2-6 May 2016
2-6 May 2016
21 Mar 2016
This is not a beginner’s course!
300 € (no fee for the Sponsoring Nations, Contributing Nations and NATO bodies)
The course will provide deep technical insights for cyber defenders into techniques modern malware uses to exploit vulnerabilities and to intrude into systems.
Based on an introduction into modern OS features and analysis techniques, the use of debuggers as the most important tools for exploit research as well as up-to-date methods for vulnerability detection like fuzzing and code coverage will be discussed and trained.
Once vulnerabilities have been found, there are different approaches to make use of them to exploit a system. The course will start introducing basic exploitation methods like buffer and heap overflow techniques as well as more advanced ideas for both Windows and Linux systems (for the experts: ASLR, SEH/SEHOP, ROP, DEP etc. will be demonstrated and explained). Since system security is mainly based on encryption technologies, modern crypto systems will also be explained – not leaving out aspect of crypto security and how intruders try to break them.
Another important topic in this course is software resilience: malware execution is always based on an unintended program flow redirection. This course will also show how code can be protected from being altered by introducing code morphing and obfuscation techniques. Additionally it is planned to give an overview about virtualisation techniques which on the one hand help re-engineers to analyse malware, as long as the malware is not aware its being executed in a research environment, but on the other hand bears the risk of potential malware escapes from the virtual environments which have been seen before.
Please be advised about the strong technical nature of this course. Assembly level programming knowledge is required as well as operating system details at process/library level on both Windows and Linux systems. Therefore the target audience is exclusively technical staff of CERTs/CIRTs or other governmental/military entities being involved in technical IT security or cyber defence. English language skill comparable to STANAG 6001, 126.96.36.199. is required.
Note that we most strongly discourage the participation of students who do not fulfil aforementioned prerequisites since the course contains advanced lab sessions assuming this knowledge. Therefore the presence of unskilled attendants in the audience is likely to hinder the overall progress of the course.