Practical ARM Exploitation
Practical ARM Exploitation is the first public course of its kind. Created by Stephen C. Lawler and Stephen A. Ridley, it sold out at its debut at CanSecWest 2012 and at all public offerings of the course since (including all 4 years at Black Hat Las Vegas). It has been taught internationally (both publicly and privately) in a handful of countries. It continues to be the go-to training for understanding software exploitation and reverse engineering on ARM platforms.
The course even received recognition in the broader technology community at ARM TechCon 2012 (one of the largest semiconductor expos in the world) and on NPR in 2012. |
Next Classes:
To Be Announced
Sign up for our newsletter! Subscribe for updates on this course.
|
This course debuted to a Sold Out class at CanSecWest 2012 and Black Hat 2012 and has sold out at every public offering since (Black Hat 2013, Black Hat 2015, et al )!
WHERE THIS TRAINING HAS BEEN TAUGHT (PUBLICLY & PRIVATELY)...
Overview:
The purpose of this 4-Day course is to introduce students with prior basic exploitation experience (on other architectures) to “real world” exploitation scenarios on the ARM processor architecture. The reality is that exploitation these days is harder and a bit more nuanced than it was in the past with the advent of protection mechanisms like XN, ASLR, stack cookies, etc. As such, this course is called “practical” because it aims to teach exploitation on ARM under the real-world circumstances in which the exploit developer will encounter (and have to circumvent) these protection mechanisms. The course materials focus on advanced exploitation topics (circumventing protection mechanisms) using Linux as the platform as a basis to learn the ARM architecture but with the obvious applications being platforms running on mobile phones, tablets, embedded devices, etc.
Our hope is that students with some previous exploitation experience go from knowing nothing about ARM on the first day to exploiting custom heap implementation (bypassing ASLR, NX) using their hand-built ROP connect-back-shell payload on the the last day.
The purpose of this 4-Day course is to introduce students with prior basic exploitation experience (on other architectures) to “real world” exploitation scenarios on the ARM processor architecture. The reality is that exploitation these days is harder and a bit more nuanced than it was in the past with the advent of protection mechanisms like XN, ASLR, stack cookies, etc. As such, this course is called “practical” because it aims to teach exploitation on ARM under the real-world circumstances in which the exploit developer will encounter (and have to circumvent) these protection mechanisms. The course materials focus on advanced exploitation topics (circumventing protection mechanisms) using Linux as the platform as a basis to learn the ARM architecture but with the obvious applications being platforms running on mobile phones, tablets, embedded devices, etc.
Our hope is that students with some previous exploitation experience go from knowing nothing about ARM on the first day to exploiting custom heap implementation (bypassing ASLR, NX) using their hand-built ROP connect-back-shell payload on the the last day.
Details:
Length: 4 days
Format: Lecture and Lab (interleaved 1-to-1)
Dates & Location:
Length: 4 days
Format: Lecture and Lab (interleaved 1-to-1)
Dates & Location:
Sold out to 30+ students at Blackhat 2016 for the fourth year!
Sample Course Material
Sample of the Lab Manual
![]()
|
Sample Slide Deck "ROP on ARM" (deck 8 of 18)
125 pages |
Who Should Attend:
Developers, IT Professionals, Mobile Developers, Hackers, Penetration Testers, Forensic Investigators, reverse engineers, software security auditors/analysts, software exploitation engineers, jail breakers, and anyone interested.
Developers, IT Professionals, Mobile Developers, Hackers, Penetration Testers, Forensic Investigators, reverse engineers, software security auditors/analysts, software exploitation engineers, jail breakers, and anyone interested.
