Today's world of mobile devices is mostly dominated by ARM-based systems. While many of these devices still run on 32-bit ARM CPU cores, the more power-hungry applications have meanwhile all moved over to 64-bit ARMv8/ARM64 CPU cores. For software reverse engineers and exploit developers this means they have to learn yet another CPU architecture, because the 64-bit mode (AArch64) of these CPUs is like a completely new architecture and requires them to learn a completely new instruction set called A64.

Our newly designed course begins with an introduction to the ARM64 architecture and its new A64 instruction set. The trainees will learn to understand and reverse engineer snippets of ARM64 assembly. The course then moves on to the exploitation of vulnerabilities. Trainees will learn about ARM64 stack buffer overflows and return oriented programming, the differences between Android/Linux and iOS, and the training will end with heap exploitation topics.

The hands-on tasks of this training will be executed on a mixture of emulated ARM64 devices, actual Android and iOS devices and ODROID-C2 devices running Linux. Trainees will each take home an ODROID-C2 ARM64 device.

The goal of this training is to enable you to understand the ARM64 architecture, understand the A64 assembly language and write exploits for a variety of ARM64 Android/Linux/iOS targets.

Student Prerequisites

  • the training is for intermediate students who have had prior exposure to exploitation
  • capable of performing basic tasks within the OS they bring
  • capable of operating the command line of their OS
  • capable of using the VMware virtualization software to run a virtual machine provided by the trainer
  • knowledge of basic shell scripting, Python and the C programming language
  • knowledge of at least one non-ARM64 assembly language (e.g. ARM, x86, x86_64)

Software Requirements

  • ARM64 disassembler (e.g. IDA Pro 6.x with ARM64 support, Hopper, Binary Ninja)
  • Linux / Windows / Mac OS X desktop operating systems
  • MANDATORY: VMware Player / VMware Workstation / VMware Fusion (installed and tested)
  • MANDATORY: Students require Administrator / root access

Hardware Requirements

  • Notebook powerful enough to run a virtual machine (no netbook, no tablet, no iPad) with at least 8 GB of RAM
  • 40 GB of free hard disk space
  • wireless network card
  • for notebooks with USB-C, students must bring USB-A adaptors or hubs
  • further ARM64 hardware will be provided by the trainer

Course Outline

Day 1

  • Introduction to the ARM64 CPU architecture
  • Understanding the different ARM64 Calling Conventions
  • Exploring the A64 Instruction Set
  • Reverse Engineering of small code snippets
  • Exploring the ARM64 System Registers
  • Understanding ARM64 Page Tables

Day 2

  • Introduction to ARM64 debugging with gdb and lldb
  • Crashdumps, Coredumps and Kernel Panics
  • System Calls and Writing Shellcode in ARM64 (for later conversion into ROP)
  • Exploitation of ARM64 stack buffer overflows
  • Exploit Mitigations Part I ((P)XN, ASLR, Stack Cookies)
  • Bypassing Stack Cookies with Infoleaks
  • ARM64 Return Oriented Programming

Day 3

  • differences between ROP / BOP / code reuse
  • manual and tool-driven ARM64 ROP gadget search
  • building practical ROP chains
  • Hands-on: writing an exploit with ROP chains
  • breaking ASLR with brute force / infoleaks
  • Hands-on: changing the exploit to defeat ASLR

Day 4

  • Heap Vulnerabilities (memory corruption, use after free, double free, ...)
  • Introduction to various heap implementations
  • Differences of heap implementations in Linux/Android/iOS

Day 5

  • How to exploit Use After Free bugs
  • Hands-on: exploit a use after free vulnerability
  • How to exploit Heap Memory Corruptions
  • Hands-on: exploit a heap memory corruption

Training Takeaways

  • All students will take home an ODROID-C2 ARM64 device
  • The whole training material (several hundred slides) will be handed to the students in digital form.

About the Instructor

Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he has devoted a lot of time to PHP and PHP application vulnerability research. However, in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he has worked as head of research and development for the German web application company SektionEins GmbH, which he co-founded. In 2010 he did his own ASLR implementation for Apple's iOS and shifted his focus to the security of the iOS kernel and iPhones in general. Since then he has spoken about the topic of iOS security at various information security conferences around the globe. In 2012 he co-authored the book iOS Hacker's Handbook. Since then he has focused on the security of the macOS and iOS kernel and teaches these topics in trainings all around the world.