IoT/Embedded Development - Attack and Defense

Presented at DeepSec 2019 „Internet of Facts and Fears“, Unknown date/time (Unknown duration).

Every developer makes mistakes. If you are unlucky, these mistakes result in a security vulnerability, an almost untraceable bug for the normal developer. Going around the world, helping developers to find and understand the vulnerabilities they've accidentally created, we learned that unlike bugs, vulnerabilities are invisible to the eye, mind and UT. No one teaches developers how an attacker thinks, what computers security mechanisms are capable of (and what not), and how to avoid creating possible security mistakes endangering your customers. In this course we will teach you the basics of Embedded Devices security from the beginning: How vulnerabilities are created and how an attacker approaches a new device. From the internals, - physical manipulations, buffer overflows, memory corruptions, timing attacks, all the way to the solution: How to avoid common mistakes and even the uncommon ones. We will learn both how to detect such mistakes, and how to prevent them. Don't expect to learn the secure development basics you can find on Google. Meeting with dozens of developers we mapped development patterns and misconceptions that led to security issues, and hope to help you understand not just about the technical mistakes ("check the buffer size before coping") but to develop a thinking pattern that will help you to detect the next security flaw, use it or close it. Each lab day will consist of lectures and hands on hacking exercises , vulnerability mitigation exercises, along with tips on how to avoid and detect security flaws. Who Should Attend • Embedded/IoT engineers and developers who wish to understand security and avoid security coding mistakes • Web/Network security experts who with to get the basics of low level security • Everyone who is interested in embedded/IoT vulnerabilities, from the basics to advanced subjects. Who Not Should Attend • Experienced low level vulnerability researcher Prerequisite Knowledge • Knowledge in C/C++ and Python is recommended. If you miss one of them, it is OK. The workbook will guide you. • Basic knowledge in Linux command line Hardware/Software Requirements • Laptop with 4GB+ RAM. Preferably with Windows OS • Installing the software pack that will be supplied a few days before the training. Agenda Day 1: Morning: Introduction to Cyber Security: - What are vulnerabilities - Famous attacks - How a vulnerability is created - Vulnerabilities types and classification - The mind of an attacker Noon: Memory Corruption Vulnerabilities - Complied programs memory layout - Buffer overflows + Lab - Format string attacks + Lab - Integer overflows + Lab - Command Injections - Summary - how to find and avoid Day 2: Morning: Cryptographic Security Mechanisms and How To Use Them - Hashes - Encryption - Signatures - Common usage mistakes - Summary - how to find and avoid Noon: Embedded Devices Attacks - TOCTOU attacks + Lab - SPI intrusion - Memory swaps - Gliching + Lab - Summary - how to find and avoid - Final exercise - finding and fixing vulnerabilities in large code

Presenters:

  • Lior Yaari - Security Researcher and Founder of Imperium Security
    Lior is an expert in embedded security research. After more than six years as a technological officer in the Israeli military, he joined the cyber security industry as a vulnerability researcher for autonomous vehicles. More than 40 vulnerabilities later he decided to share his knowledge in order to help the world avoid the next security breach. His consulting company, Imperium Security, aims to teach every developer to secure his own code. Lior has been rated one of the top lecturers of Israeli military technological trainings for the past 5 years, every year. About Imperium Security: Imperium is a consulting company that helps embedded devices companies globally to secure their products. The company performs security assessments - finding vulnerabilities in source codes, security design consulting, and secure development training's for developers. [www.imperium-sec.com](http://www.imperium-sec.com)

Links:

Similar Presentations: