Program Analysis for Vulnerability Discovery
Sophia d’Antoine & Jordan Wiens

Schedule

Theory meets practice in this course brought to you by Margin Research and Vector 35. This four-day course examines cutting-edge program analysis techniques and how they can be used to find bugs!

Uncover and improve on the logic behind compiler checks that have been finding errors in code for decades and implement them on binaries using Binary Ninja. Students will prototype binary analysis passes to find type confusion, buffer overflows, data-flow edge cases, and automate analysis at scale across hundreds of real world targets.

This thorough approach to binary analysis will leave students with a collection of scripts that can be applied across architectures to find real bugs, identify interesting code paths, and the ability to encode bug primitives both old and new! Plus, students will learn how to build a pipeline to discover those bugs automatically and integrate automated analysis into existing workflows. Maximize every advantage reverse engineering has to pioneer truly modern Program Analysis for Vulnerability Research.

Topics Covered

• Using the UI, Reverse Engineering, Design Philosophy, Core Architecture (BN core arch/design)
• BV plugin development, Architecture plugin
• Normalization, IL Survey, BNIL ILs
• Undecidability, Program Correctness, Correctness with pointers, Formal Methods, Useful Binja Features, Jump Tables, SSA
• PHI nodes, Dominance Frontiers, and Data Sensitive Analysis
• Type Analysis, Constraint Solving, and Records, Lattice Theory, Sign Analysis, and Abstract Interpretation
• Constant Propagation, Fixed-Point Algorithms, Abusing Optimizations, and Flow-Sensitive Type Analysis
• Pointer Analysis, Abstract Interpretation, Interprocedural Analysis, Batch processing with Binja
• Pointers and Heap analysis
• Have a thorough grasp on the binary ninja python API
• Familiarity with many program analysis concepts and common challenges
• The ability to write sophisticated program analysis plugins unassisted
• An understanding of vulnerability primitives and methods of discovery
• A virtual machine running Ubuntu 20.04 or a OS which can run Binary Ninja  (Supported Platforms)
• Python 3.8+
• Familiarity with basic vulnerability classes such as stack-based buffer overflows, type confusion, sign extension vulnerabilities, etc.
• Basic to intermediate Python experience highly recommended.
• Temporary Personal Binary Ninja licenses will be provided but if you are purchasing one we recommend the Commercial license as it provides the headless API

Learning Objectives

• Have a thorough grasp on the binary ninja python API
• Familiarity with many program analysis concepts and common challenges
• The ability to write sophisticated program analysis plugins unassisted
• An understanding of vulnerability primitives and methods of discovery
• A virtual machine running Ubuntu 20.04 or a OS which can run Binary Ninja  (Supported Platforms)
• Python 3.8+
• Familiarity with basic vulnerability classes such as stack-based buffer overflows, type confusion, sign extension vulnerabilities, etc.
• Basic to intermediate Python experience highly recommended.
• Temporary Personal Binary Ninja licenses will be provided but if you are purchasing one we recommend the Commercial license as it provides the headless API

Required Materials

• A virtual machine running Ubuntu 20.04 or a OS which can run Binary Ninja  (Supported Platforms)
• Python 3.8+
• Familiarity with basic vulnerability classes such as stack-based buffer overflows, type confusion, sign extension vulnerabilities, etc.
• Basic to intermediate Python experience highly recommended.
• Temporary Personal Binary Ninja licenses will be provided but if you are purchasing one we recommend the Commercial license as it provides the headless API

Description

Each day will run from 9AM to 6PM . There are two lectures each day, each lecture will be applied to two main lab exercises, an easy and hard exercise, with homework that will be reviewed the following day. 

Course agenda

Bio

Sophia d’Antoine is the founder of Margin Research, focusing on vulnerability research and program analysis. She has spoken at more than thirteen global security conferences worldwide including RECon Montreal, Blackhat, and CanSecWest on topics from automated exploitation, program analysis, machine learning, and hardware hacking. Her keynotes have included topics such as exploiting hardware CPU optimizations. Currently, She sits on the program committee for Usenix WiSec and have been on multiple peer review panels in the past. In the past, she has worked extensively on embedded devices and other unique architectures. Additionally, Sophia is the "Hacker in Residence" at NYU and enjoy assisting in hosting CTFs and other hacking competitions.

Her publications on automated exploitation, programmatic vulnerability discovery, and security focused compiler development are listed below. The basis for this is effort has been through static analysis, LLVM, and binary lifters, such as Binary Ninja.

Jordan Wiens used to play a lot of CTF, even winning some like DEF CON a handful of times but then they got hard and now he mostly likes to talk about them and make challenges. Professionally, he's been a network security engineer, vulnerability researcher, engineering manager, and for the last five years small business founder with two co-founders of Vector 35, makers of Binary Ninja.

He's given trainings over two decades across the academic, government, and commercial sectors on reverse engineering and vulnerability research and has presented at conferences like DEF CON, BlueHat, ShmooCon, Insomni'hack, SAS, and many others.