From bug hunting to exploit development to securing software systems, program analysis is a common thread that ties together multiple fields of software security. This training is targeted at individuals with little or no program analysis experience. Rather than simply teaching how to break things, it focuses on the challenges involved in securing software systems and on developing a systematic approach to ongoing software security problems. The material is broken into 6 modules that cover both defensive and offensive aspects of security.
Exploit Development: First we will become intimately familiar with one particular class of bug, the buffer overflow. We will iteratively develop exploits for a simple Linux program containing a buffer overflow before moving on to an exploit for a Windows web server called MiniShare.
Fundamentals of Program Analysis: Next we will discuss program analysis and how it can be used to detect both bugs and malware. We will also consider some fundamental challenges, and even limits, on what is possible in program analysis. This module discusses the relationships between bugs and malware, as well as strategies for integrating human intelligence into automated program analysis. Later you will be presented with the daunting task of quickly locating malware in a large Android application (several thousand lines of code). Through this activity you will be challenged to develop strategies for auditing something that is too big for one person to fully comprehend. As a class we will collectively develop strategies to audit the application, and we will then use those strategies to build automated techniques for detecting the malware.
Bug Hunting: In this module we will examine strategies for hunting for unknown bugs in software. We will revisit our buffer overflow vulnerabilities and consider what is involved in automatically detecting such a vulnerability across different programs, while keeping the limitations of program analysis in mind. We will develop a tool that automatically locates the line of code that was exploited in the MiniShare web server.
Antivirus Evasion: Since antivirus is used to actively thwart exploitation attempts, we will take a detour to examine techniques for bypassing and evading it. Specifically, we will examine what is necessary to manually modify a four-year-old browser drive-by attack so that it evades detection by modern antivirus products. We will also build a tool to automatically obfuscate and pack our exploit.
Post Exploitation: In this module we will develop a Managed Code Rootkit (MCR) and deploy it on the victim machine using our earlier exploit against MiniShare.
Going Beyond: In this final module, we explore future directions in the field and examine some open problems in the context of what we learned in the previous modules.
By the end of this course, participants should be able to: 1) demonstrate basic bug hunting, exploitation, evasion, and post-exploitation skills, 2) describe the commonalities between vulnerability analysis and malware detection, 3) describe fundamental limits of program analysis, 4) challenge conventional viewpoints on security, 5) confidently approach large third-party software, 6) critically evaluate software security products, and 7) locate additional relevant resources.
Venue: US Cyber Challenge Summer Bootcamps (USCC 2017), Illinois, Delaware, and Utah, July 2017.
Authors: Benjamin Holland