Winter School on Binary Analysis

From February 20-24, 2017, secUnity held its first winter school at Ruhr-Universität Bochum. The event was organized by the Chair for Systems Security and focused on research topics in software security, in particular binary analysis.

The secUnity Winter School on Binary Analysis, organized by the Chair for Systems Security, gives Master's and PhD students as well as young scholars the opportunity to learn more about software security. The event is a mix of lectures and hands-on exercises: participants learn how to find and exploit vulnerabilities in (binary) software, review potential defenses, and practice the techniques covered in the lectures in accompanying exercises.

Topics covered during the winter school include (among others):

    • Binary analysis techniques
    • Diversification
    • Control-Flow Integrity Attacks and Defenses
    • SMT Solving
    • Program Synthesis
    • ...


Date

20.02.2017 - 24.02.2017

 

Information on the Winter School

Abstracts

Title: Embedded Binary Security I + II

The security of embedded devices is gaining an increasingly important place in the security landscape. As industry pushes towards connected devices and the IoT, the security of embedded systems is becoming more critical. Some of these devices control critical systems, and successful exploitation of such embedded systems can affect the physical world and thus have dangerous consequences for society. Despite their criticality, embedded systems appear to be just as vulnerable to software attacks as general-purpose computers.
In this training, we look at various operating systems used in the embedded world. We examine their security features and discuss existing weaknesses in their design. In particular, we look at the exploit mitigations of several real-time operating systems and how their weaknesses can compromise the security of embedded systems.
We then move on to one of the most commonly used embedded architectures: ARM. We look at the ARM calling convention and at how exploitation on ARM differs from exploitation on Intel x86, with a specific focus on writing exploits for ARM. Finally, in the workshop you apply what you have learned and write your own exploit for ARM.

 

Title: SMT 1 - Constraint solving for reverse engineers

In daily reverse engineering work, questions arise about possible program behaviours at certain code locations. For instance, given the preceding program context, can a register hold a certain value? Can a conditional jump be taken under certain circumstances? SMT solvers [1] are powerful tools that give concrete answers to such questions.
Many binary analysis frameworks combine SMT solvers with symbolic execution [2] and taint analysis [2] for (semi-)automated program analysis; examples are angr [3], Triton [4] and BitBlaze [5]. However, the inner workings of SMT solvers are not widely known in the reverse engineering community.
We will try to demystify SMT solvers and constraint solving so that reverse engineers can interact with a solver directly, both to find solutions to one-off problems and to build custom-purpose tools. For this, we introduce some of the theoretical foundations behind SMT solvers and give concrete examples of how to interact with them.

 

[1] www.usenix.org/system/files/conference/woot12/woot12-final26.pdf
[2] users.ece.cmu.edu/~aavgerin/papers/Oakland10.pdf
[3] angr.io
[4] triton.quarkslab.com
[5] bitblaze.cs.berkeley.edu

 

Title: SMT 2 + 3

You want to crack crypto? You want to find vulnerabilities and create exploits? Or do you enjoy working on code obfuscation and de-obfuscation?
With the right tools, this can be like a walk in the park. SMT solvers should be in everybody's toolbox because they can automate your hunt. Readily available solvers can be used very efficiently on a wide variety of problems: analyzing crypto, payload and ROP chain generation, automatic exploit generation, obfuscation and deobfuscation, optimization, triggering certain code paths, and many more.
This training is a hands-on introduction to SMT solving with a focus on real-world exploitation and reverse engineering scenarios. We will use SMT solvers to crack custom crypto, prove the correctness of deobfuscations and find easy-to-miss signedness bugs in C code. It gives you the knowledge needed to transform common problems into an SMT query that can then be solved by off-the-shelf SMT solvers.
No prior experience with Python or SMT solvers is required.
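The two questions raised in the SMT 1 abstract (can a register hold a given value at this point, and can a conditional jump be taken) and the "triggering certain code paths" use case from SMT 2 + 3, worked through as an added example that is not part of the winter school material. It does in miniature what a solver's bit-vector theory does internally: the semantics of a few 8-bit instructions are bit-blasted into CNF with a Tseitin encoding, and the CNF is handed to a small DPLL SAT procedure. The instruction snippets, the BitBlaster class and the dpll function are constructed for this example; in practice one would hand the query to an off-the-shelf solver such as Z3 rather than hand-roll the SAT step.

```python
"""Added example: a miniature bit-vector SMT solver for 8-bit registers.
Bit-blast instruction semantics to CNF (Tseitin), then solve with DPLL.
The instruction snippets below are hypothetical, x86-like, 8-bit."""


class BitBlaster:
    """Builds a CNF whose models are the machine states consistent with the
    encoded instructions. Literals are ints: v means var v, -v its negation."""

    def __init__(self):
        self.nvars, self.clauses = 0, []
        self.TRUE = self.fresh()
        self.clauses.append([self.TRUE])  # constant-true literal

    def fresh(self):
        self.nvars += 1
        return self.nvars

    def var(self, width=8):
        """A symbolic register: one free variable per bit, LSB first."""
        return [self.fresh() for _ in range(width)]

    def const(self, value, width=8):
        return [self.TRUE if (value >> i) & 1 else -self.TRUE for i in range(width)]

    # Tseitin gates: fresh output o plus clauses enforcing o <-> f(a, b).
    def AND(self, a, b):
        o = self.fresh()
        self.clauses += [[-o, a], [-o, b], [o, -a, -b]]
        return o

    def OR(self, a, b):
        o = self.fresh()
        self.clauses += [[o, -a], [o, -b], [-o, a, b]]
        return o

    def XOR(self, a, b):
        o = self.fresh()
        self.clauses += [[-o, a, b], [-o, -a, -b], [o, -a, b], [o, a, -b]]
        return o

    def bv_and(self, x, y):
        return [self.AND(a, b) for a, b in zip(x, y)]

    def bv_xor(self, x, y):
        return [self.XOR(a, b) for a, b in zip(x, y)]

    def bv_add(self, x, y):
        """Ripple-carry adder; the final carry is dropped, so it wraps like a CPU."""
        out, carry = [], -self.TRUE
        for a, b in zip(x, y):
            t = self.XOR(a, b)
            out.append(self.XOR(t, carry))
            carry = self.OR(self.AND(a, b), self.AND(t, carry))
        return out

    def assert_eq_const(self, x, value):
        """Constrain a bit-vector to a concrete value (e.g. 'ZF is set')."""
        for i, bit in enumerate(x):
            self.clauses.append([bit if (value >> i) & 1 else -bit])


def dpll(clauses, assignment=None):
    """Minimal DPLL: unit propagation to a fixpoint, then branch on a variable.
    Returns a model {var: bool} or None if the CNF is unsatisfiable."""
    assignment = dict(assignment or {})
    while True:
        unit, remaining = None, []
        for clause in clauses:
            live, satisfied = [], False
            for lit in clause:
                val = assignment.get(abs(lit))
                if val is None:
                    live.append(lit)
                elif val == (lit > 0):
                    satisfied = True
                    break
            if satisfied:
                continue
            if not live:
                return None  # empty clause: conflict
            if len(live) == 1 and unit is None:
                unit = live[0]
            remaining.append(live)
        clauses = remaining
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0
    if not clauses:
        return assignment
    var = abs(clauses[0][0])
    for value in (True, False):
        assignment[var] = value
        model = dpll(clauses, assignment)
        if model is not None:
            return model
    return None


def model_value(model, bits):
    """Read a register (list of variables) out of a model; unassigned bits are don't-cares."""
    return sum(1 << i for i, v in enumerate(bits) if model.get(v))


def input_for_jz_taken():
    """xor al, 0x5A ; add al, 0x17 ; jz target  -- initial AL that takes the jump, or None."""
    bb = BitBlaster()
    al = bb.var()
    result = bb.bv_add(bb.bv_xor(al, bb.const(0x5A)), bb.const(0x17))
    bb.assert_eq_const(result, 0x00)  # jz taken <=> result == 0
    model = dpll(bb.clauses)
    return None if model is None else model_value(model, al)


def input_for_je_after_and():
    """and al, 0x0F ; cmp al, 0x10 ; je target  -- never reachable, so expect None."""
    bb = BitBlaster()
    al = bb.var()
    bb.assert_eq_const(bb.bv_and(al, bb.const(0x0F)), 0x10)
    model = dpll(bb.clauses)
    return None if model is None else model_value(model, al)


def jz_taken_concretely(al):
    """Concrete re-execution of the first snippet, to cross-check the solver's answer."""
    return ((al ^ 0x5A) + 0x17) & 0xFF == 0


if __name__ == "__main__":
    al = input_for_jz_taken()
    print("jz taken for AL =", None if al is None else hex(al),
          "| concrete check:", al is not None and jz_taken_concretely(al))
    print("je after 'and al, 0x0F' reachable:", input_for_je_after_and() is not None)
```

The first query is satisfiable and, because XOR and ADD with constants are bijective, has exactly one answer, AL = 0xB3; the second is unsatisfiable because the mask clears bit 4, which unit propagation discovers without branching. The concrete re-execution at the end is the check a practitioner should always do on a solver model: it catches encoding mistakes in the bit-blaster that the solver itself cannot see.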

 

Title: Program Synthesis 1

Introduction to program synthesis:
* What is program synthesis?
* How does it work?
* What is the state-of-the art?
* Applications in the context of binary security

 

Title: Synthesising the semantics of obfuscated code (Program Synthesis 2)

The goal of program synthesis is to automatically find a program that satisfies a given specification. Given access to an input-output oracle, program synthesis learns the oracle's semantics from a finite set of input-output examples. Applied to low-level programs, it can serve as a generic method for trace simplification.


This talk introduces a program synthesis approach based on Monte Carlo Tree Search (MCTS) that operates in the domain of bit-vector arithmetic. First, we discuss both the strengths and the weaknesses of MCTS for this task, as well as potential enhancements. Then we outline its application to generic trace simplification: we show how to learn the semantics of relevant sections of assembly traces that rely on virtual-machine-based obfuscation and return-oriented programming (ROP) chains.

 

Fees

The registration fee for the winter school is 300 Euro for students and 600 Euro for participants from industry. This fee includes daily refreshments, lunch, a workshop on Wednesday, and social events.

For more information, see our WinterSchool page.

 

Accommodation

The hotel stay is not included in the registration fee.

Hotels in Bochum are available in different categories and price ranges.

 

Travel Info

The winter school takes place on the campus of the Ruhr-Universität Bochum in building ID (see the site plan of the university), which is home to the Horst Görtz Institute for IT-Security (HGI). The lectures are held in room ID 04 / (445/471/459/401); there will be signs to guide your way. Further information on how to reach Bochum can be found here; the following should help you find your way.

PLANE
You can reach Bochum via Düsseldorf International (DUS), Köln Bonn Airport (CGN) and Dortmund Airport (DTM) in reasonable time. DUS is not only the largest, but also the most easily accessed: there are direct connections between the airport and Bochum's main train station up to eight times per hour, and the journey only takes around 40 minutes. There is also a direct high-speed train connection from Frankfurt Airport (FRA) to Bochum (journey time is about two hours).

TRAIN / PUBLIC TRANSPORTATION

Bochum is well connected to the German high-speed train network. Bochum Central Station is served by ICE, IC, EC, regional, and suburban trains at a high frequency. From there, you can reach the university easily by taking the underground line U35 (CampusLinie, direction Bochum Hustadt). For planning your journey, please refer to Deutsche Bahn AG.

CAR

Motorists can easily reach Bochum via the dense motorway network in Germany and especially in North Rhine-Westphalia. The quickest route is via the motorway junction Bochum/Witten, where the A43 and A44 meet. Take the exit Bochum-Querenburg, follow the signs "Ruhr-Universität" and then the (electronic) information boards. You can enter Lennershofstraße 140, 44801 Bochum in your GPS system: you will pass the Bochum University of Applied Sciences and then reach building ID by following the road. Note that only a limited number of parking spots are available at the university. Alternatively, enter the following address in your GPS system:
Ruhr-University Bochum, I-Nord-Straße, 44801 Bochum

 

About Bochum

Bochum is located in the famous "Ruhr Area", the former centre of Germany's coal mining and steel industry. Although most coal mines have been closed, the hidden beauty of those days has been preserved in many places.

 

Things to see in Bochum

  • Little walk: The Botanical Garden is located south of the Ruhr-University Bochum and shows a great variety of plants from all over the world. It is a 5-10 minute walk from the venue.
  • Socializing: The Bermudadreieck (Bermuda triangle) is a square in the centre of Bochum crowded with theme bars and restaurants.
  • Mining history: The Deutsches Bergbau-Museum Bochum is one of Germany's most popular museums and is well known for its extensive underground demonstration mine.

 

Contact

If you have further questions, you can reach us at:

Dennis Tatang

Horst Görtz Institute for IT-Security

Ruhr-University Bochum, Germany

E-Mail: secunitynoSpam@rub.de