Assured Exploitation training course at CanSecWest

Feb 17, 2010

Dino Dai Zovi and I are going to teach a two-day training course at the CanSecWest conference in March of this year. Our course is titled Assured Exploitation and will focus on the advanced exploitation techniques required for developing state-of-the-art exploits for Vista and Windows 7 systems.

Why do we feel that this course is necessary? Many security professionals have mastered stack overflows and heap spraying, but these techniques are no longer sufficient for developing exploits in 2010. Reliable exploitation on Vista and Windows 7 requires advanced techniques such as heap layout manipulation, return oriented programming and ASLR information leaks. In addition, robust exploitation necessitates repairing the heap and continuing execution without crashing the process. The goal of our Assured Exploitation course is to teach the principles behind these advanced techniques and give the students hands-on experience developing real-world exploits.

Here is a list of the topics that we intend to cover:

  • in-depth review of GS, ASLR, DEP, SafeSEH and SEHOP exploitation mitigations
  • heap implementation details and manipulation of the heap state (including Windows 7)
  • building primitives for heap layout control in new applications
  • bypassing ASLR through memory disclosure
  • browser plugin exploitation in Internet Explorer, Firefox and Chrome
  • return oriented programming and shellcode development
  • repairing the heap and achieving continuation of process execution after the payload is executed

The training will be based on a series of hands-on exercises that will incrementally guide the students through building their own exploits for the recent Aurora vulnerability, with capabilities far exceeding those of the publicly available samples. At the end of the course, the students will have the skills to reliably exploit Internet Explorer 8 on Windows 7 with both ASLR and DEP enabled.

To register for the course, please visit the CanSecWest website. We encourage you to register early because the class size is limited and prices are going up next month.