Practical ARM Exploitation: A New Training

Posted on January 12, 2012 by



So….we heard Dino & Alex and Aaron & Zef were doing some blingin new trainings. So we felt we had to keep up with the rest of the New York Krew and do one….Ok, not really.

We (the two Stephens) have spent a bunch of head-down time recently doing embedded research (as we mentioned in the last post). In fact, in our “Hardware  Hacking For Software People” talk, we ended with a demo of a neat crash/bug found in a VERY popular cable modem. “But what about exploitation of that bug?”. This is the question we kept getting. Well, we honestly hadn’t done much of  that at the time last year. But that has all changed, and we’ve collected all of our notes on embedded exploitation (specifically on the ARM architecture), added some additional research and developed a course! We are proud to announce the public release the course  we’ve developed entitled “Practical ARM Exploitation”.

A New Course:

The purpose of the course is to introduce students with prior basic exploitation experience (on other architectures) to “real world” exploitation scenarios on the ARM processor architecture. The reality is that exploitation these days is harder and a bit more nuanced than it was in the past with the advent of protection mechanisms like XN, ASLR, stack cookies, etc. As such, this course is called “practical” because it aims to teach exploitation on ARM under the real-world circumstances (with all these protection mechanisms) that the exploit developer will encounter and have to circumvent. The course materials focus on advanced exploitation topics using Linux as the target platform running on the ARM architecture. The goal here is to use Linux as a platform for circumventing “advanced protections” while also teaching about the ARM architecture itself,  although there is obvious application for these techniques against platforms running on mobile phones, tablets, net-books, embedded devices, etc.

Our hope is that students with some previous exploitation experience go from knowing nothing about ARM on the first day to exploiting custom heap implementation (bypassing ASLR, NX) using their hand-built ROP connect-back-shell payload on the the last day.
The course contains the following:

  • 650+ slides across 12 decks
  • 17 lab exercises (ranging from code auditing and simple stack overflows to advanced heap exploitation and application specific exploitation)
  • some “CTF style” exploitation challenges
  • 80+ page printed/bound/laminated lab manual with comprehensive notes including: architecture quick reference, ARM GDB and IDA ‘gotchas’, et al
  • …and maybe some exploitation exercises running on real ARM hardware (instead of in QEmu which is where we do everything for the course)

We are proud to also announce that we will be publicly debuting the course at CanSecWest in Vancouver in March of 2012. This thang was a lotta work so we are really excited to be giving this course and we look forward to meeting and talking with folks who are also interested in this stuff.

As a teaser for the course, we’ve cut out the “Cliff’s Notes” reference section from our much larger Lab Manual and are giving it away as a free piece of reference material (for that directory you keep full of notes, slides, and presentations ;-). Enjoy.

If you want to learn a bit more about the layout of the course, you can read our Syllabus which has a brief description of every Lab exercise and Slide deck. If you are curious about if you are right for the course the Syllabus also includes a short blurb about prerequisite skills and what you should bring if you decide to take it.

Anyway, thats it, we’re really excited and look forward to seeing you there! Feel free to post any questions about the course as comments below.

Syllabus, “Who Should Take This Course” and “What to bring if you do”

Free Give Away!: Lab Manual Sample: ARM Architecture Reference