ATTEND IN-PERSON: Onsite in Phuket
ATTEND ONLINE: Virtual via Zoom and Discord
DATE: 21-24 August 2023
TIME: 09:00 to 17:00 ICT/GMT+7
Date |
Day |
Time |
Duration |
21 Aug |
Monday |
0900-17:00 ICT/GMT+7 |
8 Hours |
22 Aug |
Tuesday |
0900-17:00 ICT/GMT+7 |
8 Hours |
23 Aug |
Wednesday |
0900-17:00 ICT/GMT+7 |
8 Hours |
24 Aug |
Thursday |
0900-17:00 ICT/GMT+7 |
8 Hours |
If you’d like to mix and match this material with other topics Xeno teaches, you can instead sign up for the Xeno’s All You Can Learn Buffet class instead.
This class is run a little different from most classes. We provide you purpose-built recorded lectures instead of trapping you in realtime with live-lectures. But fear not, the instructor is always right there eagerly waiting to mingle with the students and answer any questions you have. (The instructor really likes being asked questions. It shows you’re paying attention ;)). One of many benefits is that you can watch lectures at 2x speed and zoom ahead of the other students and get to the hands on labs quicker. Or if there’s bits of material you already know, you can just skip them and move on to the bits you don’t know! Another big benefit is that you get to take the full lectures and labs with you! That means if you forget stuff and then need it in 6 months, you can quickly re-bootstrap yourself! Or you can watch the class twice, to really grow those neural connections and cement it in your brain! And unlike live lectures, our lectures are always getting more factually accurate, by having any accidental errors edited out.
Because we give you all the lecture and lab materials and videos after class, what you’re really paying for is support from the instructor! So you’ll be entitled to keep asking up to 20 questions after class, with 1-2 hour turnaround answers (after accounting for time-zone differences.) This lets you keep productively working through the material if you run out of time at the conference. If you’d like to learn more about the benefits of this style of class delivery, please read this blog post.
Key Learning Objectives
- Learn to recognize the common programming errors that lead to (linear) stack/heap buffer overflows, (non-linear) out-of-bound writes, integer overflows/underflows, signedness issues (e.g. bypassing sanity checks due to signed comparisons, or integer truncation/extension errors), uninitialized data accesses, race conditions (e.g. double fetch and Time of Check, Time of Use (TOCTOU)), Use-After-Free (UAF), type confusion, and information disclosure.
- Learn what options developers have in terms of prevention, detection, and mitigation for each vulnerability type.
- A detailed walkthrough for the exploitation of at least one vulnerability per section. This is so that students can see that vulnerabilities that might otherwise seem unexploitable, are in reality exploitable.
- A *non-goal* is to teach the student how to exploit the vulnerabilities themselves. That will be covered in a future class. (Therefore this class’s applicability stops at “secure development” or “vulnerability auditor”, and doesn’t extend to “exploitation engineer”.)
Course Agenda
Introduction
- Attacker motivations & capabilities
Stack Buffer Overflows
(Key: ? = 0day in the wild, ? = includes exploit explanation)
- Choose-your-own-adventure. Select the examples you’re most interested in from:
* CVE-2021-21574 ? “BIOS Disconnect”
* CVE-2022-0435
* CVE-2018-9312
* CVE-2018-9318
* CVE-2020-10005
* CVE-2021-20294
* CVE-2021-43579
* 2021-CVE-None-BaseBand#1
* CVE-2022-0435
– Writing good sanity checks, by example
– Safer C runtime API options
– FORTIFY_SOURCE
– Piecemeal type-safe language usage
– FORTIFY_SOURCE
– Manual code auditing guidance
– Commercial static analysis tools
– Fuzzing
– Address Sanitizer
– Stack Canaries
– Address Space Layout Randomization (ASLR)
– Non-Executable Memory
– Control Flow Integrity (CFI)
– Tagged Memory
Heap Buffer Overflows
- Introduction
- Choose-your-own-adventure. Select the examples you’re most interested in from:
* CVE-2020-0917?
* CVE-2019-7287?
* CVE-2020-11901 (Part of “Ripple20”)
* CVE-2020-25111 (Part of “Amnesia:33”)
* CVE-2020-27009 (Part of “NAME:WRECK”)
* CVE-2021-21555
* CVE-2021-42739
- Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
Non-linear Out-of-bounds Writes (OOB-W)
- Introduction
- Choose-your-own-adventure. Select the examples you’re most interested in from:
* CVE-2019-10540?
* CVE-2020-0938?
* CVE-2020-1020?
* CVE-2020-13995
* CVE-2020-27930?
* CVE-2021-26675 “T-BONE”
* CVE-2021-28216
* CVE-2022-25636
- Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
Integer Overflows/Underflows
- Introduction
- Choose-your-own-adventure. Select the examples you’re most interested in from:
* CVE-2020-0796? “SMBGhost”
* CVE-2019-5105
* CVE-2019-3568?
* CVE-2019-14192
* CVE-2020-11901 (Part of “Ripple20”)
* CVE-2020-16225
* CVE-2020-17443 (Part of “Amnesia:33”)
* CVE-2021-30860?
* CVE-2021-22636
- Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
Other Integer Issues
- Introduction
- Choose-your-own-adventure. Select the examples you’re most interested in from:
* CVE-2019-15948?
* CVE-2019-14196
* CVE-2019-20561
* CVE-2020-15999?
* CVE-2020-17087?
* CVE-2021-33909 “Sequoia”
- Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
Conclusion for Part 1
Uninitialized Data Access
- Introduction
- Choose-your-own-adventure. Select the examples you’re most interested in from:
* CVE-2019-1458??
* CVE-2022-26721
* CVE-2022-1809
* CVE-2021-3608
* CVE-2022-29968
* CVE-2021-27080
- Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
Race Conditions
- Introduction
- Choose-your-own-adventure. Select the examples you’re most interested in from:
* CVE-2019-11098?
* CVE-2021-4207
* CVE-2021-34514
* 2022-CVE-None-MSMu
* CVE-2020-7460
* 2019-CVE-None-QualcommWiFiSB
- Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
Use-After-Free (UAF)
- Introduction
- Choose-your-own-adventure. Select the examples you’re most interested in from:
* CVE-2020-29661?
* CVE-2021-28460
* CVE-2020-2674
* CVE-2020-2758
* CVE-2021-36955
* CVE-2020-9715
- Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
Type Confusion
- Introduction
- Choose-your-own-adventure. Select the examples you’re most interested in from:
* CVE-2021-1732?? & CVE-2022-21882?
* CVE-2020-3853
* CVE-2021-30857
* CVE-2020-27932? & CVE-2021-30869?
* CVE-2021-41073
* CVE-2022-1786
- Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
Information Disclosure
- Introduction
- Choose-your-own-adventure. Select the examples you’re most interested in from:
* CVE-2021-1969?
* CVE-2021-3947
* CVE-2022-21877
* CVE-2021-1758
* CVE-2019-12265
* CVE-2021-3592
- Prevention, Detection, Mitigation (a mix of approaches that apply equivalently to past sections, as well as any new topic-specific mechanisms.)
Conclusion for Part 2