Application Security: for Hackers and Developers, is designed for practitioners to learn about the tools and techniques used to prevent and find bugs in real world software. This class is great for anyone in software, testing, management, hacking/vulnerability research, and so much more.
Topics At a Glance
- Security Strategy
- SDL, design review, security culture, etc.
- Code Auditing
- Static and Dynamic analysis
- Manual analysis and peer review
- Automated bug discovery
- AFL, Peach, etc
- Reverse Engineering
- Protecting IP
- Finding bugs in managed (C#, etc) and unnmanaged (C/C++, etc.) code
- Software Exploitation
- Command Injection, SQLi, and Memory corruption (Buffer overflows, Function pointer overwrites, ROP,) etc.
We begin the class with a brief secure-by-design and strategy session. Next, understanding how and when to audit code is key for both developers and hackers. Students learn to zero in on the important components. Automated tools are employed, but auditing source manually is the key, since verifying results is a required skill even when using automated tools. Spotting and fixing bugs is the focus.
Dynamic investigation of web, mobile, and APIs requires skills with tools like burp. While hunters for bugs in core code (C/C++), often use fuzzing: a runtime method for weeding out or finding exploitable bugs. Both techniques are used by a growing number of product and security organizations.
Another technique hackers use to uncover bugs is reverse software. Managed (.net) and unmanaged code (C and C++) are covered. The IDA pro tool is taught and used throughout. Other tools like Binary Ninja are shown as well. Calling conventions, Assembly-to-C, identifying and creating structures, RTTI reconstruction, etc. are covered. Students will see IDA’s more advanced features such as flirt/flare, scripting, and plug-ins.
Finally, students will walk out of this class knowing how to exploit discovered bugs. This is useful to both developers and hackers. The attack portion will teach students how to exploit common bugs such as: command injection, SQLi, IDOR, stack buffer overflows, function pointer overwrite, heap overflow, off-by-one, integer error, uninitialized variable, use-after-free, double fetch, and more. For the exploits, return overwrites, heap spraying, ROP, and gadget discovery are presented. Shellcode creation/pitfalls and other tips and tricks will all be rolled into the exciting, final component.