DEVELOPMENT FOR THE GERMAN WEB APPLICATION COMPANY SEKTIONEINS GMBH THAT HE CO-FOUNDED.

IN 2010 HE DID HIS OWN ASLR IMPLEMENTATION FOR APPLE’S IOS AND SHIFTED HIS FOCUS TO THE SECURITY OF THE IOS KERNEL AND IPHONES IN GENERAL. SINCE THEN HE HAS SPOKEN ABOUT THE TOPIC OF IOS SECURITY AT VARIOUS INFORMATION SECURITY CONFERENCES AROUND THE GLOBE. IN 2012 HE CO-AUTHORED THE BOOK THE IOS HACKERS HANDBOOK. IN 2013 HE FOUNDED ANTID0TE UG A COMPANY THAT FOCUSES ON IOS SECURITY RESEARCH AND CONSULTING.

Automated Vulnerability Research with Ghidra

2-Day Training

Automated VR with Ghidra

This course teaches students methods to automate Ghidra in support of large-scale vulnerability analysis and general reverse engineering tasks. Students will develop scripts in Python, Kotlin, and Java to automate the extraction of data (e.g., strings, mnemonic frequency, function signatures, block sizes, cyclomatic complexity) from an arbitrary number of binaries across different architectures. After completing this course, students will have the practical skills to automate and extend Ghidra with scripts and modules.

Prerequisites

Students are expected to have experience with Ghidra and be proficient in navigating and manipulating code in the disassembly and decompiled views.

Software requirements

Students are expected to have their own computers which can run a 30GB virtual machine. A recommended hardware configuration is the following:

• 50 GB of free hard disk space
• 16 GB of RAM
• 4 Processor cores
• VMWare or Virtual Box to import an ova file

Kayla Afanador

KAYLA AFANADOR IS A SENIOR TECHNICAL STAFF MEMBER AND INSTRUCTOR AT THE BOSTON CYBERNETICS INSTITUTE (BCI). PRIOR TO BCI, KAYLA WAS THE CYBER RESEARCH & DEVELOPMENT LEAD FOR THE U.S. NAVAL AIR WARFARE CENTER WEAPONS DIVISION. KAYLA COMPLETED HER PHD IN COMPUTER SCIENCE AT THE NAVAL POSTGRADUATE SCHOOL WITH A FOCUS ON AUTOMATED VULNERABILITY RESEARCH.

Advanced Binary Diffing with Diaphora

2-Day Training

Abstract

Diaphora (διαφορά, in Greek “difference”) is a pure python plugin for IDA Pro to perform program comparison, what is often referred as “Binary Diffing”. Diaphora is open source, regularly maintained and offers more functionality than other similar tools such as Zynamics BinDiff, DarunGrim or TurboDiff.

Binary Diffing is a widely used technique to help in reverse engineering tasks like, patch diffing, importing symbols, library identification, plagiarism detection, etc. All these tasks can be simplified using Diaphora out-of-the-box. There are many cases where the tasks are more complex and require significant effort to apply, or be so tedious that automation becomes a must. There are little to no public resources on automation or scripting of binary diffing or methods to adapt generic techniques to more target specific techniques. And even fewer public resources that discuss deriving your own tools using Diaphora or any other binary diffing tool.

This course will teach you how to script and automate several basic and advanced binary diffing tasks. You will learn how to get the best out of Diaphora’s techniques and heuristics for program diffing, how to script your own export filters, diffing filters, new project specific heuristics, how to automate the diffing of batches of samples, how to import symbols in batch from old to new versions, how to make your own tools based on Diaphora, and more.

This training is supplemented by several hands-on exercises to internalize concepts and techniques taught in class.

System Requirements

• IDA Pro or IDA Home 7.5 or higher with Python 3.X.
• 8GB RAM required, at a minimum
• 40 GB free Hard disk space

Joxean Koret

“BASQUE HACKER INTERESTED IN REVERSE ENGINEERING, SECURITY RESEARCH, SOFTWARE DEVELOPMENT AND NATURE PHOTOGRAPHY.

I ANALYSE, BREAK AND CODE STUFF IN NO SPECIFIC ORDER.”

