The purpose of the course is to introduce students with prior basic exploitation experience (on other architectures) to "real world" exploitation scenarios on the ARM processor architecture. With the advent of protection mechanisms like XN, ASLR, stack cookies, etc., exploitation today is harder and more nuanced than it was in the past. As such, this course is called "practical" because it aims to teach exploitation on ARM under the real-world circumstances in which the exploit developer will encounter (and have to circumvent) these protection mechanisms. The course materials focus on advanced exploitation topics (circumventing protection mechanisms), using Linux as the platform on which to learn the ARM architecture, with the obvious applications being platforms running on mobile phones, tablets, embedded devices, etc.

Our hope is that students with some previous exploitation experience go from knowing nothing about ARM on the first day to exploiting a custom heap implementation (bypassing ASLR and NX) using their hand-built ROP connect-back-shell payload on the last day.

Student Prerequisites

Students taking the “Practical ARM Exploitation” course should have an intermediate software exploitation background on another architecture (such as x86). They should have hands-on familiarity with the following concepts:

  • exploitation of stack overflows
  • exploitation of heap overflows
  • basic experience with IDA
  • basic experience with a debugger
  • cursory knowledge of Python or some equivalent high-level scripting language (Java, Ruby, etc.)
  • C and C++ coding experience

Software Requirements

  • A valid, installed copy of VMware
  • An installed copy of at least IDA Standard
  • An SSH/Telnet client to access the hosted QEMU images

Hardware Requirements

To participate in the hands-on exercises you will need to come with a Windows-based laptop.

  • A laptop (running your favorite OS) capable of connecting to wired and wireless networks.

Course Outline

Laying the Groundwork, with an eye to exploitation (Day 1):

  • Introduction to the ARM Architecture
  • Tools and the Lab Environment
  • Shellcoding, ELFs, Dynamic Linking
  • Stack Overflows

Basic to Intermediate Techniques (Day 2):

  • Stack Overflows and Ret2Libc
  • Advanced Stack Overflows

Intermediate to Advanced Techniques (Day 3):

  • ROP
  • Basic Heaps
  • More Heaps
  • Application Level Heap Attacks

Advanced Techniques (Day 4):

  • ROP
  • Stack Flipping
  • Defeating ASLR
  • Conclusions

About the Instructors

Stephen A. Ridley is Principal Researcher/Consultant at Xipiter. Stephen has over 10 years of experience as a computer security researcher and software developer with a focus on reverse engineering and software exploitation. Stephen has industry experience with a leading information security consulting firm (Matasano Security) where he performed penetration testing and reverse engineering against infrastructures, applications, and customized hardware.

Prior to Matasano, Stephen was a founding member of a research group (called the Security Architecture Group) at McAfee Inc. This group oversaw all McAfee product security and provided developer training, research guidance, and executive support for all of the popular McAfee software security products (enterprise and consumer). Stephen developed and authored the McAfee secure coding guidelines documents, and developed several automated vulnerability discovery techniques which became part of the software release life-cycle for all McAfee software products. Before his work at McAfee, Stephen did software security research, reverse engineering, and software development (specializing in software exploitation) at ManTech International’s Security and Mission Assurance (SMA) division. As an early member of the Computer Forensics and Intrusion Analysis group (a subdivision of ManTech SMA), Stephen performed highly classified work in support of the U.S. Defense and Intelligence communities in the realm of offensive and defensive software security. In addition to the aforementioned professional experience, Stephen A. Ridley has also taught classes on software reverse engineering to many reputable software/information technology companies (Google, Guidance Software, Trend Micro, McAfee, et al.). Stephen has also taught these classes and given guest lectures at non-commercial venues such as the U.S. Department of Defense Cyber Crime Center, the Netherlands Forensic Institute, and New York University.

Stephen is the author of many open source tools, including a fuzzing language (called Ruxxer) popular for its use of “set mathematics” and “combinatorics” to automate fault injection for the purpose of finding vulnerabilities in software.

Stephen Lawler is the Founder and President of a small computer software and security consulting firm. Mr. Lawler has been actively working in information security for over 7 years, primarily in reverse engineering, malware analysis, and exploit development. While working at Mandiant he was a principal malware analyst for high-profile computer intrusions affecting several Fortune 100 companies. Prior to this, as a founding member of ManTech International’s Security and Mission Assurance (SMA) division, he discovered numerous “0-day” vulnerabilities in COTS software and pioneered several exploitation techniques that have only recently been published.

Prior to his work at ManTech, Stephen Lawler was the lead developer for the AWESIM sonar simulator as part of the US Navy SMMTT program. Stephen is also the technical editor of a malware analysis book currently under development by No Starch Press.