Vulnerabilities 1002: C-Family Software Implementation Vulnerabilities


OpenSecurityTraining2

About This Course

This is a dual-audience class. It is for developers who want to learn how to write code without introducing new vulnerabilities (or how to detect existing vulnerabilities in their own code). But it's also a class for aspiring code auditors and freelance vulnerability hunters. And it's a prerequisite for eventually learning about vulnerability exploitation. So it's an epic battle between conscientious developers and devious vulnerability hunters! Who will win?! Whoever most takes the lessons of this class to heart!

This class is structured in 5 main topic areas, corresponding to the vulnerability types we will cover: uninitialized data access (UDA), race conditions (double fetch and Time of Check, Time of Use (TOCTOU)), use-after-free (UAF), type confusion (TyCo), and information disclosure (Info Leak). For each topic area we explain at least 6 real vulnerabilities. And for at least one of those vulnerabilities we explain how it could be exploited, so that students can understand that exploitation engineering is just a typical engineering discipline, akin to a specialized form of software engineering. And thus even when vulnerabilities perhaps don't look exploitable, they still often are. At the end of each topic area, we cover prevention, detection, and mitigation options for dealing with that vulnerability type.

Real vulnerabilities covered in class

  1. Uninitialized Data Access (UDA):
    1. CVE-2022-26721
    2. CVE-2022-1809
    3. CVE-2021-3608
    4. CVE-2022-29968
    5. CVE-2019-1458 (Exploited in the wild, 0day, includes exploit walkthrough)
    6. CVE-2021-27080
  2. Race Conditions (including double fetch and Time of Check, Time of Use (TOCTOU)):
    1. CVE-2019-11098 (Includes exploit walkthrough)
    2. CVE-2021-4207
    3. CVE-2021-34514
    4. 2022 no CVE assigned, Microsoft Mu
    5. CVE-2020-7460
    6. 2019 no CVE assigned, Qualcomm baseband firmware
  3. Use After Free (UAF):
    1. CVE-2020-29661 (Includes exploit walkthrough)
    2. CVE-2021-28460
    3. CVE-2020-2674
    4. CVE-2021-36955
    5. CVE-2020-9715
  4. Type Confusion:
    1. CVE-2021-1732 (Exploited in the wild, 0day, includes exploit walkthrough)
    2. CVE-2022-21882 (Exploited in the wild, 0day, includes exploit walkthrough)
    3. CVE-2020-3853
    4. CVE-2019-14192 (Exploited in the wild, 0day)
    5. CVE-2021-30869 (Exploited in the wild, Nday)
    6. CVE-2021-30857
    7. CVE-2021-41073
  5. Information Disclosure:
    1. CVE-2022-22252
    2. CVE-2022-29181
    3. CVE-2020-9833
    4. CVE-2021-3947
    5. CVE-2020-25624
    6. CVE-2019-8921
    7. CVE-2021-22898
    8. CVE-2021-22925

Learning Objectives
* Learn to recognize the common programming errors that lead to uninitialized data access (UDA), race conditions (double fetch and Time of Check, Time of Use (TOCTOU)), use-after-free (UAF), type confusion (TyCo), and information disclosure (info leak).
* Learn what options developers have in terms of prevention, detection, and mitigation for each vulnerability type.
* See examples of exploitation of a subset of the covered vulnerabilities that might otherwise seem unexploitable.

A non-goal of this class is to teach the student how to exploit the vulnerabilities themselves. That will be covered in a future Exploits 1001 class. (Therefore this class's job-applicability stops at "secure development" or "vulnerability auditor", and doesn't extend to "exploitation engineer".)
Another non-goal of this class is to cover design issues, which are more varied in their appearance and remediation guidance. This class is specifically about the most common implementation issues, which have been occurring for the last 30+ years and continue to occur today, despite some fairly straightforward guidance that can eliminate the majority of them.

Requirements

This class has minimal prerequisites. It just requires that you are comfortable with reading small (< 100 line) C programs. You should have also completed Vulnerabilities 1001 before starting this class.

Frequently Asked Questions

What learning paths is this class used in?

Secure Development, Vulnerability Hunting and Exploitation, System Security

Course Staff

Xeno Kovah

Xeno founded OpenSecurityTraining(1) in 2011 to share his and others' trainings more widely. He relaunched OpenSecurityTraining2 in 2021.

Xeno's from Minnesota and has a BS in CS from UMN. He received a MS in computer security from Carnegie Mellon through the National Science Foundation "CyberCorps Scholarship for Service". But the US government didn't really yet know what to do with "cyber" people in 2007; so he ended up going to work for a Federally Funded Research and Development Center - MITRE. Xeno worked exclusively on internal-funded research projects, first as a participant and later as a leader on Windows kernel malware detection and trusted computing projects. Towards the end, other cool researchers inspired him to dig into BIOS and firmware level threats.

Xeno left MITRE to start an independent consultancy, LegbaCore, with Corey Kallenberg in 2015. Less than a year later, under mysterious circumstances that he's legally prevented from stating, he started working for Apple. While at Apple he helped get SecureBoot on Macs with the addition of the T2 chip. He also led the SecureBoot design and implementation project for the ARM-based M1 Macs. But between those big, visible, multi-year projects, he was silently improving the security of a bunch of the 3rd party peripheral processors' hardware and firmware. He liked working at Apple because he had a bully pulpit where he could force 3rd parties to do the right thing or lose their business. But he likes OST better, so he left in 2020 to work on this full time.

Xeno has a touch of the illness known as being a "collector" (it's not quite to the level of being a "hoarder", so he can't get on TV for it or anything...) Consequently he collects speaker badges and has presented at IEEE S&P, ACM CCS, BlackHat USA/EUR, Defcon, CanSecWest, PacSec, Hardwear.io NL, Hack in the Box KUL/AMS/GSEC, H2HC, Microsoft BlueHat, Shmoocon, Hack.lu, NoHat, Hacktivity, HackFest, NoSuchCon, SummerCon, RSA, ToorCon, DeepSec, VirusBulletin, MIRCon, AusCERT, Trusted Infrastructure Workshop, NIST NICE Workshop, and the DOD Information Assurance Symposium. And yet he still says "MORE!"