
RINGZER0 HANDS-ON WORKSHOPS

Free workshops on advanced infosec topics

## 20-JUN Security Automation For Electron Apps

“If you can build a website, you can build a desktop app”, they say. “If you can build a security check, you can level up your SecDevOps”, we say. Building secure ElectronJS applications is possible, but complicated. In this workshop you'll learn how to detect misconfigurations and vulnerabilities in ElectronJS-based applications using Electronegativity. Electronegativity is the de-facto standard tool for identifying security anti-patterns in desktop apps built with web technologies. We'll go over its major features, internal design and usage, and ultimately how to integrate the tool into your CI/CD pipeline. During this intense one-hour workshop, you will customize Electronegativity by developing a custom atomic check and integrating it as a GitHub Action for your project.

#### PREREQUISITES

* Basic NodeJS development experience
* Basic understanding of web application security (e.g. XSS, ClickJacking, etc.)

**AUDIENCE**

* Security engineers, auditors, researchers, pentesters, and those in similar roles
* JavaScript and Node.js developers

**DURATION**

1 hour lecture/demo

**For the full version of this topic, check out Luca's [Electron Security Threat Modeling, Vulnerability Research and Exploitation](https://ringzer0.training/electron-security.html) training at #BACK2VEGAS.**


**Workshop Instructor:** Luca Carettoni

20 JUNE 2022, 8 am - 9 am Pacific time

With over 15 years of experience in the application security field, Luca Carettoni is a respected application security expert. Throughout his career, he has worked on security problems across multiple industries and companies of different sizes. He is the co-founder of Doyensec, an application security consultancy working at the intersection of offensive engineering and software development. At LinkedIn, he led a team responsible for identifying new security vulnerabilities in applications, infrastructure and open source components. Prior to that, Luca worked as the Director of Information Security at Addepar, a startup that is reinventing global wealth management. Proud to be a Matasano Security alumnus, he helped bootstrap the Silicon Valley office by delivering high-quality security assessments to software vendors and startups. As a security researcher, he discovered numerous vulnerabilities in software products of multiple vendors including 3com, Apple, Barracuda, Cisco, Citrix, HP, IBM, Oracle, Sun, Siemens, VMware, Zend and many others. Since the beginning of his career, he has been an active participant in the security community and a member of the Open Web Application Security Project (OWASP). Luca holds a Master's Degree in Computer Engineering from the Politecnico di Milano University.



## 21-JUN Introduction to V8 JavaScript Engine Grammar-based Fuzzing

In this short hands-on workshop, we will attack the V8 JavaScript Engine using grammar-based fuzzing. First, I will show how to download a version of V8 already compiled with AddressSanitizer (ASAN). Then, I will introduce how to write a Dharma grammar and finally, we will use some simple scripts to start automation. Most of what you will learn during this workshop can be applied to other JavaScript engines like SpiderMonkey, JavaScriptCore, etc.

#### PREREQUISITES

* None

**AUDIENCE**

Beginner and Intermediate

**DURATION**

2 hours lecture/demo

**For the full version of this topic, check out Patrick's [Practical Web Browser Fuzzing](https://ringzer0.training/browser-fuzzing.html) training at #BACK2VEGAS.**


**Workshop Instructor:** Patrick Ventuzelo

21 JUNE 2022, 8 am - 10 am Pacific time

Patrick Ventuzelo is a French Independent Security Researcher specialized in vulnerability research, reverse engineering and program analysis. He is the creator of two trainings, namely “WebAssembly Security” and “Rust Security”. Patrick is also the author of Octopus, an open-source security analysis tool supporting WebAssembly and multiple blockchain smart contracts, to help researchers perform closed-source bytecode analysis. Previously, he worked for Quoscient GmbH, P1Security, the French Department Of Defense and Airbus D&S Cybersecurity. Patrick has been a speaker and trainer at various international conferences such as REcon Montreal/Brussels, Toorcon, hack.lu, NorthSec, FIRST, Microsoft DCC, SSTIC, BlackAlps, Devcon, etc.