JOXEAN KORET HAS BEEN WORKING FOR THE PAST 15 YEARS IN MANY DIFFERENT COMPUTING AREAS. HE STARTED AS A DATABASE SOFTWARE DEVELOPER AND DBA FOR A NUMBER OF DIFFERENT RDBMS. EVENTUALLY HE TURNED TOWARDS REVERSE ENGINEERING AND APPLIED THIS DB INSIGHTS TO DISCOVER DOZENS OF VULNERABILITIES IN MAJOR DATABASE PRODUCTS, ESPECIALLY ORACLE. HE ALSO WORKED IN AREAS LIKE MALWARE ANALYSIS, ANTI-MALWARE SOFTWARE DEVELOPMENT AND DEVELOPING IDA PRO AT HEX-RAYS. HE IS CURRENTLY A SENIOR SECURITY ENGINEER.

Cryptography Attacks and Defenses, Reloaded

2-Day Training

Abstract

A freshly redesigned cryptography training covering all the crypto topics that matter in 2022, from cloud infrastructure to mobile and decentralized applications.

Cryptography is an indispensable tool for protecting information in computer systems, but choosing secure protocols and parameters can become quickly overwhelming. To help avoid common traps and failures, this course teaches participants how to reason about the security of crypto constructions, and how to choose secure, efficient, modern crypto components — be it algorithms, protocols, or libraries.

The training starts from the core knowledge and building blocks and gradually moves towards more advanced protocols and techniques used in modern systems, be it cloud infrastructure or decentralized applications. The class is practice-oriented, highly interactive, and includes many examples of real-world failures.

Abstract

A freshly redesigned cryptography training covering all the crypto topics that matter in 2022, from cloud infrastructure to mobile and decentralized applications.

Cryptography is an indispensable tool for protecting information in computer systems, but choosing secure protocols and parameters can become quickly overwhelming. To help avoid common traps and failures, this course teaches participants how to reason about the security of crypto constructions, and how to choose secure, efficient, modern crypto components — be it algorithms, protocols, or libraries.

The training starts from the core knowledge and building blocks and gradually moves towards more advanced protocols and techniques used in modern systems, be it cloud infrastructure or decentralized applications. The class is practice-oriented, highly interactive, and includes many examples of real-world failures.

JP Aumasson

DR. JEAN-PHILIPPE (JP) AUMASSON IS THE CHIEF SECURITY OFFICER AND CO-FOUNDER OF TAURUS, A SWISS FINANCIAL TECH COMPANY SPECIALIZING IN DIGITAL ASSETS INFRASTRUCTURE. SINCE 2006, HE HAS AUTHORED MORE THAN 60 RESEARCH ARTICLES IN THE FIELD OF CRYPTOGRAPHY AND DESIGNED THE WIDELY USED HASH FUNCTIONS BLAKE2 AND SIPHASH.

THE AUTHOR OF THE ACCLAIMED BOOKS SERIOUS CRYPTOGRAPHY (2017) AND CRYPTO DICTIONARY (2020), HE HAS BEEN GIVING CRYPTO TRAINING SINCE 2013, AND TALKED AT LEADING CRYPTO AND SECURITY CONFERENCES.

Philipp Jovanovic

DR. PHILIPP JOVANOVIC IS AN ASSOCIATE PROFESSOR IN INFORMATION SECURITY AT UNIVERSITY COLLEGE LONDON. BEFORE JOINING UCL IN 2020, HE WORKED AS A POSTDOCTORAL RESEARCHER AT THE SWISS FEDERAL INSTITUTE OF TECHNOLOGY LAUSANNE (EPFL), SWITZERLAND. HE OBTAINED HIS PHD FROM THE UNIVERSITY OF PASSAU, GERMANY, IN 2015 AND RECEIVED THE UNIVERSITY’S DISSERTATION AWARD IN MATHEMATICS AND COMPUTER SCIENCE IN 2016. HE HAS BEEN GIVING CRYPTOGRAPHY TRAININGS SINCE 2016 AND IS A SCIENTIFIC ADVISOR AT CLABS, THE ORGANIZATION BUILDING THE CELO BLOCKCHAIN, SINCE 2019. HIS RESEARCH INTERESTS BROADLY INCLUDE CRYPTOGRAPHY, DECENTRALIZED SYSTEMS SECURITY, AND PRIVACY-ENHANCING TECHNOLOGIES. LATELY HE HAS BEEN WORKING ON SCALABILITY AND INTEROPERABILITY ASPECTS OF DISTRIBUTED LEDGER PLATFORMS, PUBLIC RANDOMNESS GENERATION, SECURE MULTI-PARTY COMPUTATION, AND CONSENSUS MECHANISMS.

