Winter School on Binary Analysis

From February 20-24, 2017, secUnity invites you to its first winter school at Ruhr-Universität Bochum. The event is organized by the Chair for Systems Security (https://syssec.rub.de) and focuses on research topics related to software security, in particular binary analysis.

The secUnity Winter School on Binary Analysis gives Master and PhD students as well as young scholars the opportunity to learn more about software security. The event will be a mix of lectures and hands-on exercises, allowing students to learn how to find and abuse vulnerabilities in (binary) software; we will also review potential defenses. Furthermore, we offer a multifaceted program with exercises on the topics covered in the lectures.

Topics covered during the winter school include (among others):

  • Binary analysis techniques
  • Diversification
  • Control-Flow Integrity Attacks and Defenses
  • SMT Solving
  • Program Synthesis
  • ...

The registration fee for the winter school is 300 Euro for students and 600 Euro for participants from industry. This fee includes daily refreshments, lunch, a workshop on Wednesday, and social events.

A detailed schedule will be published by the end of December 2016; the general outline of the winter school is as follows:

Registration

The school is open to qualified and motivated candidates. Master and PhD students, post-docs, and young researchers are encouraged to submit their application through our registration page. Please provide an overview of your motivation to attend the event and also list your experience in the area of systems security.

Knowledge
We expect participants to have some knowledge of x86/x64 assembly; we will not provide an introductory course on assembler and require a basic understanding of these topics. Furthermore, some familiarity with tools such as IDA, OllyDbg or x64dbg is helpful. To test your knowledge, we provide a small challenge that you should solve. Please analyze the provided binary executable and determine a correct solution for the input.

Application
Please apply and register via our registration page, available at https://registration.crypto.ruhr-uni-bochum.de/conf/secunity_syssec17/, until February 8, 2017 at the latest. We process applications on a first-come, first-served basis and provide feedback on your application within one or two weeks. Given that we have a limited number of seats available, only a selected number of applicants will be allowed to register for the school.

Fee

Note that the registration fee for the event is 300 Euro in case you are accepted to the school. This amount includes daily refreshments, lunch, a workshop on Wednesday, and social events. For industry attendees, the registration fee is 600 Euro.

Abstracts

Title: Embedded Binary Security I + II
The security of embedded devices is gaining an increasingly important place in the security landscape. With industry's drive to build connected devices and IoT devices, the security of embedded systems is becoming more critical. Some of these embedded devices are even used to control critical systems, and successful exploitation of such embedded systems can affect the physical world and, as a result, can have dangerous consequences for society. Despite their criticality, embedded systems appear to be just as vulnerable to software attacks as most general-purpose computers.
In this training, we look at various operating systems used in the embedded world. We look at their security features and discuss existing weaknesses in their design. In particular, we look at exploit mitigations in several Real-Time Operating Systems and how their weaknesses can compromise the security of embedded systems.
We then move on to one of the most commonly used embedded architectures: the ARM architecture. We look at the calling convention in ARM and how exploitation on ARM differs from the Intel x86 architecture. We specifically focus on how to write exploits for the ARM architecture. Finally, we hold our workshop, in which, based on what you have learned, you start to write your own exploit for the ARM architecture.

Title: SMT 1 - Constraint solving for reverse engineers

As part of daily reverse engineering, questions arise about possible programme behaviours at certain code locations. For instance, given the preceding programme context, is it possible that a register holds a certain value? Another question is whether a conditional jump can be taken under certain circumstances. SMT solvers [1] are powerful tools that provide us with concrete answers to these questions.
Many binary analysis frameworks use SMT solvers in combination with symbolic execution [2] and taint analysis [2] for (semi-)automated program analysis. Examples are angr [3], Triton [4] and BitBlaze [5]. However, not much is known about the inner workings of SMT solvers in the reverse engineering community.
We will try to demystify SMT solvers and constraint solving to facilitate the manual interaction between the reverse engineer and the SMT solver, both to find solutions for one-off problems and to build custom-purpose tools. For this, we introduce some theoretical foundations behind SMT solvers and provide concrete examples of how to interact with them.

[1] www.usenix.org/system/files/conference/woot12/woot12-final26.pdf
[2] users.ece.cmu.edu/~aavgerin/papers/Oakland10.pdf
[3] angr.io
[4] triton.quarkslab.com
[5] bitblaze.cs.berkeley.edu

Title: SMT 2 + 3

You want to crack crypto? You want to find vulnerabilities and create exploits? Or do you enjoy working on code obfuscation and de-obfuscation?
With the right tools, this can be like a walk in the park. SMT solvers should be in everybody's toolbox because they can automate your hunt. Readily available solvers can be used very efficiently on a wide variety of problems: analyzing crypto, payload & ROP chain generation, automatic exploit generation, obfuscation & deobfuscation, optimization, triggering certain codepaths, and many more.
This training will be a hands-on introduction to SMT solving with a focus on real world exploitation and reverse engineering scenarios. We will be using SMT solvers to crack custom crypto, prove the correctness of deobfuscations and find easy-to-miss signedness bugs in C code. It will give you the knowledge needed to transform common problems into an SMT query that can then be solved by off-the-shelf SMT solvers.
You will need no prior experience with Python or SMT solvers.

Title: Program Synthesis 1

Introduction to program synthesis:
* What is program synthesis?
* How does it work?
* What is the state-of-the art?
* Applications in the context of binary security

Title: Synthesising the semantics of obfuscated code (Program Synthesis 2)

The goal of program synthesis is to automatically find a program that satisfies a given specification. With access to an input-output oracle, program synthesis learns the oracle's semantics for a finite set of input-output examples. Applied to low-level programs, program synthesis can be used as a generic method for trace simplification.

This talk introduces a program synthesis approach based on Monte Carlo Tree Search (MCTS) that operates in the domain of bit-vector arithmetic. First, we discuss both the strengths and weaknesses of MCTS for this approach and potential enhancements. Then, its application to generic trace simplification is outlined; we show how it is possible to learn the semantics of important sections in assembly traces that rely on virtual machine-based obfuscation and return-oriented programming (ROP) chains.
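The oracle-based learning described in the two Program Synthesis abstracts is easiest to grasp on a toy. The following is an added example, not the lecturer's code: a minimal enumerative synthesiser over 8-bit bit-vector expressions that treats a constructed mixed Boolean-arithmetic obfuscation as its input-output oracle and recovers the simple expression it hides. The grammar, the operator set, the oracles and the example counts are all assumptions of this example; the lecture's method uses Monte Carlo Tree Search, whereas this uses plain size-ordered enumeration with observational-equivalence pruning to keep the idea visible.

```python
"""Added example, not the lecturer's code: a tiny enumerative program
synthesiser for 8-bit bit-vector expressions, learning the semantics of a
constructed obfuscated function from input-output examples."""
import random

MASK = 0xFF  # 8-bit bit-vector arithmetic

# Grammar: variables, the constants 0 and 1, and these operators (assumed).
UNARY = {
    "neg": lambda a: (-a) & MASK,
    "not": lambda a: (~a) & MASK,
}
BINARY = {
    "add": lambda a, b: (a + b) & MASK,
    "sub": lambda a, b: (a - b) & MASK,
    "xor": lambda a, b: a ^ b,
    "and": lambda a, b: a & b,
    "or": lambda a, b: a | b,
}


def evaluate(expr, env):
    """Evaluate an expression tree under a variable assignment."""
    op = expr[0]
    if op == "var":
        return env[expr[1]]
    if op == "const":
        return expr[1]
    if op in UNARY:
        return UNARY[op](evaluate(expr[1], env))
    return BINARY[op](evaluate(expr[1], env), evaluate(expr[2], env))


def to_str(expr):
    """Render an expression tree in infix form."""
    op = expr[0]
    if op == "var":
        return expr[1]
    if op == "const":
        return str(expr[1])
    if op in UNARY:
        return f"{op}({to_str(expr[1])})"
    return f"({to_str(expr[1])} {op} {to_str(expr[2])})"


def synthesize(oracle, variables, examples, max_size=5):
    """Return the smallest expression (by node count) that agrees with the
    oracle on every example, or None if none exists within max_size.
    Candidates with identical output vectors on the examples are treated as
    equivalent and only the first one is kept (observational equivalence)."""
    target = tuple(oracle(**ex) for ex in examples)
    seen = set()
    by_size = {}

    def consider(expr, size):
        sig = tuple(evaluate(expr, ex) for ex in examples)
        if sig in seen:
            return None
        seen.add(sig)
        by_size.setdefault(size, []).append(expr)
        return expr if sig == target else None

    leaves = [("var", v) for v in variables] + [("const", 0), ("const", 1)]
    for leaf in leaves:
        if consider(leaf, 1):
            return leaf
    for size in range(2, max_size + 1):
        for inner in list(by_size.get(size - 1, [])):
            for op in UNARY:
                if consider((op, inner), size):
                    return (op, inner)
        for left_size in range(1, size - 1):
            right_size = size - 1 - left_size
            for left in by_size.get(left_size, []):
                for right in by_size.get(right_size, []):
                    for op in BINARY:
                        if consider((op, left, right), size):
                            return (op, left, right)
    return None


def validate(expr, oracle, variables, trials=1000, seed=0):
    """Re-check a synthesised expression on fresh random inputs; a candidate
    that only fit the training examples is rejected here."""
    rng = random.Random(seed)
    for _ in range(trials):
        env = {v: rng.randrange(256) for v in variables}
        if evaluate(expr, env) != oracle(**env):
            return False
    return True


# Constructed oracles: classic mixed Boolean-arithmetic rewrites of x + y
# and x ^ y, of the kind obfuscators emit.
def obfuscated_add(x, y):
    return ((x ^ y) + 2 * (x & y)) & MASK


def obfuscated_xor(x, y):
    return ((x | y) - (x & y)) & MASK


def make_examples(variables, count=8, seed=1):
    rng = random.Random(seed)
    return [{v: rng.randrange(256) for v in variables} for _ in range(count)]


def simplify(oracle, variables=("x", "y")):
    """Learn the oracle's semantics and return the infix form, or None."""
    expr = synthesize(oracle, variables, make_examples(variables))
    if expr is None or not validate(expr, oracle, variables):
        return None
    return to_str(expr)


if __name__ == "__main__":
    for name, fn in (("obfuscated_add", obfuscated_add), ("obfuscated_xor", obfuscated_xor)):
        print(f"{name}(x, y) == {simplify(fn)}")
```

Two points carry over to the real setting: the synthesiser only ever sees the oracle's outputs, never its code, which is why the same loop works on an assembly trace or a ROP chain once its effect on registers can be sampled; and a finite example set can be fooled, so the `validate` step (or an SMT equivalence check) is what turns a candidate into a trusted simplification.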

Accommodation

The hotel stay is not included in the registration fee.

You can find hotels in Bochum at different categories and prices.

Travel Info

The winter school will take place on the campus of the Ruhr-Universität Bochum in building ID (see the site plan of the university), which is home to the Horst Görtz Institute for IT-Security (HGI). The lectures will be held in room ID 04 / (445/471/459/401); there will be signs to guide your way. Further information on how to reach Bochum can be found here; the following information should help you find your way.

PLANE
You can reach Bochum via Düsseldorf International (DUS), Köln Bonn Airport (CGN) and Dortmund Airport (DTM) in reasonable time. DUS is not only the largest, but also the most easily accessed: there are direct connections between the airport and Bochum's main train station up to eight times per hour, and the journey only takes around 40 minutes. There is also a direct high-speed train connection from Frankfurt Airport (FRA) to Bochum (journey time is about two hours).

TRAIN / PUBLIC TRANSPORTATION

Bochum is well connected to the German high-speed train network. Bochum Central Station is served by ICE, IC, EC, regional, and suburban trains at a high frequency. From there, you can reach the university easily by taking the underground line U35 (CampusLinie, direction Bochum Hustadt). For planning your journey please refer to the Deutsche Bahn AG.

CAR
Motorists can also easily reach Bochum via the dense network of motorways in Germany and especially in North Rhine-Westphalia. The quickest route is via the motorway junction Bochum/Witten, where the A43 and A44 meet. Simply take the exit Bochum-Querenburg, follow the signs “Ruhr-Universität” and then the (electronic) information boards. You can enter Lennershofstraße 140, 44801 Bochum in your GPS system: you will then pass by the Bochum University of Applied Sciences and then reach the building ID by following the road. Note that only a limited number of parking spots are available at the university. You can also try to enter the following street in your GPS system:
Ruhr-University Bochum, I-Nord-Straße, 44801 Bochum

About Bochum

Bochum is located within the famous "Ruhr Area", Germany's former primary location for coal mining and steel industry. Although most coal mines have been closed, the hidden beauty of these old days has been preserved in many places.

Things to see in Bochum

  • Little walk: The Botanical Garden is located south of the Ruhr-University Bochum and shows a great variety of plants from all over the world. You can reach it in 5-10 minutes walk from the conference venue.
  • Socializing: The Bermudadreieck (Bermuda triangle) is a square in the center of Bochum literally crowded with theme bars and restaurants.
  • Mining history: The Deutsches Bergbau-Museum of Bochum is one of Germany's most popular museums and well known for its extensive underground mine shaft.


Contact

If you have further questions, you can reach us at:

Dennis Tatang
Horst Görtz Institute for IT-Security
Ruhr-University Bochum, Germany
E-Mail: secunitynoSpam@rub.de