## 22-JUN Hands-on binary deobfuscation - From symbolic execution to program synthesis

In this hands-on workshop, we will provide a gentle introduction to state-of-the-art approaches for modern binary deobfuscation. After a brief lecture on the fundamental ideas, we will walk through a practical demo to illustrate the whole landscape. Starting with a piece of unobfuscated code, we will apply Mixed Boolean-Arithmetic transformations to heavily obfuscate it. Then, we will use symbolic execution to retrieve the obfuscated expression from the compiled binary and attempt to simplify it with the aid of an SMT solver, while showcasing the limitations of such an approach. Finally, we will leverage program synthesis to reason about and successfully recover the semantics of the obfuscated code.

#### PREREQUISITES

* Familiarity with x86 assembly, C and Python
* Basic knowledge of reverse engineering

**AUDIENCE**

Beginner and Intermediate

**DURATION**

2 hours lecture/demo

**For the full version of this topic, check out Arnau's [An Analytical Approach to Modern Binary Deobfuscation](https://ringzer0.training/modern-binary-deobfuscation.html) training at #BACK2VEGAS.**


**Workshop Instructor:** Arnau Gàmez i Montolio

22 JUNE 2022, 8 am - 10 am Pacific time

Catalan hacker, reverse engineer and mathematician, with an extensive background in code (de)obfuscation research and Mixed Boolean-Arithmetic expressions, as well as industry experience as a senior malware reverse engineer. Founder of Fura Labs (@FuraLabs), a research and education firm on software security and reverse engineering. Co-founder and president of @HackingLliure, a non-profit association and hacking community. Speaker and trainer at several international security conferences.



## 27-JUN Initiation to Car Hacking: Discovering the CAN bus

As vehicles become more and more complex, with various on-board embedded systems and dedicated networks to share information between ECUs, the CAN bus remains the backbone of any car. This hands-on workshop will explain how the CAN bus works and what tools we can use to interact with it. You will have access to an interactive interface simulating basic functions of a car and a remote terminal to read / write on the virtual CAN bus.

#### PREREQUISITES

A computer with a browser and a terminal for SSH connection to the workshop container.

**AUDIENCE**

Any infosec / car enthusiast who wants to dive into Car Hacking.

**DURATION**

1.5 hours lecture/demo

**For the full version of this topic, check out Philippe's [Quarkslab: Practical Car Hacking](https://ringzer0.training/practical-car-hacking.html) training at #BACK2VEGAS.**


**Workshop Instructor:** Philippe Azalbert

27 JUNE 2022, 8 am - 9:30 am Pacific time

Philippe Azalbert (@Phil_BARR3TT) is a security researcher at Quarkslab. He has worked for several years on car security, and his research interests also lie in embedded devices and software defined radio. He has presented the Car Hacking CTF at Barbhack and a talk on bypassing 2FA using a car.



## 29-JUN Bypassing security perimeters via vulnerable devices

Devices are nowadays omnipresent, including in enterprises and critical infrastructures, where they are mostly placed behind multiple protection perimeters. Despite the presence of these security boundaries, several opportunities may still be available to an attacker. During this workshop, we will cover a few techniques to bypass such perimeters, leveraging vulnerable devices already present within the network.

We will start by touching upon the concept of "browser pivoting", discussing which vulnerabilities may be suitable for such a technique. We will then show and comment on a demo where an attacker on the Internet gains full control of a vulnerable device by pivoting on a mobile phone browser on the same network, effectively bypassing all perimeters in one go.

We will then focus on the LAN-side Cisco RV340 vulnerabilities disclosed at Pwn2Own. We will first demo and comment on a LAN-side root exploit. We will then show how, by using the techniques above and, where needed, by pivoting on already compromised devices, such vulnerabilities may also be exploited from the WAN.

Finally, we will discuss how an attacker with root privileges on a device may also aim to compromise a TEE to achieve full control, access otherwise unobtainable secrets and/or remain undetected on the system. TEEPwn will cover how to compromise a TEE by identifying and exploiting critical vulnerabilities.

