This 4 day course is designed to provide students with both an overview of the current state of the browser attack surface and an in-depth understanding of advanced vulnerability and exploitation topics. Attendees will be immersed in hands-on exercises that impart valuable skills including static and dynamic reverse engineering, zero-day vulnerability discovery, and advanced exploitation of widely deployed browsers such as Google Chrome.

Taught by Senior members of the Exodus Intelligence Browser Research Team, this course provides students with direct access to our renowned professionals in a setting conducive to individual interactions.

Emphasis

Hands on with privilege escalation techniques within the JavaScript implementations, JIT optimizers and rendering components.

Prerequisites

• Computer with the ability to run a VirtualBox image (x64, recommended 8GB+ memory)
• Prior experience in vulnerability research, but not necessarily with browsers.

Course Information

Attendance will be limited to 18 students per course.

Cost: $5000 USD per attendee

Dates:  July 15 – 18, 2024

Location:  Washington, D.C.

Syllabus

• JavaScript Crash Course
• Browsers Overview
  • Architecture
  • Renderer
  • Sandbox
• Deep Dive into JavaScript Engines and JIT Compilation
  • Detailed understanding of JavaScript engines and JIT compilation
  • Differences between major JavaScript engines (V8, SpiderMonkey, JavaScriptCore)
• Introduction to Browser Exploitation
  • Technical aspects and techniques of browser exploitation
  • Focus on JavaScript engine and JIT vulnerabilities
• Chrome ArrayShift case study
• JIT Compilers in depth
  • Chrome/V8 Turbofan
  • Firefox/SpiderMonkey Ion
  • Safari/JavaScriptCore DFG/FTL
• Types of Arrays
• v8 case study
  • Object in-memory layout
  • Garbage collection
• Running shellcode
  • Common avenues
  • Mitigations
• Browser Fuzzing and Bug Hunting
  • Introduction to fuzzing
  • Pros and cons of fuzzing
  • Fuzzing techniques for browsers
  • “Smarter” fuzzing
• Current landscape
• Hands-on exercises throughout the course
  • Understanding the environment and getting up to speed
  • Analysis and exploitation of a vulnerability

This 4 day course is designed to provide students with both an overview of the Android attack surface and an in-depth understanding of advanced vulnerability and exploitation topics. Attendees will be immersed in hands-on exercises that impart valuable skills including static and dynamic reverse engineering, zero-day vulnerability discovery, binary instrumentation, and advanced exploitation of widely deployed mobile platforms.

Taught by Senior members of the Exodus Intelligence Mobile Research Team, this course provides students with direct access to our renowned professionals in a setting conducive to individual interactions.

Emphasis

Hands on with privilege escalation techniques within the Android Kernel, mitigations and execution migration issues with a focus on MediaTek chipsets.

Prerequisites

• Computer with the ability to run a VirtualBox image (x64, recommended 8GB+ memory)
• Some familiarity with: IDA Pro, Python, C/C++.
• ARM assembly fluency strongly recommended.
• Installed and usable copy of IDA Pro 6.1+, VirtualBox, Python.

Course Information

Attendance will be limited to 12 students per course.

Cost: $5000 USD per attendee

Dates:  July 15 – 18, 2024

Location:  Washington, D.C.

Syllabus

Android Kernel

• Process Management
  • Important structures
  • Memory Management
• Kernel Synchronization
• Memory Management
  • Virtual memory
  • Memory allocators
• Debugging Environment
  • Build the kernel
  • Boot and Root the kernel
  • Kernel debugging
• Samsung Knox/RKP
• SELinux
• Type of kernel vulnerabilities
  • Exploitation primitives
  • Kernel vulnerabilities overview
  • Heap overflows, use-after-free, info leakage
• Double-free vulnerability (radio)
  
  • Exploitation – convert the double free into a use-after-free of a struct page
• Double-free vulnerability (untrusted_app)
  • Vulnerability overview
  • Technique 1: type confusion to obtain write access to globally shared memory
  • Technique 2: UaF that can lead to arbitrary RW in kernel memory

Mediatek / Exynos baseband

• Introduction
  • Exynos baseband overview
  • Mediatek baseband overview
• Environment
• Previous research
• Analysis of the modem
• Emulation / Fuzzing
• Rogue base station
• Secure boot
• Mediatek boot rom vulnerability
  • Vulnerability overview
  • Exploitation
  • Using brom exploit to patch the tee
• Baseband debugger
  • Write the modem physical memory from EL1

This course introduces vulnerability analysis and research with a focus on Ndays. We start with understanding security risks and discuss industry-standard metrics such as CVSS, CWE, and Mitre Attack. Next, we explore the outcome of what a detailed analysis of a CVE contains including vulnerability types, attack vectors, source and binary code analysis, exploitation, and detection and mitigation guidance. In particular, we shall discuss how the efficacy of high-fidelity detection schemes is predicated on gaining a thorough understanding of the vulnerability and exploitation avenues.

Next, we look at the basics of reversing by introducing tools such as debuggers and disassemblers. We look at various bug classes and talk about determining risk just from the title and metadata of a CVE. It will be noted that predicting the severity and exploitability of a vulnerability requires knowledge about the common bug classes and exploitation techniques. To this end, we shall perform deep-dive analyses of a few CVEs that cover different bug classes such as command injection, insecure deserialization, SQL injection, stack- and heap buffer overflows, and other memory corruption vulnerabilities.

Towards the end of the training, the attendee can expect to gain familiarity with several vulnerability types, research tools, and be aware of utility and limitations of detection schemes.

Emphasis

To prepare the student to fully defend the modern enterprise by being aware and equipped to assess the impact of vulnerabilities across the breadth of the application space.

Prerequisites

• Computer with ability to run a virtual machines (recommended 16GB+ memory)
• Some familiarity with debuggers, Python, C/C++, x86 ASM. IDA Pro or Ghidra experience a plus.

**No prior vulnerability discovery experience is necessary

Course Information

Attendance will be limited to 25 students per course.

Cost: $4000 USD per attendee

Dates:  July 9 – 12, 2024

Location:  Washington, D.C.

Syllabus

Vulnerability and risk assessment

• Nday risk and patching timelines
• Vulnerability terminology: CVE, CVSS, CWE, Mitre Attack, Impact, Category
• Risk assessment
• Vulnerability mitigation

Binary and code analysis

• Reverse engineering tools such as debuggers, disassemblers
• Deep dive into command injection, SQL injection, insecure deserialization with case studies and hands-on practical.
• Deep dive into buffer overflow and other memory corruption vulnerabilities with case studies and hands-on practical.

Analysis Enrichment

• Qualitative risk assessment
• Patch analysis
• Understanding mitigation techniques
• Writing detection guidance