Training Objectives:
- The first class teaches you how to disassemble binaries, read x86-64 assembly language, and debug black-box binaries. This is the fundamental skill required to learn reverse engineering and vulnerability exploitation, and reverse engineering is in turn a fundamental skill for malware analysis and vulnerability hunting. One of our training objectives is to start you down a learning path that can help you work in those professions.
- The first class also includes a *major* hands-on reverse engineering exercise (which can take anywhere from 2 hours to 2 weeks!) that has been shared the world over with thousands of students. This gives you something substantive to chew on to really reinforce your understanding of, and ability to read, assembly.
- The second class teaches you about the fundamental hardware mechanisms which all operating systems, virtualization systems, and firmware *must* interact with in order to run successfully on x86 hardware. This is taught in a *mostly* OS-agnostic way, focusing on Intel-isms rather than OS-isms (albeit using Windows as reinforcement, thanks to its excellent kernel-level debugging support). It is meant to prepare you for future OS-specific classes and firmware classes.
- The third class is designed to give you all the background you need to understand how x86 reset vector firmware (aka BIOS) works, and to then be able to read and understand the existing attack and defense research in the space.
- All these classes explicitly "teach you how to fish" by helping you understand the layout of multiple types of Intel manuals, so that you're comfortable exploring them and finding explanations when you eventually run into obscure areas not covered in the classes.
What to Expect?
This class is part of an OpenSecurityTraining2 "All-you-can-learn" buffet. That means you can start at the very beginning, or anywhere in the middle. And if you successfully get through one class, you can move on to the next class in this learning path immediately! We want you to learn as much as you can, as fast as you can handle. So we provide purpose-built recorded lectures instead of trapping you in real time with live lectures. But fear not, the instructor is always right there, eagerly waiting to mingle with the students and answer any questions you have. (The instructor really likes being asked questions. It shows you're paying attention ;)). One of many benefits is that you can watch lectures at 2x speed, zoom ahead of the other students, and get to the hands-on labs quicker. Or if there are bits of material you know you already know, you can just skip them and move on to the bits you know you don't know! Another big benefit is that you get to take the full lectures and labs with you! That means if you forget stuff and then need it in 6 months, you can quickly re-bootstrap yourself! Or you can watch the class twice, to really grow those neural connections and cement it in your brain! And unlike live lectures, our lectures are always getting more factually accurate, because any accidental errors get edited out. Also, this class is fully open source licensed, which means what you're really paying for here is support from the instructor. So by taking this class you're entitled to keep asking up to 20 questions after class. As you (hopefully) continue to take future OST2 classes, you'll get premium support from the instructor. He'll prioritize getting you answers or getting you unstuck from any labs/exercises ASAP so you can keep learning at your own pace.
Section 1 (BASIC)
Key Learning Objectives
- Learn the most common assembly instructions, which cover more than 96% of all code found in most programs [1].
- Learn about the 16 Intel x86-64 general purpose registers + RFLAGS.
- Understand the at-times confusing or counter-intuitive compiler-isms of both Microsoft Visual Studio and GCC which lead to particular patterns in executables' assembly.
- Learn to debug and analyze executables which you don't have the source code for, in both WinDbg and GDB.
- Reverse engineer the black-box Carnegie Mellon "Binary Bomb Lab", which has changed the lives of so many students (the instructor included!).
- Learn how to write C code and disassemble it to see what instructions were generated. But also learn how to write assembly to see how it behaves, or even raw bytes to see how the assembler and processor interpret them.
- Be comfortable with Reading The Fun Manual (RTFM!) to go seek out the most accurate details of how things work.
[1] https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.407.5071&rep=rep1&type=pdf
Section 3 (ADVANCED)
Key Learning Objectives
- Understand the original 16-bit "Real Mode" which the x86 CPU reset vector executes in.
- Understand 16-bit segmentation & assembly.
- Understand the evolution of Intel chipsets, and how to find the manual which corresponds to any given hardware.
- Understand how firmware uses IO to configure Intel and 3rd party hardware at boot time.
- Understand how firmware interacts with PCIe devices at boot time, both within the CPU/chipset, and 3rd party peripherals.
- Understand the core purposes of PCIe Option ROMs, but also how they can be used by attackers.
- Be capable of manually reading/writing the firmware-storage SPI flash through the register interface.
- Understand the protection mechanisms for the SPI flash and how they can be bypassed.
- Understand the protection mechanisms for System Management Mode and how they can be bypassed.
- Understand how Chipsec can be used to assess the security posture of firmware, for both attack and defense.
- Understand how the ACPI S3 "sleep" power state can be used to attack systems.
- Be comfortable with Reading The Fun Manual(!) to go seek out the most accurate details of how things work.
Who Should Attend? | Target Audience:
- People who want to start their journey up the skill tree towards such professions as reverse engineer, malware analyst, vulnerability hunter, security researcher, OS engineer, or systems architect, because OST2 is going to have classes in the future for all of you to just keep climbing.
- People who gain satisfaction from understanding how systems really work at a very deep level.
- People who don't have a lot of free time outside of work, and who thus want to use this time to hunker down and jam through all this material with full instructor support.
What to Bring? | Software and Hardware Requirements:
- A PC with VMware or an x86 Mac with VMware Fusion (the free "Player" versions are fine), capable of running 2 instances of Windows 10 x86-64 simultaneously (mandatory) and optionally 1 instance of Ubuntu Linux 20.04 (if you choose to learn GDB & AT&T assembly syntax).
- Headphones for watching videos (preferably over-ear, so you're not disturbed as the instructor is walking around the class answering individuals' questions).
What to Bring? | Prerequisite Knowledge and Skills:
- For Section 1
- This class requires that you are comfortable reading small (< 20 line) C programs, and have debugged C source code in the past.
- For Section 2
- You should have equivalent knowledge of x86-64 assembly, architecture, and WinDbg to that provided by Section 1.
- For Section 3
- You should have equivalent knowledge of x86-64 assembly & architecture to that provided by Section 1 + 2.
Resources Provided at the Training | Deliverables:
- Instructions on how to set up and test your machine before coming to class
- Access to all Creative-Commons-licensed slides & Mozilla-licensed lab code
- Access to all Creative-Commons-licensed lecture & lab videos!!!
ABOUT THE TRAINERS
Xeno began running Windows kernel-mode rootkit detection and defense research projects at MITRE around 2009, before moving into research on BIOS security around 2011. His team's first public talks started appearing in 2013, which led to a flurry of talks on BIOS-level vulnerabilities up through 2014. In 2015 he co-founded LegbaCore. And after presenting a worm which could spread between machines via Apple's EFI-based BIOS and Thunderbolt Ethernet adapters, he ended up working for Apple. There he worked on securing all the lesser-known firmware on Macs and peripherals, everything from 3rd party GPUs to SecureBoot for monitors! He also worked on the x86 side of the T2 SecureBoot architecture, and his final project was leading the M1 SecureBoot architecture, being directly responsible for designing a system that could provide iOS-level security while still allowing customer choice to trust arbitrary non-Apple code such as Linux bootloaders. He left Apple in Dec 2020 after the M1 Macs shipped, so he could work full time on OpenSecurityTraining2.