Low Level Android for Researchers and Red Teamers

2-Day Training

Abstract

This course teaches you the tools and techniques used to work with low-level Android features and native code. It is a practical class aimed at researchers and developers who want to better understand the native Android environment or start developing their own red-teaming tools.

Students will begin by learning the architecture of Android including how APKs and native code interface, moving on to building and debugging standalone native binaries with NDK toolchains. Students will learn how to replicate the system calls of an APK from native code by working directly with Binder, the underlying information broker of Android. Students will gain experience in instrumenting and debugging native binaries with Frida and GDB, and an introduction to working with AOSP to aid research into system components. This course features a deep dive into how security is enforced in Android from sandboxed APKs to protected system services in an SELinux locked environment. The course will be a combination of practical and lecture-based sessions with examples provided throughout.Setting up your Android device and PC for native research

• How Android runs native code and how it fits into the Android architecture
• Using ADB to look under-the-hood and explore Android processes
• How to build, deploy, execute and debug your own native code on Android, both
• launched from within an APK, and
• from a (simulated) exploit.
• How to use the NDK toolchain to target different architectures
• How to communicate between the native and Java environments using JNI
• The differences between developing for emulators and real devices
• Accessing device data from native code
• Android’s security measures and how they limit what you can do
• How to use common Android reverse engineering tools to investigate and instrument native code

Prerequisites

• Some experience in working with Android, development, research or penetration testing.
• Some experience in C/C++ and basic development skills.
• Basic Linux knowledge, able to carry out basic commands.

System Requirements

Course specifics will be distributed 2 weeks prior to the course however, the following will be helpful:

• A Windows or Linux device with root/administrator rights.
• Android Studio and AVD
• Docker

Whilst most of the course will be taught using AVD virtual machines, students are encouraged to bring a physical Android phone to gain experience working with real devices.

Cam Buchanan

CAM IS A DIRECTOR OF FOUNDRY ZERO, A CYBER SECURITY CONSULTANCY AND TRAINING COMPANY.

WITH 10 YEARS OF EXPERIENCE IN CYBER SECURITY, CAM HAS HAD MULTIPLE ROLES FROM PENETRATION TESTER TO SOFTWARE ENGINEER WITH A FOCUS ON RESEARCH. HE HAS PERFORMED LARGE SCALE PENETRATION TESTING EXERCISES AND WRITTEN MULTIPLE BOOKS ABOUT THE SUBJECT.

HAVING WORKED WITH ANDROID ACROSS HIS ENTIRE CAREER WITH A FOCUS ON LOW-LEVEL RESEARCH INTO NATIVE VULNERABILITIES, CAM IS EXPERIENCED IN TAKING APART ANDROID LIBRARIES AND INVESTIGATING DEEP INTO THE ANDROID OS.

Tim P

TIM HAS WORKED IN CYBER SECURITY FOR OVER 18 YEARS, AND IS NOW A DIRECTOR OF FOUNDRY ZERO — A SPECIALISED CONSULTANCY DELIVERING LOW-LEVEL CYBER RESEARCH AND TRAINING.

MOST OF TIM’S CAREER HAS INVOLVED TAKING THINGS APART TO SEE HOW THEY WORK — STARTING AS A SOFTWARE DEVELOPER HE BUILT A LOT OF EXPERIENCE IN LOW-LEVEL AND KERNEL-MODE WINDOWS, THEN MOVED INTO A RESEARCH ROLE WHERE HE’S DONE DETAILED WORK ON IOS, ANDROID, AND A SELECTION OF NICHE OPERATING SYSTEMS.

TIM HAS WRITTEN AND DELIVERED A RANGE OF TRAINING COURSES AND PRESENTATIONS ON TECHNICAL SECURITY MATTERS, AND WOULD ONE DAY LOVE TO GET BACK TO PLAYING CTFS AS WELL AS RUNNING THEM.

CONTINUE TO: HACKER DOUBLE SUMMER — Part Eight: BSides Las Vegas