Application Security: For Hackers and Developers
Trainer: Jared DeMott
Jared DeMott is a PhD candidate at Michigan State University and a security researcher for Harris Crucial Security, Inc. He has spoken at security conferences such as Black Hat, Defcon, ToorCon, Shakacon, and DakotaCon. He is active in the offensive security community by teaching his Application Security course, and has co-authored a book on Fuzzing. Mr. DeMott has been an invited lecturer at prestigious institutions such as the United States Military Academy, and prior to Harris worked for the National Security Agency.
Description:
There are four technical skills required by security researchers, software quality assurance engineers, or developers concerned about security: Source code auditing, fuzzing, reverse engineering, and exploitation. All these skills and more are covered. C/C++ code has been plagued by security errors resulting from memory corruption for a long time. Problematic code is discussed and searched for in lectures and labs.
Fuzzing is a topic that DeMott, as a book author, knows well. Mutation file fuzzing and framework definition construction (Sulley and Peach) are just some of the lecture and lab topics. When it comes to reversing C/C++ (Java and others are briefly discussed), IDA Pro is the tool of choice. Deep usage of this tool is covered in lecture and lab. Exploitation discussions and labs are the exciting final component. You'll enjoy exploiting everything from BSD local programs to Win7 browsers using the latest techniques.
Reverse Engineering
Students focus on learning to reverse compiled software written in C and C++, though half-compiled code is mentioned as well. The IDA Pro tool is taught and used throughout. Calling conventions, C to assembly, identifying and creating structures, and RTTI reconstruction are covered. Students will also use IDA's more advanced features such as FLIRT/FLAIR, scripting, and plug-in creation.
Source Code Auditing
Understanding how and when to audit source code is key for both developers and hackers. Students learn to zero in on the important components of each language. Automated tools are mentioned, but auditing source manually is the focus, since verifying results is a required skill even when using the most advanced tools. Spotting and fixing bugs is the focus.
Fuzzing
Fuzzing is a runtime method for weeding out bugs in software, with a growing footprint within security companies and research communities. Techniques ranging from dumb file fuzzing all the way up to intelligent network protocol fuzzing will be covered. Students will write and use various fuzzers to find bugs.
Exploitation
Students will walk out of this class knowing how to find and exploit bugs in software. This is useful to both developers and hackers. The exploit component will teach each common bug type including: stack overflows, function pointer overwrites, heap overflows, off-by-ones, FSEs, return to libc, integer errors, uninitialized variable attacks, heap spraying, and ROP. Shellcode creation/pitfalls and other tips and tricks will all be rolled into the exciting, final component.
DOWNLOAD the entire Syllabus and Class Schedule.
No hard prerequisites, but helpful if:
Course Requirements:
In addition to course materials, some of the tools you get:
Dates: September 25 & 26, 2012
Meeting Time: 8:30 AM – 5:00 PM
DeVos Place (Room TBA) 303 Monroe Ave. Grand Rapids, MI 49503
Registration:
Price $1,400, Includes GA ticket for GrrCON
Registration is OPEN