What To Bring:
What Will Be Provided:
Participant Skillset:
Students taking Practical ARM Exploitation should have an intermediate software exploitation background on another architecture (such as x86). They should have hands-on familiarity with the following concepts:
- A laptop (running their favorite OS) capable of connecting to wired and wireless networks
- An installed valid VMWare Player, Workstation or Fusion (freeware is sufficient)
- An installed copy of IDA Standard (freeware is also sufficient)
- An SSH/Telnet client to access the hosted QEMU images
What Will Be Provided:
- 100+ page coil bound lab manual
- Access to the embedded systems (targets), and tools, that comprise the entire class environment
- Undoubtedly some Xipiter swag of some kind ;-)
Participant Skillset:
Students taking Practical ARM Exploitation should have an intermediate software exploitation background on another architecture (such as x86). They should have hands-on familiarity with the following concepts:
- Exploitation of stack overflows
- Exploitation of heap overflows
- Basic experience with IDA
- Basic experience with a debugger
- Cursory knowledge of Python or some equivalent high-level scripting language (Java, Ruby, etc)
- C++ and C coding experience
Class Syllabus:
Day 1: Laying the Ground Work (with an eye to exploitation)
Slide Deck: "Intro"
Instructor Bios, Course Outline/Schedule, Course Goals
Slide Deck: "Introduction to the ARM Architecture"
Architecture Summary/Layout, Instructions/Registers, Instructions Modes, nuances
Lab: "Basics 1":"GDB"
Use GDB to debug/modify a faulty ARM app, rudimentary code injection.
Lab: "Basics 1B": "IDA"
Use IDA Pro to get familiar with ARM-isms: calling convention, IDA's ARM quirks.
Lab: "Basics 2":"Spotting Vulns in Source"
Students audit some little code snippets. (Student skills baseline/assessment tool).
Slide Deck: "Tools and the Lab Environment"
Intro to the QEMU ARM setup, intro to the exercises, intro to custom tools to assist with labs.)
Lab: "Basics 3": "IDA and GDB tag-team"
Use IDA and GDB in tandem to comprehend application flow subvert the app.
Lab: "Basics 4"
Trace through ARM app (dealing with ARM-isms: calling conventions, parameters) to reverse engineer and subvert a blackbox password app with embedded crypto.
Slide Deck: Shellcoding, ELFs, Dynamic Linking
Review of dynamic linking in ELFs. Intro to authoring ARM shellcode
Lab: "Basics 5": "Shellcoding"
Students modify assembly code stub, assemble it, and extract the shellcode to be loaded into an "loader" app.
Slide Deck: "Stack Overflows"
Basics of Stack Overflows (NOP sleds, bouncepoints, etc). Intro to defensive countermeasures: stack cookies, and subverting with "ROP-lite" return-to-libc. Finding bouncepoints on ARM. Nuances of stack overflows on ARM. The rediculousness of NOP sleds...
Lab: "Simple Stack Overflow"
Find and exploit a stack overflow bug in a vulnerable app. Students modify a "test harness" that both triggers the vulnerabilty and injects the payload. Modification of the harness with apppropriate addresses demonstrates comprehension.
Day 2: Basic to Intermediate Techniques
Review yesterday afternoon: Simple Stack Overflow walkthrough again.
Slide Deck: "Stack Overflows and Ret2Libc"
Introduce Non executable stack (XN)" and how to subvert it with Return-to-Text or commonly inaccurately referred to as (Return-to-LibC" or as we call it: "ROP Lite". Students get stepped through a vulnerability to see how this works step-by-step. (We come back to the nuances of ROP gadget finding later in the course)
Lab: "Simple Stack Overflow: XN Stack"
Using a "test harness" containing gadgets we give to the student (expecting them to just accept them for now until we come back to go into ROP-gadget finding in more detail later) to find and exploit a XN stack app by returning to mprotect()
Slide Deck: "Advanced Stack Overflows"
Introduction to XN, ASLR, and Stack cookies on on ARM. Discuss and see examples of ways to subvert stack cookies. (overwriting __stack_chk_guard, info disclosure bug, partial/full pointer overwrites, exception-handler overwrites)
Lab: "Advanced Stack XN"
Students exploit network based service that uses XN and Stack Cookies using partial pointer overwrites and ROP-Lite techniques
Slide Deck: "ROP"
Discuss reason for ROP (Code signing, ASLR, cookies). techniques/tools for manually finding gadgets manually on ARM. A walkthrough of useful gadgets found on our target. Structure of Gadgets"Chaining versus non-Chaining gadgets". Some ROP tricks/nuances on ARM.
Lab: "Custom ROP simplified"
Students find and exploit a vulnerable application by building a custom payload by stringing together a bunch of ROP gadgets (found for them by the instructors on the target).
Slide Deck: "ROP" (go through this as refresher same as above)
Lab: "Custom ROP with full root shell"
Students exploit a vulnerable application by handcrafting a ROP payload (with given gadgets) to obtain a full rootshell on the host.
