The following is a brief overview of the courses I regularly teach at TUM. Note
re usually run each semester,
bx2 is taught irregularly
in random intervals (mostly due to lack of qualified participants).
Exploiting binaries is the process of locating vulnerabilities in compiled programs that can be used to execute arbitrary code in the context (i.e. with the same privileges) of the attacked program.
This course teaches participants the concepts of binary exploitation on modern
Linux systems. It is meant to be an in-depth course where students get familiar
with topics like code generation (compiling), static and dynamic linking, the
ld, static analysis of the
ELF file format, and dynamic
analysis using the GNU debugger
gdb. Participants learn to recognize common
security flaws in programs and learn how to escalate mistakes introduced
by the author of a vulnerable program to gain arbitrary code execution. At the
same time, participants are introduced to anti-exploitation mechanisms as
deployed in current Linux distributions such as
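Two of the topics listed above, static analysis of the ELF file format and the anti-exploitation mechanisms shipped by current distributions, meet in the kind of check a defender runs before deploying a binary. The following is an added example and not material from the course: a minimal checksec-style parser for little-endian ELF64 files that reads the ELF header and program headers to report whether a binary is position independent (e_type == ET_DYN), has a non-executable stack (a PT_GNU_STACK segment without the PF_X flag) and carries a RELRO segment (PT_GNU_RELRO). The helper build_sample_elf and the sample bytes it produces are constructed here for demonstration; the constants are the standard values from the ELF specification.

```python
"""Minimal ELF64 hardening check (checksec-style); added example, not course code."""
import struct
import sys
from dataclasses import dataclass

# Standard ELF constants (from the ELF specification and the GNU ABI extensions)
ET_EXEC = 2            # fixed-address executable
ET_DYN = 3             # position-independent executable or shared object
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

EHDR_SIZE = 64         # sizeof(Elf64_Ehdr)
PHDR_SIZE = 56         # sizeof(Elf64_Phdr)


@dataclass
class ElfHardening:
    pie: bool    # ET_DYN; note that shared libraries also report True
    nx: bool     # PT_GNU_STACK present and not executable
    relro: bool  # PT_GNU_RELRO present (partial RELRO; full RELRO also needs DT_BIND_NOW)


def parse_elf64_hardening(data: bytes) -> ElfHardening:
    """Parse the ELF header and program headers of a little-endian ELF64 image."""
    if len(data) < EHDR_SIZE or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:            # EI_CLASS: 2 == ELFCLASS64
        raise ValueError("only ELF64 is supported")
    if data[5] != 1:            # EI_DATA: 1 == ELFDATA2LSB
        raise ValueError("only little-endian ELF is supported")

    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    if e_phentsize < 8:
        raise ValueError("implausible e_phentsize")

    # Without a PT_GNU_STACK header the Linux loader historically grants an
    # executable stack, so "no header" is reported as "no NX".
    nx = False
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(data):
            raise ValueError("program header table runs past end of file")
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return ElfHardening(pie=(e_type == ET_DYN), nx=nx, relro=relro)


def build_sample_elf(pie: bool, nx: bool, relro: bool) -> bytes:
    """Construct a header-only ELF64 image with the requested properties (test data)."""
    phdrs = [struct.pack("<IIQQQQQQ", PT_LOAD, PF_R | PF_X, 0, 0, 0, 0x1000, 0x1000, 0x1000)]
    stack_flags = (PF_R | PF_W) if nx else (PF_R | PF_W | PF_X)
    phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LSB, version 1, SysV ABI
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC,  # e_type
        62,                          # e_machine: EM_X86_64
        1,                           # e_version
        0x1000,                      # e_entry
        EHDR_SIZE,                   # e_phoff: program headers follow the ELF header
        0, 0,                        # e_shoff, e_flags
        EHDR_SIZE, PHDR_SIZE, len(phdrs),
        64, 0, 0,                    # e_shentsize, e_shnum, e_shstrndx
    )
    return ehdr + b"".join(phdrs)


def describe(h: ElfHardening) -> str:
    return "PIE: %s  NX: %s  RELRO: %s" % tuple("yes" if v else "no" for v in (h.pie, h.nx, h.relro))


if __name__ == "__main__":
    # Usage: python elfcheck.py /path/to/binary
    with open(sys.argv[1], "rb") as fh:
        print(describe(parse_elf64_hardening(fh.read())))
```

The check is deliberately limited to what the header tables expose: stack canaries and full RELRO live in the symbol and dynamic sections and would need a section or dynamic-table parser on top of this.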
Note that this practical course deals with exploitation of modern Linux systems.
This means that we explicitly target the
which is very poorly covered by literature. Participants regularly invest 20 -
30 hours per week to solve the assignments (depending on their previous
knowledge). A very good understanding of the
C programming language
is required, as is knowledge about operating systems. The recommended language
to code exploits in is
The course is organized similar to Capture-the-Flag contests. Participants get
access to the game network where they are to attack prepared machines
Hacky). To prove their success, they need to retrieve flags from the
vulnerable machines and submit them to our public
This is an advanced course. It is highly recommended to attend
bx1 before considering participation in this course.
In this practical course students deepen their understanding of binary
exploitation. As a sequel to
bx1 we shift our attention towards the following
After mastering this course, students are able to understand and mitigate advanced attack methodologies on state-of-the-art software systems that were observed in contemporary hacks/malware.
Reverse engineering is a critical set of techniques and tools for understanding what software is really all about. Formally it is "the process of analyzing a subject system to identify the system's components and their interrelationships and to create representations of the system in another form or at a higher level of abstraction" (IEEE 1990). [...] The techniques of analysis, and the application of automated tools for software examination, give us a reasonable way to comprehend the complexity of the software and to uncover its truth.
Reverse engineering is a discovery process. When we take a fresh look at code, whether developed by ourselves or others, we examine and we learn and we see things we may not expect.
Foreword in: Eldad Eilam. Reversing: Secrets of Reverse Engineering. John Wiley & Sons. 2005.
The craft of reverse engineering is a discipline that requires knowledge from multiple domains:
The purpose of this seminar is to teach participants principles of reverse engineering. Students make themselves familiar with common reverse engineering techniques before diving into more advanced topics covered by current research literature. Participants write a scientific paper summarizing a given scientific article, and most commonly try to re-evaluate the discussed ideas and concepts.
The seminar itself is organized like a small-scale scientific conference: Each participant submits a paper draft that is then being peer-reviewed by other students and the supervisor. After addressing review comments, students polish up the final version and present their work in class.
I'm running a public scoreboard where students can solve challenges to show off their reversing skills on challs.kirschju.re. At the same time, the scoreboard archives all challenges that interested candidates had to solve to qualify for participation in the seminar in past semesters. Send me a (preferably PGP encrypted) e-mail if you want to get access.