YaK:: WebLog #535 Topic : 2007-01-02 22.47.42 matt : automated code analysis audience prep (updated) | [Changes] [Calendar] [Search] [Index] [PhotoTags] |
[Back to weblog: pretention] |
The current upcoming classes are at RSA 2007 and BlackHat Europe 2007 . There was also a talk on the subject at the Chaos Computer Congress in Germany.
The class has been retooled from when we gave it at BlackHat USA in 2006, based upon feedback from students. We now use several open source binary code analyzers for our examples, including findbugs and bugreport , among others. There is less material on the coding process for a given piece of analysis and more material on theory and explanation of existing implementation, mainly for pacing reasons. We have also enhanced our slides and presentation with more diagrams and detail.
On the static analysis side, there are just a few papers that I recommend:
Buffer Overrun Detection. Has a great discussion of finding exploits in wuftpd and introduces the idea of constraints.
Finding Security Vulnerabilities in Java Applications with Static Analysis
A paper with some background on the inner workings of findbugs. We use the source code of findbugs as the implementation example in the class. We go over it in a very comprehensive manner, but reading this paper beforehand may be helpful.
These are pretty accessible and practical for academic papers, and they will both provide a good context for the static analysis portions BlackHat class and Defcon talk. If you don't grok it all at first, just having the conceptual seeds planted will help prepare you for the class and/or talk. The first is based in C, the second in Java. A lot of people think that analyzing native x86 binaries and Java bytecode binaries are amazingly different -- they actually aren't. We'll get into that in the BlackHat class, but probably not too much in the Defcon talk due to time constraints. Note that none of the details in the classes or talks are proprietary in any way, every concept discussed will be attributed to their public sources, most of which are the links above.
Luis Miras wrote illustrative code in C# for the BlackHat class and Defcon talks, completely clean-room separated from me for legal and personal reasons. I've been having him go through a kind of C# and Test-Driven Development crash course similar to the one I've used successfully with several teams and individuals over the last few years. Going through some of the materials below will also help prepare the attendees of these events to participate in optional programming material more effectively, if they choose to do so. Don't be scared off -- it's suggested reading for attendance, only required to participate in optional programming. Knowledge of C# is *NOT* required for the class.
Pragmatic Unit Testing in C# (p1-70)
and if you get through those,
CLR via C#, 2nd Edition (pages 3-32, 97-238, 285-386)
The code examples all appear to all work with mono 1.2.x and SharpDevelop 2.1 as well as Visual Studio .NET and Microsoft .NET, so no whining. ;>
Discussion:showing all 0 messages |
(No messages) |
(last modified 2007-01-03) [Login] |