Course Schedule
A 4 day DOJO.
In-Person or Online attendance is available.
March 16 to 19 (Saturday through Tuesday)
Last updated January 20, 2024.
Course Abstract
This is the combination class that lets you take any of the material(!) from the x86-64 Assembly, x86-64 OS Internals, x86-64 Intel Firmware Attack & Defense, C/C++ Implementation Vulnerabilities Part 1, C/C++ Implementation Vulnerabilities Part 2, and RISC-V Assembly classes at your own pace, but with full instructor support.
Course Prerequisites
See the individual courses' prerequisites.
Course Learning Objectives
Learn the most common assembly instructions, which cover more than 96% of all code found in most programs[1].
Learn about the 16 Intel x86-64 general purpose registers + RFLAGS.
Understand the at times confusing or counter-intuitive compiler-isms of both Microsoft Visual Studio and GCC, which lead to particular patterns in executables' assembly.
Learn to debug and analyze executables which you don't have the source code for, in both WinDbg and GDB.
Learn how to write C code and disassemble it to see what instructions were generated, and also how to write assembly to see how it behaves, or even raw bytes to see how the assembler and processor interpret them.
Become comfortable with Reading The Fun Manual (RTFM!) to go seek out the most accurate details of how things work.
Reverse engineer the black box Carnegie Mellon "Binary Bomb Lab", which has changed the lives of so many students (the instructor included!). This is a *major* hands-on reverse engineering exercise (which can take anywhere from 2 hours to 2 weeks!) which has been shared the world over by thousands of students. This gives you something substantive to chew on even after class to really reinforce your understanding and capability to read assembly.
————————————————————————————————————————
Understand how ring 0 (kernel) / ring 3 (userspace) privilege separation *really* works.
Understand how to use CPUID to query the features available on your system, and how to read the Model Specific Registers (MSRs) to check which ones your OS has actually enabled.
Understand segmentation (and how it relates to privilege separation).
Understand interrupts (and how they pertain to system calls and debugging).
Understand system calls (and how they constitute a major attack surface of an OS).
Understand virtual memory and page table setup (and how it interacts with security mechanisms like XD, SMAP, and SMEP).
Understand how software and hardware breakpoints work.
Understand how port IO allows communication to legacy peripherals and VMware's control channel.
Become comfortable with Reading The Fun Manual (RTFM!) to go seek out the most accurate details of how things work.
————————————————————————————————————————
Understand the original 16-bit "Real Mode" which the x86 CPU reset vector executes in.
Understand 16-bit segmentation & assembly.
Understand the evolution of Intel chipsets, and how to find the manual which corresponds to any given hardware.
Understand how firmware uses IO to configure Intel and 3rd party hardware at boot time.
Understand how firmware interacts with PCIe devices at boot time, both within the CPU/chipset, and 3rd party peripherals.
Understand the core purposes of PCIe Option ROMs, but also how they can be used by attackers.
Be capable of manually reading/writing the firmware-storage SPI flash through the register interface.
Understand the protection mechanisms for the SPI flash and how they can be bypassed.
Understand the protection mechanisms for System Management Mode and how they can be bypassed.
Understand how Chipsec can be used to assess the security posture of a firmware for both attack and defense.
Understand how the ACPI S3 "sleep" power state can be used to attack systems.
Become comfortable with Reading The Fun Manual(!) to go seek out the most accurate details of how things work.
—————————————————————————————————————————
Learn to recognize the common programming errors that lead to (linear) stack/heap buffer overflows, (non-linear) out-of-bounds writes, integer overflows/underflows, and signedness issues (e.g. bypassing sanity checks due to signed comparisons, or integer truncation/extension errors).
Learn what options developers have in terms of prevention, detection, and mitigation for each vulnerability type.
See examples of exploitation of a subset of the example vulnerabilities that might otherwise seem unexploitable.
—————————————————————————————————————————
Learn to recognize the common programming errors that lead to uninitialized data access, race conditions (double fetch, TOCTOU), use-after-free, type confusion, and information disclosure.
Learn what options developers have in terms of prevention, detection, and mitigation for each vulnerability type.
See examples of exploitation of a subset of the example vulnerabilities that might otherwise seem unexploitable.