Day 3 & 4: Intermediate to Advanced Techniques
Slide Deck: "Basic Heaps"
Intro to Heap Overflows on ARM: How stuff goes wrong, grooming/feng-shui-ing, etc. examining a toy heap implementation, TCMalloc's thread-cache freelist, and ways we can exploit all of these.
Lab: "Simple Heap Unlink"
Student will exploit a contrived network server, associating "protocol" events with heap events. Students will groom the target and exploit it with provided payload.
Slide Deck: "More Heaps"
More on heap exploitation. Singly Linked List (LIFO) exploitation. Review of Heap Overflow mitigations, taking a closer look at TCMalloc.
Lab: "Simple Heap (WMW) Write Me Where"
Student will exploit a contrived network server (this time that uses TCMalloc), associating "protocol" events with heap events. Students will groom the target and exploit it with a payload they must modify.
Slide Deck: "Application Level Heap Attacks"
Introduce application level exploitation: Techniques for investigating these kinds of vulnerabilities. Exploiting VTable overwrites, partial/full pointer overwrites.
Lab: "MultiHeap"
Student will locate and trigger a heap overflow in a custom heap implementation. Student will use heapspray and VTable overwrites to successfully exploit the application.
Slide Deck: "Stack Flipping"
Combining concepts introduced earlier (XN, ROP, and heap overflows) students will be introduced and shown how to evade XN by "flipping" the call stack into forged stack frames on the heap. Students will also be introduced to techniques and "gotchas" around finding "pivots" and nuances about ARM that make this more interesting.
Lab: "MultiHeap XN"
Students will use a heapspray or similar technique to overwrite a C++ object to create a fake vtable entry that redirects the stack pointer into the heap...executing their ROP payload to get a shell.
Slide Deck: "Defeating ASLR"
Students will be introduced to ASLR and how it is implemented as well as many of the nuances of how to defeat ASLR (infoleaks, developer debug code, RPC/RMI leaks, predictable ASLR PRNG, uninitialized mem, JIT, etc).
Lab: "MultiHeap XN ASLR"
Students will find and exploit an information disclosure vulnerability to remotely determine the location of libc and successfully craft (modify a given) payload to successfully evade XN, ASLR, and obtain a connectback shell into the owned application.
Slide Deck: "Conclusions - Closing”
Day 1: Laying the Ground Work (with an eye to exploitation)
Slide Deck: "Intro"
Instructor Bios, Course Outline/Schedule, Course Goals
Slide Deck: "Introduction to the ARM Architecture"
Architecture Summary/Layout, Instructions/Registers, Instructions Modes, nuances
Lab: "Basics 1":"GDB"
Use GDB to debug/modify a faulty ARM app, rudimentary code injection.
Lab: "Basics 1B": "IDA"
Use IDA Pro to get familiar with ARM-isms: calling convention, IDA's ARM quirks.
Lab: "Basics 2":"Spotting Vulns in Source"
Students audit some little code snippets. (Student skills baseline/assessment tool).
Slide Deck: "Tools and the Lab Environment"
Intro to the QEMU ARM setup, intro to the exercises, intro to custom tools to assist with labs.)
Lab: "Basics 3": "IDA and GDB tag-team"
Use IDA and GDB in tandem to comprehend application flow subvert the app.
Lab: "Basics 4"
Trace through ARM app (dealing with ARM-isms: calling conventions, parameters) to reverse engineer and subvert a blackbox password app with embedded crypto.
Slide Deck: Shellcoding, ELFs, Dynamic Linking
Review of dynamic linking in ELFs. Intro to authoring ARM shellcode
Lab: "Basics 5": "Shellcoding"
Students modify assembly code stub, assemble it, and extract the shellcode to be loaded into an "loader" app.
Slide Deck: "Stack Overflows"
Basics of Stack Overflows (NOP sleds, bouncepoints, etc). Intro to defensive countermeasures: stack cookies, and subverting with "ROP-lite" return-to-libc. Finding bouncepoints on ARM. Nuances of stack overflows on ARM. The rediculousness of NOP sleds...
Lab: "Simple Stack Overflow"
Find and exploit a stack overflow bug in a vulnerable app. Students modify a "test harness" that both triggers the vulnerabilty and injects the payload. Modification of the harness with apppropriate addresses demonstrates comprehension.
