TECH TRAINING 5: Application Security for Hackers & Developers

Citing the MH17 tragedy, Dr. Jared DeMott has chosen to cancel this scheduled training course. Students who have signed up and paid are eligible for a full refund.

DURATION: 2 DAYS

CAPACITY: 20 pax

PRICE: USD1499 / MYR4999 (early bird)

PRICE: USD1899 / MYR6199 (normal)

Early bird registration rate ends on the 1st of August


After attending AppSec, students often say stuff like: 

“I haven’t had my butt kicked like that since grad school. It was great!” – Dr. Josh Pauli, Dakota State University 

“You’ll learn a ton. It helps to be ready with C and Assembly, but if you’re not Jared will teach you what you need.” – Anonymous 

“I’m not sure you could improve this two day seminar. The amount of material was more than we could cover at times, but I would rather be exposed and then go off on my own than to omit some of the material.” – Dr. George Hamer

“There was so much information that it was like drinking water through a fire hose… impossible to catch it all, but well presented.” – Shane Shellenbarger, Recent College Grad (and now, years later, experienced Security Researcher)

 

Overview

There are four technical skills required by security researchers, software quality assurance and test engineers, or developers concerned about security: source code auditing, fuzzing, reverse engineering, and exploitation. Each of these domains is covered in detail. C/C++ code has long been plagued by security errors resulting from memory corruption. Problematic code is discussed and searched for in lectures and labs. Fuzzing is a topic that DeMott, a book author on the subject, knows well. Mutation file fuzzing and framework definition construction (Sulley and Peach) are just some of the lecture and lab topics. When it comes to reversing C/C++ (Java and others are briefly discussed), IDA Pro is the tool of choice. Deep usage of this tool is covered in lecture and lab. Exploitation discussions and labs are the exciting final component. You’ll enjoy exploitation basics, and will also use the latest techniques.

Source Code Auditing

Understanding how and when to audit source code is key for both developers and hackers. Students learn to zero in on the important components. Automated tools are mentioned, but auditing source manually is the focus, since verifying results is a required skill even when using automated tools. Spotting and fixing bugs is the focus.

Fuzzing

Fuzzing is a runtime method for weeding out bugs in software. It is used by a growing number of product and security organizations. Techniques such as dumb file fuzzing, all the way up to distributed fuzzing, will be covered. Students will write and use various fuzzers.

Reverse Engineering

Students focus on learning to reverse compiled software written in C and C++, though half-compiled code is mentioned as well. The IDA Pro tool is taught and used throughout. Calling conventions, C to assembly, identifying and creating structures, and RTTI reconstruction are covered. Students will also use IDA’s more advanced features such as FLIRT/FLAIR, scripting, and plug-ins.

Exploitation

Students will walk out of this class knowing how to find and exploit bugs in software. This is useful to both developers and hackers. The exploit component will teach common bug types and techniques such as stack overflows, function pointer overwrites, heap overflows, off-by-ones, FSEs, return to libc, integer errors, uninitialized variable attacks, heap spraying, and ROP. Shellcode creation/pitfalls and other tips and tricks will all be rolled into the exciting, final component.

No hard prerequisites, but helpful if:

  • College degree in a computer-related discipline or equivalent work experience
  • If desired, feel free to read “Introduction to Application Security”: http://www.vdalabs.com/tools/AppSec_Whitepaper.html
  • Programming (C/C++/.asm) and security experience will help, but you will still get a lot out of the course if you lack that, so no fears. All questions are good questions in my classes. We have a fun but instructive and intense learning experience. You won’t walk away disappointed.

GOAL:

“By the end of this course you will be able to: research and repair software bugs by auditing code, fuzzing an application, reverse engineering the issue, and even developing an exploit for the vulnerability you discovered. This knowledge will help developers produce better code, and is essential for security engineers, researchers, and malware analysts in their daily work.”

Students are required to provide a laptop for the course:

Your laptop should have at least 18GB of free HD space and should have 4GB+ of RAM.

Install Ahead of Time

  • VMware Workstation/Player for Windows or Fusion for the Mac
  • You will be given a Windows 7 VM. Copy it to your hard drive, and pass the portable media to your neighbor. You may not share course media with non-students.

Examples of Tools on the Virtual Machines

  • WinDbg and Immunity Debugger
  • IDA Pro 6.x demo
  • Python (From Sulley installer. PyDbg works with 2.4 by default in this installer)
  • Peach Fuzzer
  • 010 hex editor (trial available)
  • SciTools Understand (demo)
  • And much more…

COURSE MATERIAL INFORMATION

The course material will be provided to you on day 1. As soon as you receive the course material, copy it from the media, then extract and test the virtual machine. If you arrive at the course early on day 1, begin by writing a C program and disassembling it. The course material is in 4 directories: SrcAudit, Fuzzing, Reversing, and Exploitation. In each directory you’ll find a wealth of knowledge, from documents to labs. Material cannot be shared, reproduced, or used for profit. Please fill out the course review form.

SUGGESTED READING / TEXTBOOKS:

  • Gray Hat Hacking: The Ethical Hacker’s Handbook, 3rd Edition – Harper, Harris, Ness, Eagle, Lenkey, and Williams
  • Fuzzing for Software Security and Quality Assurance – Takanen, DeMott, Miller
  • The Art of Software Security Assessment – Mark Dowd, John McDonald, and Justin Schuh
  • The IDA Pro Book, 2nd Edition – Chris Eagle

TRAINING

Location: InterContinental KL

Date: October 13, 2014

Time: 9:00 am - 6:00 pm

Trainer: Dr. Jared DeMott