Reverse Engineering basics talk @ Computer Security 2008/2009

Yesterday, as part of the 2008/2009 academic year edition of the "Computer Security" course, I, alongside Josu Lopez, had the chance to release a paper and give a talk explaining some quite basic notions of reverse engineering, with a strong emphasis on its use for vulnerability research and exploit development. We divided the talk into several parts, progressing from the definition of what reverse engineering is up to a live demo showing an actual exploit owning a virtualized SuSE 9.0 box.

We began with a brief explanation of what reverse engineering is in general and reverse code engineering in particular. In order not to focus too much on the academic definition, we enumerated some examples where this discipline of ours is actively being used (AV industry, security companies, interoperability, ...). Then we proceeded to present some of the tools (and the motivations behind them) available to researchers that can help immensely in the research process. To avoid excessive detail, we focused on disassemblers for static analysis and debuggers for dynamic analysis (anybody said IDA and OllyDbg? :-). Trying to be fair to the UNIX world, we also covered some tools commonly used on that platform.

Once the environment was hopefully clear in the audience's mind, we moved on to explaining what a security bug like a buffer overflow is and what it looks like. To not over-extend ourselves and avoid further confusion among the audience, we focused on the vanilla, all-time classic, stack buffer overflow. Josu did a great job on this one and gave a very convincing speech.

Once all the background was explained, we moved on to the actual live demo. For the task we ran the excellent example Jon Erickson built for his masterpiece "The Art of Exploitation" (http://nostarch.com/hacking2.htm): the 'tinyweb' web server. As shown in the book, this server has a critical request validation vulnerability that allows us to place a request of arbitrary length inside a fixed 540 byte stack buffer. As stated at the beginning of this article, we ran the vulnerable app inside a SuSE 9.0 VM and attacked it with a slightly modified version of the exploit presented in one of my previous articles, "tinyweb: going remote" (http://www.morenops.com/blog/?p=167). The audience looked quite enlightened by the demo, and afterwards we gave them a chance to ask some questions.

To sum everything up, we ended up with a 45 minute talk. It was a great experience to be able to explain this little passion of mine in front of an audience; let's hope it's not the last. You can find both the paper and the slides in the Works section of the site (http://www.morenops.com/works.html).

P.S.: The paper and the slides are in Basque, but with the titles and pictures you can get a pretty accurate idea.
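As an added illustration of the bug shape described above (this is not code from the post, the book, or tinyweb itself), here is a request handler that copies into a fixed 540-byte stack buffer without a length check, beside a version that validates the length before the copy. The function names and the request format are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Size the post cites for tinyweb's fixed stack buffer. */
#define REQUEST_BUF 540

/* Vulnerable shape (illustrative reconstruction, not tinyweb's code): the request
 * is copied with no bound, so anything longer than REQUEST_BUF-1 bytes writes
 * past the end of the stack buffer. Only ever feed this trusted, short input. */
int handle_request_vulnerable(const char *request)
{
    char buf[REQUEST_BUF];
    strcpy(buf, request);                 /* unbounded copy: the defect */
    return strncmp(buf, "GET ", 4) == 0 ? 0 : -1;
}

/* Hardened shape: measure first, refuse what does not fit, then do a bounded,
 * NUL-terminated copy. Returns 0 for GET, -1 for other methods, -2 if rejected. */
int handle_request_safe(const char *request)
{
    char buf[REQUEST_BUF];
    size_t len = strlen(request);

    if (len >= sizeof(buf))               /* keep room for the terminating NUL */
        return -2;
    memcpy(buf, request, len);
    buf[len] = '\0';
    return strncmp(buf, "GET ", 4) == 0 ? 0 : -1;
}

/* Builds a constructed GET request of exactly total_len bytes (path padded with
 * 'A') and runs it through the hardened handler; -3 means it could not be built. */
int safe_handler_result_for_length(size_t total_len)
{
    static char req[4096];
    const char *prefix = "GET /", *suffix = " HTTP/1.0\r\n";
    size_t pre = strlen(prefix), suf = strlen(suffix);

    if (total_len < pre + suf || total_len >= sizeof(req))
        return -3;
    memcpy(req, prefix, pre);
    memset(req + pre, 'A', total_len - pre - suf);
    memcpy(req + total_len - suf, suffix, suf);
    req[total_len] = '\0';
    return handle_request_safe(req);
}

int main(void)
{
    printf("539 bytes: %d, 540 bytes: %d, 2000 bytes: %d\n",
           safe_handler_result_for_length(539), safe_handler_result_for_length(540),
           safe_handler_result_for_length(2000));
    return 0;
}
```

The boundary is exactly where the page puts it: 539 bytes still fit with the terminator, 540 or more are rejected instead of overwriting the stack.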