This four-day course trains students in sophisticated program analysis using Binary Ninja and the Binary Ninja Python API for vulnerability research, with the goals of improving auditing processes, improving their ability to identify interesting code paths, and encoding bug primitives.
In the class, students learn Binary Ninja inside and out by leveraging the Binary Ninja plugin architecture to identify vulnerabilities in a machine-architecture-independent way. After taking this course, students will have experience building powerful program analysis tools with Binary Ninja that can be used across architectures.
Dates of Course: November 29th through December 2nd, 2022
Location: On-Site in Arlington, VA. Details on sign up.
Registration Link
https://shop.binary.ninja/products/program-analysis-for-vulnerability-research-5-day-course
Topics Covered
- Using the UI, Reverse Engineering, Design Philosophy, Core Architecture (BN core arch/design)
- BV plugin development, Architecture plugin
- Normalization, IL Survey, BNIL ILs
- Undecidability, Program Correctness, Correctness with pointers, Formal Methods, Useful Binja Features, Jump Tables, SSA
- PHI nodes, Dominance Frontiers, and Data Sensitive Analysis
- Type Analysis, Constraint Solving, and Records, Lattice Theory, Sign Analysis, and Abstract Interpretation
- Constant Propagation, Fixed-Point Algorithms, Abusing Optimizations, and Flow-Sensitive Type Analysis
- Pointer Analysis, Abstract Interpretation, Interprocedural Analysis, Batch processing with Binja
- Pointers and Heap analysis
Learning Objectives
- A thorough grasp of the Binary Ninja Python API
- Familiarity with many program analysis concepts and common challenges
- The ability to write sophisticated program analysis plugins unassisted
- An understanding of vulnerability primitives and methods of discovery
Required Materials
- A virtual machine running Ubuntu 20.04, or an OS that can run Binary Ninja (see Supported Platforms)
- Python 3.8+
- Familiarity with basic vulnerability classes such as stack-based buffer overflows, type confusion, sign extension vulnerabilities, etc.
- Basic to intermediate Python experience is highly recommended.
- Temporary personal Binary Ninja licenses will be provided. If you are purchasing one, we recommend the Commercial license, as it provides the headless API.
Schedule
Each day runs from 9AM to 6PM, on Discord or Zoom for remote classes and on-site for in-person classes. There are two lectures each day; each lecture is applied in two main lab exercises, one easy and one hard, with homework that is reviewed the following day. All times are in EST.
Day 1
| Time | Session | Content |
| --- | --- | --- |
| 9AM - 11AM | Lab | Time for 1:1 questions and introductions |
| 11AM - 1PM | Lecture | Using the UI, Reverse Engineering, Design Philosophy, Core Architecture (BN core arch/design) |
| 1PM - 2PM | Break | |
| 2PM - 4PM | Lecture | Finish Core Architecture (BN core arch/design), BV plugin development, Architecture plugin |
| 4PM - 6PM | Lab | Time for 1:1 questions and assistance on labs and homework |
Day 2
| Time | Session | Content |
| --- | --- | --- |
| 9AM - 11AM | Lab | Time for 1:1 questions and assistance on labs and homework |
| 11AM - 1PM | Lecture | Normalization, IL Survey, BNIL ILs, Undecidability, Program Correctness |
| 1PM - 2PM | Break | |
| 2PM - 4PM | Lecture | Undecidability, Program Correctness, Correctness with pointers, Formal Methods, Useful Binja Features, Jump Tables, SSA |
| 4PM - 6PM | Lab | Time for 1:1 questions and assistance on labs and homework |
Day 3
| Time | Session | Content |
| --- | --- | --- |
| 9AM - 11AM | Lab | Time for 1:1 questions and assistance on labs and homework |
| 11AM - 1PM | Lecture | PHI nodes, Dominance Frontiers, and Data Sensitive Analysis Exercises |
| 1PM - 2PM | Break | |
| 2PM - 4PM | Lecture | Type Analysis, Constraint Solving, and Records, Lattice Theory, Sign Analysis, and Abstract Interpretation |
| 4PM - 6PM | Lab | Time for 1:1 questions and assistance on labs and homework |
Day 4
| Time | Session | Content |
| --- | --- | --- |
| 9AM - 11AM | Lab | Time for 1:1 questions and assistance on labs and homework |
| 11AM - 1PM | Lecture | Constant Propagation, Fixed-Point Algorithms, Abusing Optimizations, and Flow-Sensitive Type Analysis |
| 1PM - 2PM | Break | |
| 2PM - 4PM | Lecture | Pointer Analysis, Abstract Interpretation, Interprocedural Analysis, Batch processing with Binja |
| 4PM - 6PM | Lab | Time for 1:1 questions and assistance on labs and homework |
Day 5
(Condensed into Day 4 for our four-day trainings)
| Time | Session | Content |
| --- | --- | --- |
| 9AM - 11AM | Lab | Time for 1:1 questions and assistance on labs and homework |
| 11AM - 1PM | Lecture | Heap Analysis, Large Exercise, Pointers, VirtualBox |
| 1PM - 2PM | Break | |
| 2PM - 4PM | Lecture | Final Topics, Class Chosen Topic, Completing Final Exercises |
| 4PM - 6PM | Lab | Time for 1:1 questions and assistance on labs and homework |