A *non-goal* is to teach the student how to exploit the vulnerabilities themselves. That will be covered in a future class. (Therefore this class's applicability stops at "secure development" or "vulnerability auditor", and doesn't extend to "exploitation engineer".)
—————————————————————————————————————————
Learn the RV32I base instruction set for 32-bit programs
Learn the RV64I base instruction set for 64-bit programs
Learn the "C" standard extension for compressed instruction encoding (16-bit encoding instead of 32-bit)
Learn the "M" standard extension for multiplication, division, and remainders
Learn about the 32 RISC-V general purpose registers + the Program Counter (PC)
Understand the at times confusing or counter-intuitive compiler-isms of GCC which lead to particular patterns in executables' assembly.
Learn to debug and analyze RISC-V executables which you don't have the source code for, in GDB.
Learn how to write C code and disassemble it to see what instructions were generated, and also how to write assembly to see how it behaves, or even raw bytes to see how the assembler and processor interpret them.
Become comfortable with Reading The Fun Manual (RTFM!) to go seek out the most accurate details of how things work.
Reverse engineer the black box Carnegie Mellon "Binary Bomb Lab", which has changed the lives of so many students (the instructor included!). This is a *major* hands-on reverse engineering exercise (which can take anywhere from 2 hours to 2 weeks!) which has been shared the world over by thousands of students. This gives you something substantive to chew on even after class to really reinforce your understanding and capability to read assembly.
One-of-a-kind Class Format!
This class is run a little differently from most classes. We provide you purpose-built recorded lectures instead of trapping you in real time with live lectures. But fear not, the instructor is always right there eagerly waiting to mingle with the students and answer any questions you have. (The instructor really likes being asked questions. It shows you're paying attention ;)). One of many benefits is that you can watch lectures at 2x speed and zoom ahead of the other students and get to the hands-on labs quicker. Or if there are bits of material you already know, you can just skip them and move on to the bits you don't know! Another big benefit is that you get to take the full lectures and labs with you! That means if you forget stuff and then need it in 6 months, you can quickly re-bootstrap yourself! Or you can watch the class twice, to really grow those neural connections and cement it in your brain! And unlike live lectures, our lectures are always getting more factually accurate, by having any accidental errors edited out.
Because we give you all the lecture and lab materials and videos after class, what you're really paying for is support from the instructor! So you'll be entitled to keep asking up to 20 questions after class, with 1-2 hour turnaround answers (after accounting for time-zone differences). This lets you keep productively working through the material if you run out of time at the conference. If you'd like to learn more about the benefits of this style of class delivery, please read this blog post.
Course Agenda
You can find the agendas for the six classes that you can go through in this class on the pages for the x86-64 Assembly, x86-64 OS Internals, x86-64 Intel Firmware Attack & Defense, C/C++ Implementation Vulnerabilities Part 1, C/C++ Implementation Vulnerabilities Part 2, and RISC-V Assembly classes.
Hardware and Software Requirements
You can find the requirements for the six classes on the pages for the x86-64 Assembly, x86-64 OS Internals, x86-64 Intel Firmware Attack & Defense, C/C++ Implementation Vulnerabilities Part 1, C/C++ Implementation Vulnerabilities Part 2, and RISC-V Assembly classes. Depending on which material you'll be starting with, you may have significantly different requirements, so be sure to discuss your target topic areas with the instructor before class.
About the Instructor: Xeno Kovah
Xeno began leading Windows kernel-mode rootkit detection and defense research projects at MITRE in 2009, before moving into research on BIOS security in 2011. His team's first public talks started appearing in 2013, which led to a flurry of presentations on BIOS-level vulnerabilities up through 2014. In 2015 he co-founded LegbaCore. And after presenting a firmware worm that could spread between Macs via Apple's EFI-based BIOS and Thunderbolt Ethernet adapters, he ended up working for Apple. There he worked on securing all the lesser-known firmware on Macs and peripherals - everything from 3rd party GPUs to SecureBoot for monitors! He worked on the x86 side of the T2 SecureBoot architecture, and his final project was leading the M1 SecureBoot architecture - being directly responsible for designing a system that could provide iOS-level security, while still allowing customer choice to trust arbitrary non-Apple code such as Linux bootloaders. He left Apple in Dec 2020 after the M1 Macs shipped, so he could work full time on OpenSecurityTraining2.