Workshops

Cross-platform reversing with Frida

Speaker: Ole André Vadla Ravnås

Frida is a scriptable dynamic binary instrumentation toolkit aiming to dramatically shorten the development cycle of dynamic analysis and reverse-engineering tools. It also comes with some CLI tools built on top of its APIs. Written in portable C, released under a commercially friendly OSS license, with language bindings for Python, Node.js, and more, it's a tool of trade to deal with dynamic instrumentation of binaries on all current platforms (Windows, Mac, Linux, iOS, Android, and QNX).
This workshop is for attendees who would like to get up to speed on the state-of-the-art in dynamic instrumentation on both desktop and mobile. We will start out with an intro to Frida's APIs and CLI tools, and then walk you through how to build a reversing tool from scratch.

Requirements for the workshop participants:

2-3 hours
Knowledge of the English language
It's great if you bring a laptop running Windows, Mac or Linux, and optionally also a jailbroken/rooted iOS or Android device

Practical exploitation of AVR MC-based devices

Speakers: Alexander Bolshev, Boris Ryutin

Lots of modern devices are based on AVM microcontrollers, from amateur Arduino projects to IoT, automobile subsystems, and industrial controllers. This workshop is an attempt to sum up the bulk of AVR firmware buffer overflow exploitation experience.
The Internet has plenty of relevant info, but there is still no practical, top-to-bottom guide on the topic.
We will explain the specifics of reverse-engineering AVR-based firmwares, talk about the features of Harvard architecture, and discuss existing AVR exploitation tools. We will talk about ROP chain building methods and how radare2 can facilitate the task. We will also describe the techniques of post-exploitation and persisting in the firmware.

Workshop plan:

Part 1. AVR 101

Intro
Harvard architecture
AVR MC features
Intro to AVR assembler
AVR bootloaders
Tools for developing, debugging, and operating AVR

Part 2. Pre-exploitation

First steps
How to get the firmware
A few words about chip reversing
Searching for vulnerabilities: fuzzing and static analysis
libc AVR
What is Watchdog?
Examples and exercise

Part 3. Exploitation

Basics
Types of exploitable vulnerabilities
Sources of ROP gadgets
Building ROP chains
Examples and exercise

Part 4. Post-exploitation

Persisting on the system
Examples

The hands-on exercise will utilize an Atmel Studio emulator and Arduino chips.

Requirements for the workshop participants

3 hours
Knowledge of the Russian language
radare2 or IDA Pro installed
Atmel Studio environment (we will give out Flash drives with the installation kit)
Laptop
Micro-USB cable

Enlarge your Burp, or How to stop fearing Javadocs

Speakers: Ivan Yolkin, Igor Bulatenko

A lot of people use vulnerability scanners without understanding how they work, and, consequently, they often get suboptimal results. And if the scanner throws a false positive or, on the contrary, fails to find vulnerabilities which can easily be discovered manually, most penetration testers just deal with it or use several scanners. Burp Suite allows writing custom plugins, so you can correct a lot of its flaws on your own. This workshop will explain the main principles of developing plugins and teach which techniques are worth using in certain cases and why.
The theoretical part will be enhanced by practical training. We will show development in two languages: Python and Java, and we will pay attention to the major differences and benefits of each language with respect to Burp Suite. After the workshop, you will not fear Javadoc API descriptions anymore.

Requirements for the workshop participants

3-4 hours
Knowledge of the Russian language
Mandatory: computer, Burp Suite Professional. The free version of Burp Suite does not include the vulnerability scanner, and customizing it is what the workshop is about
Minimal knowledge of Python or Java
Java development environment (Eclipse, IntelliJ IDEA), JDK 1.7/1.8. Recommended even if you’ve never written code in Java before. It isn’t hard, and we will show you the benefits of Java at the workshop

«Practical object-oriented code reverse engineering»

Speakers: Alexander Matrosov, Eugene Rodionov

In this workshop the authors will address the problem of reverse engineering complex threats developed using object-oriented programming. Analysis of such malware requires different approaches as opposed to reversing malware developed using procedural programming languages.
The workshop starts with introduction into object-oriented code reverse engineering: the authors will explain the peculiarities of object-oriented code layout and approaches to its analysis. Then they will demonstrate use of various tools and techniques employed in the context of analysis object-oriented code based on examples of malware used in the recent high-profile targeted attacks: Animal Farm, Sednit, Equation, Duqu 2. The workshop also covers such topic as distributed C++ malware analysis in a clustered environment using high-level intermediate representation. The authors will consider the examples written in C++ and compiled with MS Visual C++.

Topics

understanding C++ code generation and its identification on assembly language representation: types layout, inheritance and polymorphism implementation; leveraging RTTI information
differences
static analysis approaches and tools to reconstruct object-oriented types
automating C++ code reverse engineering using IDApython and Hex-Rays Decompiler SDK
analysis of malware with object-oriented architecture: Animal Farm, Sednit, Equation, Duqu 2
scaling IDA Pro and Hex-Rays Decompiler for distributed malware analysis in a clustered environment

Participants will receive

understanding of object-oriented and position independent code with respect to reverse engineering
practical experience of using IDA Pro and Hex-Rays Decompiler for reconstructing complex data types
basics of developing plugins for Hex-Rays Decompiler
practical experience of complex threat analysis: Animal Farm malware, Sednit, Equation, Duqu 2 and etc.

Requirements for the workshop participants

3-4 hours
installed version of Hex-Rays IDA Pro with Decompiler
understanding malware reverse engineering approaches
development experience on MS Visual C++ and Python v2.7

«On the way to (wrong) anonymity. Basic techniques of digital contraception and private data hygiene.»

Speaker: ValdikSS

Currently there are all sorts of tools that enable anonymity and confidentiality in the net, but that does not mean that everybody get how exactly they work so as to protect themselves entirely. It’s not enough to just install software, you should also block all possible sources of information leakage.

Within this workshop we’ll cover the aspects of maintaining anonymity in the Internet, importance of data privacy, (non-)obvious up-to-date ways of user identification, both technical and social, consider why this ‘I’ve-got-nothing-to-hide’ approach can harm others.

Purpose of this workshop is to show and block channels of data leakage on the entire OSI model.

We’ll tell you about:

Mobile device identification via MAC-address in Wi-Fi networks, taking as an example API getshopster.com.
Determining operating system version based on particularities of TCP stack realization.
Correct OS settings in VPN-Only mode and the dangers hidden beneath current Windows versions.
Inverse anonymity via social networks and data leakage via application software (Skype, Office, PDF)
Interesting ways of implementing DHCP and IPv6
NAT is not a Firewall

We’ll teach you:

How to configure standard tools of anonymous and confidential Internet surfing with respect to OS version
How and which special tools you should use in this or that situation.
Confidential communication while transferring files with PGP using GnuPG as an example.
Fighting browser tracking, remote local addresses scanning.

Requirements for participants:

2-3 hours
You should know Russian
Windows / Mac OS / Linux laptop; Android, iOS smartphone

Stay tuned for updates!