Patch Diffing In The Dark: CVE guided VR

Overview

This four-day, fast-paced course is designed to take you from a surface-level understanding of vulnerabilities to a deep dive into their root causes. Taught by security researcher John McIntosh, the training focuses on binary patch diffing, a critical skill for reverse engineering and vulnerability research. You'll learn how to analyze real-world CVEs (Common Vulnerabilities and Exposures) on Windows using open-source tools like Ghidra, and move from identifying security changes to understanding what makes them exploitable.

Highlights

💡 What You'll Learn

The training focuses on the three fundamental pillars of vulnerability research:

  1. Vulnerability Discovery: Find insecure code paths.
  2. Vulnerability Analysis: Understand the root cause of the issue.
  3. Exploit Development: Create proof-of-concept (POC) exploits.

By using CVEs as a "north star," you'll follow a step-by-step methodology to uncover, analyze, and exploit vulnerabilities. The course uses free tools like the Ghidra SRE framework and BinDiff, showing that you already have the information and tools needed to get started.

Key Learning Objectives

  • CVE Analysis: Learn to analyze CVEs to understand their impact and exploitability.
  • Patch Diffing: Master the fundamentals of binary patch diffing for vulnerability research.
  • Binary Analysis: Gain skills in analyzing binary files to understand their structure and behavior.
  • Identifying Vulnerabilities: Develop the ability to spot potential vulnerabilities through comparative analysis.
  • Reverse Engineering Techniques: Acquire new static and dynamic analysis techniques for reverse engineering binaries.
  • Exploit Development: Understand the principles of creating exploits based on discovered vulnerabilities.
  • SRE Tool Utilization: Become proficient in using open-source tools that assist in patch diffing and vulnerability discovery.

Practical Exercises

The training emphasizes hands-on experience through practical exercises.

  • Patch Diffing and Root Cause Analysis: Use Ghidra's Patch Diffing to compare Windows binaries, identify changes, and perform a root cause analysis of real-world CVEs.
  • Combined Static and Dynamic Analysis: Use static analysis to locate problematic code and dynamic analysis with debuggers to investigate CVEs and verify root causes.
  • Building Exploit Proofs of Concept (POCs): Develop exploit POCs to demonstrate vulnerabilities. You'll learn to leverage public resources and even AI to accelerate POC development.

Class Outline

Part 1 - Vulnerability Discovery - Static

This section introduces the core tools and techniques for static analysis. You'll learn how to use Ghidra to reverse engineer Windows binaries and perform patch diffing to pinpoint areas of insecure code.

  • Introduction: Cover binary diffing use cases, the concept of "seeking binary truth," and an overview of CVEs, tools, and datasets.
  • Reverse Engineering Windows Binaries: Get a primer on Ghidra for Windows and learn how to leverage custom data types.
  • Patch Diffing: Dive into diffing tools like Ghidra's Version Tracking and BinDiff, learn the workflow, and interpret results.
  • Vulnerability Analysis - Static: Discover vulnerable code paths and identify vulnerabilities, including using Ghidra scripting for Version Tracking analysis.

Part 2 - Vulnerability Analysis - Dynamic

This part focuses on using dynamic analysis to find the root cause of a vulnerability.

  • Setting up the Dynamic Environment: Learn how to quickly build test environments and install necessary tools like Sysinternals and WinDbg.
  • Vulnerability Classes: Understand modern vulnerability classes (UAF, info leak, heap overflow, etc.) and learn to recognize them in real-world software.
  • Vulnerability Analysis - Dynamic: Transition from static to dynamic analysis, efficiently use a debugger, and control program state to reach vulnerable code.

Part 3 - Exploit Development - Attacking Windows Services

You'll reverse engineer several CVEs in Windows services and create POCs that trigger the vulnerable paths.

  • Reverse Engineer the CVE: Research the vulnerable service, build a test dynamic environment, and learn Visual Studio basics to create POCs.
  • Patch Diff in the Light: Leverage public code, existing POCs, and even AI to accelerate the development process for various vulnerability classes.

Part 4 - Putting it All Together

The final day is dedicated to a practical project to solidify the concepts learned throughout the course.

  • Final Project: Apply your skills with several patch diffing challenges validated by a live course CTF server.
  • Windows: Zero to Hero: A comprehensive exercise to identify, research, analyze, and root-cause a vulnerability, then develop an exploit trigger POC.
  • Grab Bag CVEs: If time permits, the instructor will lead a walkthrough of live patch diffs on preselected or student-suggested CVEs.

Logistics

💻 Hardware/Software Requirements

  • A 64-bit i7+ laptop with 16GB+ RAM.
  • 60 GB of available disk space.
  • The ability to run an Intel-based VM, similar to those provided by Microsoft, using VMware.

✅ Prerequisites

This is an intermediate course, but beginners with a strong drive are welcome. You should have:

  • Basic knowledge of vulnerabilities or CVEs.
  • A foundational grasp of cybersecurity principles.
  • An introductory understanding of assembly language or familiarity with C programming.
  • No prior experience with Ghidra is required.

🎁 What Students Will Be Provided With

  • Course slides and training materials.
  • Virtual machines with all the labs pre-configured.
  • Resources for further learning.
  • Access to the course CTF server during and after the course.
  • Access to the instructor(s) via Discord for ongoing support.

Who is This Course For

This training is ideal for:

  • Cybersecurity professionals looking to advance their reverse engineering skills to mitigate risk and evaluate recent CVEs.
  • Vulnerability researchers who want to learn a practical technique for vulnerability discovery and go beyond just understanding what others have found.
  • Reverse engineers who want to learn how operating system security is compromised.

Upcoming Courses

  • 📅 Browse Upcoming Events: find the next in-person or virtual session that fits your schedule.