Advanced Vulnerability Research
ACTP's most technical and challenging offering, designed for those who are looking to take their VR skills to the next level.
Course Description
Written by a team of vulnerability research experts, this course will teach students how to find bugs such as use-after-free, type confusion, memory corruption, and logic bugs in software applications like web browsers and operating system kernels. Students will learn to find vulnerabilities using techniques such as fuzzing, symbolic execution, and code property graphs.
Prerequisites
- A firm grasp of x86-64 assembly.
- Strong programming skills in C and C++.
- Comfortable with reverse engineering software using IDA and Ghidra.
- Completed the Vulnerability Research and Exploitation module from a CNO Programmer course.
Program Highlights
Advanced Fuzzing
Learn to use modern fuzzing tools like AFL++ and write custom fuzzing harnesses for hard targets and exotic interfaces like RPC.
Symbolic Execution
A deep dive into cutting-edge VR concepts of symbolic execution, from SAT/SMT solvers to writing your own symbolic execution engine.
Code Property Graphs
Combine abstract syntax trees, control flow graphs, and data flow graphs to find subtle vulnerabilities using modern tools like Joern.
What You Will Learn
- Audit source code and binaries using advanced techniques and custom analysis scripts for Ghidra.
- Identify dangerous synchronization patterns and undefined integer operations that lead to exploitable race conditions.
- Understand and find complex bug classes including type confusion, memory corruption, use-after-free, and information disclosures.
- Use emulation and instrumentation engines such as Unicorn Engine and Frida for advanced fuzzing tasks.
Daily Agenda
-
Day 1: Code Auditing and Foundational Bugs
A thorough review of auditing techniques across source and binaries. Learn to identify undefined integer operations and dangerous synchronization patterns that lead to exploitable bugs.
Day 2: Fuzzing and Type Confusion
Learn to use modern fuzzing tools like AFL++ to find vulnerabilities in target programs, including hands-on labs for network-based applications, and a deep dive into finding type confusion bugs.
Day 3: Advanced Fuzzing and Memory Corruption
Write custom fuzzing harnesses for hard targets, learn about fuzzing exotic interfaces like RPC, and use emulation engines like Unicorn and Frida. Gain a deep understanding of memory corruption bugs.
Day 4: Symbolic Execution
A deep dive into the cutting-edge concepts of symbolic execution from SAT/SMT solvers to intermediate representations. Write your own x86-64 symbolic execution engine and learn to use angr.
Day 5: Code Property Graphs & Final Exam
Combine abstract syntax trees, control flow graphs, and data flow graphs into code property graphs to find subtle vulnerabilities. Covers use-after-free and information disclosures, followed by the final exam.