The following is a brief overview of the courses I regularly teach at TUM. Note that while bx1 and re usually run each semester, bx2 is taught irregularly, at random intervals (mostly due to a lack of qualified participants).

Binary Exploitation

BX1 | IN2106, IN0012, IN4120 | 6 SWS | 10 ECTS | Summer, Winter

Exploiting binaries is the process of locating vulnerabilities in compiled programs that can be used to execute arbitrary code in the context (i.e. with the same privileges) of the attacked program.

This course teaches participants the concepts of binary exploitation on modern Linux systems. It is meant to be an in-depth course where students get familiar with topics like code generation (compiling), static and dynamic linking, the dynamic loader ld, static analysis of the ELF file format, and dynamic analysis using the GNU debugger gdb. Participants learn to recognize common security flaws in programs and learn how to escalate mistakes introduced by the author of a vulnerable program to gain arbitrary code execution. At the same time, participants are introduced to anti-exploitation mechanisms as deployed in current Linux distributions, such as W^X, SSP, ASLR, and PIE.

Note that this practical course deals with the exploitation of modern Linux systems. This means that we explicitly target the x86-64 architecture, which is very poorly covered by the literature. Participants regularly invest 20-30 hours per week to solve the assignments (depending on their previous knowledge). A very good understanding of the C programming language is required, as is knowledge about operating systems. The recommended language for writing exploits is python3.

The course is organized similarly to Capture-the-Flag contests. Participants get access to the game network where they attack prepared machines (Hacky[123]). To prove their success, they need to retrieve flags from the vulnerable machines and submit them to our public scoreboard.


Advanced Binary Exploitation

BX2 | IN2106, IN0012, IN4120 | 6 SWS | 10 ECTS | Irregularly

This is an advanced course. It is highly recommended to attend bx1 before considering participation in this course.

In this practical course students deepen their understanding of binary exploitation. As a sequel to bx1 we shift our attention towards the following topics:

After mastering this course, students are able to understand and mitigate advanced attack methodologies against state-of-the-art software systems, as observed in contemporary hacks and malware.


Reverse Engineering

RE | IN2107, IN0014, IN4708 | 2 SWS | 4 ECTS | Summer, Winter

Reverse engineering is a critical set of techniques and tools for understanding what software is really all about. Formally it is "the process of analyzing a subject system to identify the system's components and their interrelationships and to create representations of the system in another form or at a higher level of abstraction" (IEEE 1990). [...] The techniques of analysis, and the application of automated tools for software examination, give us a reasonable way to comprehend the complexity of the software and to uncover its truth.

[...]

Reverse engineering is a discovery process. When we take a fresh look at code, whether developed by ourselves or others, we examine and we learn and we see things we may not expect.

—Elliot Chikofsky
Foreword in: Eldad Eilam. Reversing: Secrets of Reverse Engineering. John Wiley & Sons. 2005.

The craft of reverse engineering is a discipline that requires knowledge from multiple domains:

The purpose of this seminar is to teach participants principles of reverse engineering. Students make themselves familiar with common reverse engineering techniques before diving into more advanced topics covered by current research literature. Participants write a scientific paper summarizing a given scientific article, and most commonly try to re-evaluate the discussed ideas and concepts.

The seminar itself is organized like a small-scale scientific conference: each participant submits a paper draft that is then peer-reviewed by other students and the supervisor. After addressing the review comments, students polish the final version and present their work in class.

Challenge accepted?

I'm running a public scoreboard at challs.kirschju.re where students can solve challenges to show off their reversing skills. At the same time, the scoreboard archives all challenges that interested candidates had to solve in past semesters to qualify for participation in the seminar. Send me a (preferably PGP-encrypted) e-mail if you want to get access.