Program Analysis for Vulnerability Discovery
Sophia d’Antoine & Jordan Wiens


31st January - 3rd February 2022

This 32-hour course trains students to do sophisticated program analysis using Binary Ninja and the Binary Ninja Python API for the purpose of vulnerability research, with the goals of improving auditing processes, improving the ability to identify interesting code paths, and encoding bug primitives.

In the class, students will learn Binary Ninja inside and out by extending its analysis capabilities to support a custom architecture which is difficult to analyze manually. Students will also leverage the Binary Ninja plugin architecture to identify vulnerabilities in an architecture-independent way. After taking this course, students will have experience working with all parts of the API (even some undocumented bits) to create powerful program analysis tools which can be used across architectures.

  • Required Materials
    • A virtual machine running Ubuntu 20.04 or an OS which can run Binary Ninja (Supported Platforms)
    • Python 3.8+
    • Temporary Personal Binary Ninja licenses will be provided, but if you are purchasing one we recommend the Commercial license, as it provides the headless API

Course agenda

  • Day 1
    • API and GUI review
    • Discussion of program analysis use cases
    • Turing machines, correctness, and formal verification
    • In depth Binary Ninja Low Level Intermediate Language (LLIL) review
    • Start to write a generic plugin with the Binary Ninja PluginCommand to better reverse engineer language-specific artifacts
  • Day 2
    • SSA Form and its benefits
    • The Binary Ninja memory and address model
    • Control flow analysis vs. Data flow analysis
    • Type propagation inside of a function context and cross function
    • Automatically recovering structures inside of a function context
    • Abstract Interpretation
  • Day 3
    • Data flow analysis and tracing the lifetime of a variable or object
    • Path constraint solving using SAT solvers to determine reachability and to solve for input variables
    • Vulnerability discovery with Binary Ninja
    • Identifying "sources" and "sinks" in a program; using taint analysis to track where controlled input can reach program sinks, and constraint solving to determine the boundaries of a vulnerability
  • Day 4
    • Discuss bug classes, what makes certain ones easier to programmatically find and why
    • Encoding bug classes as read and write primitives, making it easier to find specific vulnerability types, such as memory corruption and incorrect usage of APIs
    • Write a Binary Ninja pass to find different classes of bugs for specific example targets
    • Attempt to analyze and find bugs in a 'real world' program
    • Discussion on the future of the field: how could machine learning help us find the harder types of bugs, such as logic bugs?
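The Day 2 and Day 3 items above (SSA form, def/use data flow, and source-to-sink taint tracking) combine into one small algorithm, shown here as an added example that is not course material or Binary Ninja code. It runs offline against a constructed, simplified SSA instruction list: the `SSAFunction` class, the instruction model and the sample function are all assumptions made for illustration. The two queries it relies on, a variable's single definition and the list of its uses, are exactly what SSA form makes cheap, and Binary Ninja's MLIL SSA form exposes the same pair as `get_ssa_var_definition` and `get_ssa_var_uses`, so the propagation loop ports directly once the instruction model is swapped for MLIL SSA instructions. The sample includes a sanitizer call and a loop-carried phi so the example shows both a suppressed finding and why the "already tainted" check is what terminates the walk on a cycle.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SSAVar:
    """One SSA variable: a name plus a version, so each is assigned exactly once."""
    name: str
    version: int

    def __str__(self) -> str:
        return f"{self.name}#{self.version}"


@dataclass
class Instr:
    """Simplified MLIL-SSA-style instruction (constructed model, not Binary Ninja's class)."""
    addr: int
    op: str                      # "call", "add" or "phi"
    dest: Optional[SSAVar]       # variable written, if any
    srcs: List[SSAVar]           # variables read; for "call", the parameters in order
    callee: str = ""             # target name for "call"


class SSAFunction:
    """Def/use index over the instruction list: one definition per variable, direct use lists."""

    def __init__(self, instrs: List[Instr]):
        self.instrs = instrs
        self._defs: Dict[SSAVar, Instr] = {}
        self._uses: Dict[SSAVar, List[Instr]] = defaultdict(list)
        for ins in instrs:
            if ins.dest is not None:
                assert ins.dest not in self._defs, f"{ins.dest} assigned twice; not SSA"
                self._defs[ins.dest] = ins
            for v in ins.srcs:
                self._uses[v].append(ins)

    def get_ssa_var_definition(self, v: SSAVar) -> Optional[Instr]:
        return self._defs.get(v)

    def get_ssa_var_uses(self, v: SSAVar) -> List[Instr]:
        return self._uses.get(v, [])


@dataclass
class Finding:
    addr: int            # address of the sink call
    callee: str
    param_index: int
    var: SSAVar          # the tainted SSA variable passed to the sink
    path: List[int]      # instruction addresses from the source call to the sink


# Hypothetical source/sink/sanitizer tables for the constructed sample.
SOURCES: Set[str] = {"recv_len"}                    # return value is attacker controlled
SINKS: Set[Tuple[str, int]] = {("malloc", 0), ("memcpy", 2)}  # (callee, param) that must be clean
SANITIZERS: Set[str] = {"clamp"}                    # result is treated as bounded


def find_tainted_sinks(fn: SSAFunction, sources: Set[str], sinks: Set[Tuple[str, int]],
                       sanitizers: Set[str]) -> Tuple[List[Finding], Dict[SSAVar, List[int]]]:
    """Forward taint over SSA def/use chains. Returns findings plus the taint map."""
    tainted: Dict[SSAVar, List[int]] = {}   # tainted var -> def/use path that reached it
    worklist: List[SSAVar] = []
    for ins in fn.instrs:
        if ins.op == "call" and ins.callee in sources and ins.dest is not None:
            tainted[ins.dest] = [ins.addr]
            worklist.append(ins.dest)

    findings: List[Finding] = []
    while worklist:
        v = worklist.pop()
        for use in fn.get_ssa_var_uses(v):
            path = tainted[v] + [use.addr]
            if use.op == "call":
                # report every sink parameter position this variable lands in
                for idx, arg in enumerate(use.srcs):
                    if arg == v and (use.callee, idx) in sinks:
                        findings.append(Finding(use.addr, use.callee, idx, v, path))
                if use.callee in sanitizers:
                    continue  # the sanitizer's result is considered clean
            # propagate through arithmetic, phi nodes and (conservatively) call results;
            # "not in tainted" is what guarantees termination on phi cycles
            if use.dest is not None and use.dest not in tainted:
                tainted[use.dest] = path
                worklist.append(use.dest)
    findings.sort(key=lambda f: (f.addr, f.param_index))
    return findings, tainted


def build_example() -> SSAFunction:
    """Constructed sample: a length read from the network flows into malloc and memcpy."""
    n1, m1, p1, k1 = SSAVar("n", 1), SSAVar("m", 1), SSAVar("p", 1), SSAVar("k", 1)
    buf1, dst1 = SSAVar("buf", 1), SSAVar("dst", 1)          # parameters, never defined here
    i1, i2, i3 = SSAVar("i", 1), SSAVar("i", 2), SSAVar("i", 3)
    return SSAFunction([
        Instr(0x1000, "call", n1, [], "recv_len"),                # source: attacker controls n#1
        Instr(0x1004, "add", m1, [n1]),                           # m#1 = n#1 + 8 (constant not modelled)
        Instr(0x1008, "call", p1, [m1], "malloc"),                # sink: tainted allocation size
        Instr(0x100C, "call", k1, [n1], "clamp"),                 # sanitizer: k#1 treated as clean
        Instr(0x1010, "call", None, [p1, buf1, k1], "memcpy"),    # sanitized length: no finding
        Instr(0x1014, "call", None, [dst1, buf1, n1], "memcpy"),  # sink: raw tainted length
        Instr(0x1018, "phi", i2, [i1, i3]),                       # loop header: i#2 = phi(i#1, i#3)
        Instr(0x101C, "add", i3, [i2, n1]),                       # i#3 = i#2 + n#1 (loop-carried taint)
        Instr(0x1020, "call", None, [dst1, buf1, i2], "memcpy"),  # sink reached through the phi cycle
    ])


if __name__ == "__main__":
    results, _ = find_tainted_sinks(build_example(), SOURCES, SINKS, SANITIZERS)
    for f in results:
        print(f"{f.callee} param {f.param_index} at {f.addr:#x} receives tainted {f.var}; "
              "path: " + " -> ".join(f"{a:#x}" for a in f.path))
```

The walk is intraprocedural and treats every call result as tainted when any argument is, which is the usual starting point before the cross-function type and taint propagation covered on Day 2; the recorded `path` is the def/use chain a constraint solver would then walk to decide whether the tainted length can actually exceed the destination size.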


Sophia d’Antoine is the founder of Margin Research, focusing on vulnerability research and program analysis. She has spoken at more than thirteen security conferences worldwide, including RECon Montreal, Blackhat, and CanSecWest, on topics ranging from automated exploitation and program analysis to machine learning and hardware hacking. Her keynotes have included topics such as exploiting hardware CPU optimizations. She currently sits on the program committee for Usenix WiSec and has served on multiple peer review panels. In the past, she has worked extensively on embedded devices and other unique architectures. Additionally, Sophia is the "Hacker in Residence" at NYU and enjoys helping to host CTFs and other hacking competitions.

Her publications on automated exploitation, programmatic vulnerability discovery, and security-focused compiler development are listed below. The basis for this effort has been static analysis, LLVM, and binary lifters such as Binary Ninja.

Jordan Wiens used to play a lot of CTF, even winning some, like DEF CON, a handful of times, but then they got hard and now he mostly likes to talk about them and make challenges. Professionally, he has been a network security engineer, vulnerability researcher, and engineering manager, and for the last five years a small business founder, with two co-founders, of Vector 35, makers of Binary Ninja.

He's given trainings over two decades across the academic, government, and commercial sectors on reverse engineering and vulnerability research and has presented at conferences like DEF CON, BlueHat, ShmooCon, Insomni'hack, SAS, and many others.

Limited Seats - Remember to reserve your ticket!
