About The Training

Some of the techniques you will learn during this course

• How automated analysis can be integrated into manual code reviewing workflows
• Advanced Fuzzing using AFL++ and LIBFUZZER
• Using and extending different analysis tools
• Clang static analyzer basics
• How to create Checker plugins for the Clang static analyzer
• Using semantic patching tools such as COCCINELLE to create patches quickly and detecting more issues
• Applying dataflow tracking tools such as CodeQL and modern static analysis frameworks to identify vulnerable code patterns and perform variant analysis
• The course is hands-on with a mix of demonstrations and lecture. Both, methodology and tools will be focus of this training.

Advanced

Day-1 Basics of Application Security and Fuzzing

On the first day the basics of software security and approaches to identify flaws in larger projects will be discussed. We will show examples of security vulnerabilities, common places where they emerge, and how to analyze the API of large projects for dangerous functionality.

Important aspects here are the strategies to identify the right places to look for vulnerabilities. Following this we will show how to create interfaces and test cases that are suitable for dynamic analysis. We will also show basic tools and use them to analyze common targets.

Takeaways:

• What are the most important vulnerabilities to discover.
• How to approach large software projects when looking for vulnerabilities.
• How to identify attack vectors.
• How to use basic tools to analyze binaries or source code.
• What Fuzzing is.
• How to use fuzzers to their to its full potential (focus on AFL++ and libfuzzer).

Day 2 - Static and Dynamic Analysis

The second day covers static analysis tools, which help to identify issues in software by analyzing the source code with the help of powerful tools. Since some issues are quite special to a specific code base, this day also covers how to extend analysers to make them adapt to a specific code base.

Takeaways:

• What is static analysis.
• When to apply static analysis.
• How to use CPPCHECK and implement a new check.
• How to use Clang and write custom checkers to analyze your codebase.
• Speed up bug finding and patching by using COCCINELLE.
• Using dynamic analysis for blackbox analysis without source code.

Day 3 - Advanced Bughunting

The third day covers advanced topics such as semantic grepping and bug pivoting. Additionally it covers the combination of manual and automated techniques, such as targeted fuzzing and combining static and dynamic analysis.

Takeaways:

• Using semantic grep to find vulnerable code patterns.
• Patching and identifying flaws at scale with tools such as COCCINELLE
• Analysing crashes, triaging interesting errors and creating test cases.
• Tainted input where it shows up, and how to find and trace it
• Combining different techniques to find complex and deeply hidden vulnerabilities.

• A system able to run VirtualBox x86_64 based VMs, either via USB stick or download
• A minimum 40GB of disk space
• 8 GB of RAM

• Basic Linux command line skills, e.g. the ability to invoke a tool on one or many input files)
• Good knowledge of programming languages, preferably also a low level language such as C and/or Assembly.
• Understanding of security issues in software.

The training is aimed at security engineers, security researchers, software developers, and anyone generally interested in how to identify vulnerabilities in software.

When auditing or managing large software projects, identifying security vulnerabilities is often a hard task. If you want to go beyond vulnerabilities others have found, you need to find your own fresh and previously undiscovered issues. Especially in high profile targets this is getting more and more important. After this workshop you will be able to use techniques of static and dynamic analysis to discover security issues fast and efficient. Besides the tools, the mindset and approach of manual code review is presented as well.

• Training VM image including all the tools
• Concrete examples of vulnerable software and the methods and tools how to find the hidden vulnerabilities
• Tools and scripts that can be applied to software in your own work

• Introduction to software development
• 0days (unless you find them yourself during the training)