Day 2: Basic to Intermediate Techniques
Review yesterday afternoon: Simple Stack Overflow walkthrough again.
Slide Deck: "Stack Overflows and Ret2Libc"
Introduce Non executable stack (XN)" and how to subvert it with Return-to-Text or commonly inaccurately referred to as (Return-to-LibC" or as we call it: "ROP Lite". Students get stepped through a vulnerability to see how this works step-by-step. (We come back to the nuances of ROP gadget finding later in the course)
Lab: "Simple Stack Overflow: XN Stack"
Using a "test harness" containing gadgets we give to the student (expecting them to just accept them for now until we come back to go into ROP-gadget finding in more detail later) to find and exploit a XN stack app by returning to mprotect()
Slide Deck: "Advanced Stack Overflows"
Introduction to XN, ASLR, and Stack cookies on on ARM. Discuss and see examples of ways to subvert stack cookies. (overwriting __stack_chk_guard, info disclosure bug, partial/full pointer overwrites, exception-handler overwrites)
Lab: "Advanced Stack XN"
Students exploit network based service that uses XN and Stack Cookies using partial pointer overwrites and ROP-Lite techniques
Slide Deck: "ROP"
Discuss reason for ROP (Code signing, ASLR, cookies). techniques/tools for manually finding gadgets manually on ARM. A walkthrough of useful gadgets found on our target. Structure of Gadgets"Chaining versus non-Chaining gadgets". Some ROP tricks/nuances on ARM.
Lab: "Custom ROP simplified"
Students find and exploit a vulnerable application by building a custom payload by stringing together a bunch of ROP gadgets (found for them by the instructors on the target).
Slide Deck: "ROP" (go through this as refresher same as above)
Lab: "Custom ROP with full root shell"
Students exploit a vulnerable application by handcrafting a ROP payload (with given gadgets) to obtain a full rootshell on the host.
Day 3 & 4: Intermediate to Advanced Techniques
Slide Deck: "Basic Heaps"
Intro to Heap Overflows on ARM: How stuff goes wrong, grooming/feng-shui-ing, etc. examining a toy heap implementation, TCMalloc's thread-cache freelist, and ways we can exploit all of these.
Lab: "Simple Heap Unlink"
Student will exploit a contrived network server, associating "protocol" events with heap events. Students will groom the target and exploit it with provided payload.
Slide Deck: "More Heaps"
More on heap exploitation. Singly Linked List (LIFO) exploitation. Review of Heap Overflow mitigations, taking a closer look at TCMalloc.
Lab: "Simple Heap (WMW) Write Me Where"
Student will exploit a contrived network server (this time that uses TCMalloc), associating "protocol" events with heap events. Students will groom the target and exploit it with a payload they must modify.
Slide Deck: "Application Level Heap Attacks"
Introduce application level exploitation: Techniques for investigating these kinds of vulnerabilities. Exploiting VTable overwrites, partial/full pointer overwrites.
Lab: "MultiHeap"
Student will locate and trigger a heap overflow in a custom heap implementation. Student will use heapspray and VTable overwrites to successfully exploit the application.
Slide Deck: "Stack Flipping"
Combining concepts introduced earlier (XN, ROP, and heap overflows) students will be introduced and shown how to evade XN by "flipping" the call stack into forged stack frames on the heap. Students will also be introduced to techniques and "gotchas" around finding "pivots" and nuances about ARM that make this more interesting.
Lab: "MultiHeap XN"
Students will use a heapspray or similar technique to overwrite a C++ object to create a fake vtable entry that redirects the stack pointer into the heap...executing their ROP payload to get a shell.
Slide Deck: "Defeating ASLR"
Students will be introduced to ASLR and how it is implemented as well as many of the nuances of how to defeat ASLR (infoleaks, developer debug code, RPC/RMI leaks, predictable ASLR PRNG, uninitialized mem, JIT, etc).
Lab: "MultiHeap XN ASLR"
Students will find and exploit an information disclosure vulnerability to remotely determine the location of libc and successfully craft (modify a given) payload to successfully evade XN, ASLR, and obtain a connectback shell into the owned application.
Slide Deck: "Conclusions - Closing”