Attend in-personat ADNEC Abu Dhabi
Date22-23 November 2021
Time09:00 to 17:00 GST/GMT+4
Keeping software free of vulnerabilities is a cat-and-mouse game, because of the multiple layers where security bugs can hide within the software stack of an application. Therefore we show techniques to discover bugs in both, source code, bytecode and native code, as needed in real life.
For the first part we’ll start with an introduction to the JVM platform and typical vulnerability types, then continue to learn about introspection technologies and tools to identify issues in source code and binaries. The range of techniques covers the range of assisted source code reading, scanning tools as well as ultrafast fuzzing. After identifying vulnerabilities we’ll also discuss strategies to fix the discovered holes.
The second part starts with presenting the threat model of the Android platform, and how Java coding can go wrong security-wise. Although we can reuse a couple of aspects and tools from the JVM part, there is a lot of discover when building the toolbox.
For both parts we will visit a large range of interesting CWE and CVE instances to direct the audience attention to relevant issues, and allow to learn evaluation how bug patterns can impact confidentiality, integrity and availability of your software.
You should be familiar with running tools from the command line, ideally in Linux. Also you should be familiar with a basic understanding of Java programming on both presented platforms.
A laptop capable of running Linux is required. You can also use WSL or Docker, if you have a Windows or Mac hardware. Make sure you have about 20G disk space available during the course. A disk image will be provided at the beginning of the training.
Marc has a 17-year record of CVE-classified Java bugs. He has spoken and conducted trainings at numerous conferences. In 2009, Marc released his “undx” tool, one of the first proof-of-concepts for a Dalvik decompilation infrastructure. In a past life, he worked on worked on omg.org's "CORBA success story" in banking.
This class is run a little different from most classes. We provide you purpose-built recorded lectures instead of trapping you in realtime with live-lectures. But fear not, the instructor is always right there eagerly waiting to mingle with the students and answer any questions you have. (The instructor really likes being asked questions. It shows you're paying attention ;)). One of many benefits is that you can watch lectures at 2x speed and zoom ahead of the other students and get to the hands on labs quicker. Or if there's bits of material you already know, you can just skip them and move on to the bits you don't know! Another big benefit is that you get to take the full lectures and labs with you! That means if you forget stuff and then need it in 6 months, you can quickly re-bootstrap yourself! Or you can watch the class twice, to really grow those neural connections and cement it in your brain! And unlike live lectures, our lectures are always getting more factually accurate, by having any accidental errors edited out.
This class is designed to give you all the background you need to understand how x86-64 reset vector firmware works, and what the most common security misconfigurations are. It will prepare you to be able to read and understand the existing attack and defense research in the space, taking an explicit walk through of the attack and defense moves and counter-moves threat tree. And as always, this classes teaches you to be comfortable with Reading The Fun Manual (RTFM!) to go seek out the most accurate details of how things work, and to see out new problems in new areas that no one's read yet with a security mindset.You can also opt to attend this class on 23 & 24 Nov instead. To do so, just email firstname.lastname@example.org
This class teaches you about the fundamental hardware mechanisms which all operating systems, virtualization systems, and firmware *must* interact with in order to run successfully on x86 hardware. This is taught in a *mostly* OS-agnostic way focusing on Intel-isms rather than OS-isms (albeit with using Windows as reinforcement, thanks to its excellent kernel-level debugging support.) This class also teaches you to be comfortable with Reading The Fun Manual (RTFM!) to give you self-sufficiency when seeking out the most accurate details of how things work.You can also opt to attend this class on 23 & 24 Nov instead. To do so, just email email@example.com
This class teaches you how to disassemble binaries, read x86-64 assembly language, and debug black-box binaries in WinDbg and GDB. This knowledge of assembly is the fundamental skill which is required to learn reverse engineering and vulnerability exploitation. Reverse engineering is in turn a fundamental skill which is required for malware analysis and vulnerability hunting.
You can also opt to attend this class on 23 & 24 Nov instead. To do so, just email firstname.lastname@example.org