#### PREREQUISITES

* Familiarity with ARM architecture
* Comfortable with reverse engineering (any architecture)
* Basic exploit development

**AUDIENCE**

Security researchers (both device-focused or not), Penetration Testers and Red Teamers

**DURATION**

2 hours lecture/demo

**For the full version of this topic, check out Cristofaro and Niek's [TEEPwn: Breaking Trusted Execution Environments](https://ringzer0.training/teepwn.html) training at #BACK2VEGAS.**


**Workshop Instructors:** Cristofaro Mune, Niek Timmers

29 JUNE 2022, 8 am - 10:00 am Pacific time

Cristofaro Mune [@pulsoid](https://twitter.com/pulsoid) has been in the security field for 15+ years. He has 10 years of experience with evaluating SW and HW security of secure products, as well as more than 5 years of experience in testing and assessing the security of TEEs. He is a security researcher at [Raelize](https://raelize.com) providing support for developing, analyzing and testing the security of embedded devices. He has contributed to the development of TEE security evaluation methodologies and has been a member of TEE security industry groups. His research on Fault Injection, TEEs, White-Box cryptography, IoT exploitation and Mobile Security has been presented at renowned international conferences and in academic papers.

Niek Timmers [@tieknimmers](https://twitter.com/tieknimmers) is a security researcher at [Raelize](https://raelize.com) providing support for developing, analyzing and testing the security of embedded devices. He has been analyzing and testing the security of devices for over a decade. Usually his interest is sparked by technologies where the hardware is fundamentally present. He has shared his research on topics like Secure Boot and Fault Injection at various conferences like Black Hat, Bluehat, HITB, hardwear.io and NULLCON.



## 30-JUN SCAPY, from S to Y!

Scapy (http://www.scapy.net, https://github.com/secdev/scapy) is a powerful Python-based interactive packet manipulation program and library. It can be used to forge or decode packets for a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. This workshop will describe its main features step by step, and will let you explore the following topics:

* packet manipulation
* sending and receiving packets
* visualization
* IPv6 and TLS support
* implementing a new protocol
* answering machines
* automaton
* pipes

#### PREREQUISITES

Linux (native or virtualized) and a fresh Scapy install from GitHub

**AUDIENCE**

Anyone with some basic Python knowledge and willing to discover Scapy's powers.

**DURATION**

1.5 hours lecture/demo

**For the full version of this topic, check out Guillaume's [IPv6 Network Security with Scapy](https://ringzer0.training/ipv6-security-with-scapy.html) training at #BACK2VEGAS.**


**Workshop Instructor:** Guillaume Valadon

30 JUNE 2022, 11 am - 12:30 pm Pacific time

Guillaume Valadon holds a PhD in IPv6 networking. He likes looking at data and crafting packets. In his spare time, he co-maintains [Scapy](https://github.com/secdev/scapy) and learns reversing embedded devices. Also, he still remembers what AT+MS=V34 means! Guillaume regularly gives technical presentations, classes and live demonstrations, and writes research papers for conferences and magazines.



## 5-JUL A journey into malicious code tradecraft for Windows

Malicious code is evolving to deal with the proliferation of security solutions equipped with complex detection systems. Even small enterprises are now protected by XDRs that monitor every suspicious action using user space hooking, kernel callbacks and ETW, and implement automated and/or human-driven event correlation to detect and stop even the most advanced attacks. To make matters even more complex for attackers, operating systems have now implemented mature protection technologies (such as Windows Defender Exploit Guard, Virtualization Based Security or Control-Flow Enforcement Technology) that rely on security extensions provided by modern processors to mitigate threats arising even from the most skilled malware developers.

In this scenario, attackers are more challenged: the golden age when encrypting an implant's strings with a one-byte XOR was enough to bypass detection is gone. Today, to attack hardened systems protected with cutting-edge security technologies, it is necessary to take care of every aspect of the implant and to deal with experienced and skilled operators. To this aim, single implants have evolved into multi-platform malware frameworks using a multi-stage architecture with dynamic loading of heterogeneous modules that are most often protected with obfuscation layers to evade signatures. But this is not enough.

In this workshop we will go through implant evolution from an attacker's perspective, showing real examples to highlight what makes defenders' life harder.

Beware: this workshop contains live malware. Participants will be provided with a couple of samples to download and reverse engineer. To fully enjoy this workshop, please get your Virtual Machines ready.

