- Reverse me if you CAN - by Anthony Rullier
- Scapy hands-on - by Guillaume Valadon
- Java is AppSec404 - by Ivan Iushkevich
- Fuzzing 101 - by Diane Dubois
- Introduction to Vulnerability Detection with CodeQL - by Alvaro Muñoz
Reverse me if you CAN - by Anthony Rullier @DeadEert
This workshop teaches how to reverse engineer an ECU firmware with a strong focus on the CAN layer. ECU stands for Electronic Control Unit. It is a complex electronic device that supports and ensures critical functionalities in a vehicle's engine, such as air–fuel mixture, ignition timing, or idle speed. To properly support these functionalities, an ECU must communicate with other ECUs embedded in the car using various connectivity protocols built on top of different physical layers. To this day, and in spite of emerging newcomer protocols and related layers, CAN is still the de facto standard when it comes to ECU inter-communication. By mixing theory and practice, this workshop can appeal to both beginners and well-seasoned reversers wishing to sharpen their skills on new platforms and environments.
Requirements: a background in reverse engineering is preferable; no introduction to assembly will be given.
Scapy hands-on - by Guillaume Valadon @guedou
Scapy (http://www.secdev.org/projects/scapy & https://github.com/secdev/scapy) is a powerful Python-based interactive packet manipulation program and library. It can be used to forge or decode packets for a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.
This workshop will describe its main features step by step, and will let you explore the following topics:
- packet manipulation
- sending & receiving packets
- IPv6 and TLS support
- implementing a new protocol
- answering machines
Requirements: a laptop running Linux (native or virtualized) and a fresh Scapy install from GitHub
Java is AppSec404 - by Ivan Iushkevich @w34kp455
After passing all the qualifying tests and getting the desired position in the AppSec404 company, you can finally start the real tasks. The company recently decided to launch a new project in Java. For this, AppSec404 hired a new development team. However, before allowing them to work on the new project, according to company policy, each developer must take a course on the OWASP Top 10 vulnerabilities and, as a test task, implement several simple but necessary small projects. You are instructed to review the developed tasks, find vulnerabilities in them, and assess whether each developer has learned the material well. After reviewing all the documents and the implementation of the task, each developer will be allowed to work on the new project. We promise that no penalties will be applied. This check is needed to ensure that the new, promising project will not contain vulnerabilities, or at least not as many as usual. So don't let us down. We wish you good luck; take this task with the utmost responsibility, because the product's future and your promotion depend on it.
Requirement: Computer with internet access
Fuzzing 101 - by Diane Dubois @0xdidu
During this workshop you will learn multiple things:
- General knowledge on fuzzing: Know the basic concepts to get started and be able to later understand the material on fuzzing (conferences, papers…). Targets: C code, C++ code, x86
- Methodology to approach vulnerability research through fuzzing: Be able to reason later about fuzzing with different setups (sources, closed-source, …)
- Hands-on experience on vulnerable binary / C code: Demystifying fuzzing and getting comfortable fuzzing / writing a fuzzer with hands-on labs. Target: C code / binary
- Some prior knowledge of C or C++ will be useful for the second hands-on lab
- Prior experience in reverse engineering will also be a plus (it is not a prerequisite) to help understand the parts on black-box fuzzing (fuzzing closed-source binaries), but there will be no hands-on lab on that
Requirements: On a Debian/Ubuntu machine, install the AFL++ and Clang packages: sudo apt-get install afl++ clang. More instructions here: Fuzzing 101 - Step by step setup instructions
Introduction to Vulnerability Detection with CodeQL - by Alvaro Muñoz
CodeQL is commonly used to detect known vulnerability patterns and their associated variants in code. CodeQL queries are usually written to find very specific vulnerabilities for variant analysis purposes and are often integrated into CI/CD pipelines to automatically detect bugs. However, CodeQL can also serve as an interactive SAST Swiss army knife to support more general code auditing workflows. Since CodeQL makes a program’s AST and dataflows queryable, it has the ability to effectively answer many of the general questions that commonly arise when auditing code, such as “which APIs are tainted by user-controlled input?”, “what is the attack surface of the application?” and “which parts of the code have a high bug density?”. In this workshop, Alvaro Muñoz of the GitHub Security Lab will demonstrate practical CodeQL auditing workflows he used to find 10+ CVEs in Apache Dubbo and that will enhance your ability to efficiently explore new attack surfaces.
Workshop material can be found here: https://github.com/pwntester/codeql_grehack_workshop