Program Analysis for Vulnerability Research — Margin Research


This five-day course trains students to do sophisticated program analysis using Binary Ninja and the Binary Ninja Python API for the purpose of vulnerability research with the goal of improving auditing processes, improving their ability to identify interesting code paths, and encoding bug primitives.

Theory meets practice in this course brought to you by [Margin Research](margin.re) and [Vector 35](binary.ninja). This four-day course examines cutting-edge program analysis techniques and how they can be used to find bugs!

Uncover and improve on the logic behind compiler checks that have been finding errors in code for decades, and implement them on binaries using Binary Ninja. Students will prototype binary analysis passes to find type confusion, buffer overflows, and data-flow edge cases, and automate analysis at scale across hundreds of real-world targets.

This thorough approach to binary analysis will leave students with a collection of scripts that can be applied across architectures to find real bugs and identify interesting code paths, and with the ability to encode bug primitives both old and new! Plus, students will learn how to build a pipeline to discover those bugs automatically and integrate automated analysis into existing workflows. Maximize every advantage reverse engineering has to pioneer truly modern Program Analysis for Vulnerability Research.

Dates of Course: May 6th - 9th, 2024

Location: OffensiveCon, Berlin, Germany


Topics Covered

  • Using the UI, Reverse Engineering, Design Philosophy, Core Architecture (BN core arch/design)
  • BV plugin development, Architecture plugin
  • Normalization, IL Survey, BNIL ILs
  • Undecidability, Program Correctness, Correctness with pointers, Formal Methods, Useful Binja Features, Jump Tables, SSA
  • PHI nodes, Dominance Frontiers, and Data Sensitive Analysis
  • Type Analysis, Constraint Solving, and Records, Lattice Theory, Sign Analysis, and Abstract Interpretation
  • Constant Propagation, Fixed-Point Algorithms, Abusing Optimizations, and Flow-Sensitive Type Analysis
  • Pointer Analysis, Abstract Interpretation, Interprocedural Analysis, Batch processing with Binja
  • Pointers and Heap analysis

Learning Objectives

  • A thorough grasp of the Binary Ninja Python API
  • Familiarity with many program analysis concepts and common challenges
  • The ability to write sophisticated program analysis plugins unassisted
  • An understanding of vulnerability primitives and methods of discovery

Required Materials

  • A virtual machine running Ubuntu 20.04, or an OS which can run Binary Ninja (see Supported Platforms)
  • Python 3.8+
  • Familiarity with basic vulnerability classes such as stack-based buffer overflows, type confusion, sign extension vulnerabilities, etc.
  • Basic to intermediate Python experience highly recommended.
  • Temporary Personal Binary Ninja licenses will be provided, but if you are purchasing one we recommend the Commercial license, as it provides the headless API

Schedule

Each day will run from 9AM to 6PM, on either Discord or Zoom for remote classes and on-site for in-person classes. There are two lectures each day; each lecture is applied in two main lab exercises, one easy and one hard, with homework that will be reviewed the following day. All times are in EST.

Day 1

9AM - 11AM: Lab time for 1:1 questions and introductions
11AM - 1PM: Lecture - Using the UI, Reverse Engineering, Design Philosophy, Core Architecture (BN core arch/design)
1PM - 2PM: Break
2PM - 4PM: Lecture - Finish Core Architecture (BN core arch/design), BV plugin development, Architecture plugin
4PM - 6PM: Lab time for 1:1 questions and assistance on labs and homework

Day 2

9AM - 11AM: Lab time for 1:1 questions and assistance on labs and homework
11AM - 1PM: Lecture - Normalization, IL Survey, BNIL ILs, Undecidability, Program Correctness
1PM - 2PM: Break
2PM - 4PM: Lecture - Undecidability, Program Correctness, Correctness with pointers, Formal Methods, Useful Binja Features, Jump Tables, SSA
4PM - 6PM: Lab time for 1:1 questions and assistance on labs and homework

Day 3

9AM - 11AM: Lab time for 1:1 questions and assistance on labs and homework
11AM - 1PM: Lecture - PHI nodes, Dominance Frontiers, and Data Sensitive Analysis Exercises
1PM - 2PM: Break
2PM - 4PM: Lecture - Type Analysis, Constraint Solving, and Records, Lattice Theory, Sign Analysis, and Abstract Interpretation
4PM - 6PM: Lab time for 1:1 questions and assistance on labs and homework

Day 4

9AM - 11AM: Lab time for 1:1 questions and assistance on labs and homework
11AM - 1PM: Lecture - Constant Propagation, Fixed-Point Algorithms, Abusing Optimizations, and Flow-Sensitive Type Analysis
1PM - 2PM: Break
2PM - 4PM: Lecture - Pointer Analysis, Abstract Interpretation, Interprocedural Analysis, Batch processing with Binja
4PM - 6PM: Lab time for 1:1 questions and assistance on labs and homework

Optional Material

9AM - 11AM: Lab time for 1:1 questions and assistance on labs and homework
11AM - 1PM: Lecture - Heap Analysis, Large Exercise, Pointers, VirtualBox
1PM - 2PM: Break
2PM - 4PM: Lecture - Final Topics, Class Chosen Topic, Completing Final Exercises
4PM - 6PM: Lab time for 1:1 questions and assistance on labs and homework