#### PREREQUISITES

* Knowledge of assembly and C language programming
* Reverse-engineering experience is a good plus

**AUDIENCE**

Beginner and Intermediate

**DURATION**

2 hours lecture/demo

**For the full version of this topic, check out Silvio and Antonio's [Windows Malware Implants OPSEC, Evasion and Anti-Reversing Techniques](https://ringzer0.training/windows-malware-implants.html) training at #BACK2VEGAS.**


**Workshop Instructors:** Silvio La Porta, Antonio Villani

5 JULY 2022, 8 am - 10:00 am Pacific time

Dr. Silvio La Porta is a Senior Cyber Security Architect designing security products and researching advanced detection technology for complex malware/APT. Silvio was previously a lead research scientist with EMC Research Europe, based in the Centre of Excellence in Cork, Ireland. His primary research focus areas were real-time network monitoring and data analysis in smart grids to detect malware activity in SCADA systems and corporate networks. He also led Security Service Level Agreement (Sec-SLA) and end-user security/privacy protected data store projects for hybrid Cloud environments. He is a frequent speaker at professional and industry conferences. Before joining EMC, Silvio worked as a Malware Reverse Engineer in Symantec's Security Response team in Dublin, Ireland. Silvio holds a PhD in Computer Network Security from the University of Pisa, Italy.

Dr. Antonio Villani spent the past years analyzing high-level implants for top-tier customers, providing detailed implementation information to support cyber-defense and cyber threat intelligence teams. Now, he uses his experience in the reverse engineering of multi-stage implants to improve the detection and response capabilities of endpoint security products. As a researcher he has published in top-tier conferences and journals and has participated in European research projects in the field of cyber resilience and data security. During his PhD he also worked in the field of malware research and digital forensics.



## 6-JUL Hands-on Reversing with Ghidra

In this short hands-on workshop, we go over the major features of Ghidra, its strengths and weaknesses, and how it compares to similar tools. We provide exercises that run on Mac, Windows, and Linux, so bring whatever environment you've got. If you've been waiting to take a look at Ghidra, now's the time!

#### PREREQUISITES

* No reverse-engineering experience needed
* Basic knowledge of programming

**AUDIENCE**

Beginner and Intermediate

**DURATION**

2 hours lecture/demo

**For the full version of this topic, check out Jeremy's [Reverse Engineering with Ghidra](https://ringzer0.training/reverse-engineering-with-ghidra.html) training at #BACK2VEGAS.**


**Workshop Instructor:** Jeremy Blackthorne

6 JULY 2022, 8 am - 10:00 am Pacific time

Jeremy Blackthorne [@0xJeremy](https://twitter.com/0xJeremy) is a co-founder and instructor at the Boston Cybernetics Institute (BCI). Before BCI, he was a researcher in the Cyber System Assessments group at MIT Lincoln Laboratory. He was the co-creator and instructor for the Rensselaer Polytechnic Institute courses Modern Binary Exploitation and Malware Analysis. Jeremy has published research at various academic and industry conferences. He served in the U.S. Marine Corps with three tours in Iraq and is an alumnus of RPISEC.



## 7-JUL Debugging with EMUX

The EMUX IoT Firmware Emulation Framework currently provides near-native userland emulation for ARM and MIPS IoT devices. EMUX has been actively used in Saumil's popular ARM IoT Exploit Laboratory training for over 5 years. The Debugging with EMUX workshop shall be in two parts:

Part 1 (30 minutes)

* Setting up EMUX in 7 minutes
* A tour of EMUX internals
* EMUX utilities
* Tracing userland processes within EMUX

Part 2 (90 minutes)

* Debugging an ARM IoT target in EMUX
* Debugging a MIPS IoT target in EMUX
* Crash dump analysis

#### PREREQUISITES

* Linux system with Docker installed (see SETUP section)
* Working comfortably with the Unix command line
* Familiarity with GDB command line usage

**AUDIENCE**

Beginner and Intermediate

**DURATION**

2 hours lecture/demo

**SETUP**

* EMUX Docker container: https://github.com/therealsaumil
* EMUX Website and documentation: https://emux.exploitlab.net/

**For the full version of this topic, check out Saumil's [The ARM IoT Exploit Laboratory](https://ringzer0.training/arm-iot-exploitlab.html) training at #BACK2VEGAS.**


**Workshop Instructor:** Saumil Shah

7 JULY 2022, 8 am - 10:00 am Pacific time

Saumil Shah is the founder and CEO of Net-Square, providing cutting-edge information security services to clients around the globe. Saumil is an internationally recognised speaker and instructor, having regularly presented at conferences like Blackhat, RSA, CanSecWest, PacSec, EUSecWest, Hack.lu, Hack-in-the-box and others. He has authored two books titled “Web Hacking: Attacks and Defense” and “The Anti-Virus Book”. Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world and taking pictures.


