DeepSec 2019 Training: IoT/Embedded Development – Attack and Defense Lior Yaari
Every developer makes mistakes. If you are unlucky, these mistakes result in a security vulnerability, an almost untraceable bug for the normal developer. Going around the world, helping developers to find and understand the vulnerabilities they’ve accidentally created, we learned that unlike bugs, vulnerabilities are invisible to the eye, mind and UT. No one teaches developers how an attacker thinks, what computers security mechanisms are capable of (and what not), and how to avoid creating possible security mistakes endangering your customers.
In this course we will teach you the basics of Embedded Devices security from the beginning: How vulnerabilities are created and how an attacker approaches a new device. From the internals, – physical manipulations, buffer overflows, memory corruptions, timing attacks, all the way to the solution: How to avoid common mistakes and even the uncommon ones. We will learn both how to detect such mistakes, and how to prevent them.
Don’t expect to learn the secure development basics you can find on Google. Meeting with dozens of developers we mapped development patterns and misconceptions that led to security issues, and hope to help you understand not just about the technical mistakes (“check the buffer size before coping”) but to develop a thinking pattern that will help you to detect the next security flaw, use it or close it. Each lab day will consist of lectures and hands on hacking exercises , vulnerability mitigation exercises, along with tips on how to avoid and detect security flaws.
We asked Lior a few more questions about his training.
Please tell us the top 5 facts about your training.
- I believe that for real and deep understanding of a subject you need to practice it – so every lesson I teach comes with hands on exercises.
- All materials are based on real stories and vulnerabilities I encountered during my work as an embedded security researcher. Join if you wish to hear the stories as well.
- This is the 5th training workshop I built, but the first commercial one. All past workshops are used by the military cyber training, and the oldest one of them is 5 years old and still rocking.
- I can talk about embedded security for a month, this training contains the top most important subjects I think people should begin with.
- Anyone interested in security can join! The workshop is built so that it would be interesting and beneficial for both new comers and experienced engineers. Lab materials differ so that each participant faces challenges that are relevant to him.
How did you come up with it? Was there something like an initial spark that set your mind on creating this training?
As part of my line of work as a security researcher I perform “code security assessments” in which I met with developers from all around the world: India, Singapore, France, Germany, Romania and more. I was reviewing their source code, looking for vulnerabilities. Obviously I found many vulnerabilities, but that was not the interesting part of the job. What fascinated me most was the reaction of people discovering their system is not safe as they thought – grave sadness, uncontrollable laughter and most importantly a great spark of interest. Everyone I met was eager to learn more about security and to become a better developer, security manager, VP R&D, better for the next round.
Right before I would go the managers would ask me: “Lior, How can we teach everyone here to avoid those mistakes? To write safer code?” I did not have an answer, but now I do. Understanding the need for secure development training both for developers and researchers is what made me start my own business that offers end to end solutions – we find vulnerabilities, help you fix them, and teach you to avoid them.
Why do you think this is an important topic?
IoT and embedded devices is the fastest and biggest growing market of the technological industry, and their security standard is terrible. Vulnerability research for embedded devices is equivalent to Windows research in the 90’s.
If we don’t want our fridges, vehicles, medical devices and smart homes to be hacked – embedded security should concern us. I think every developer those days needs to understand the importance of security, and how to implement it in his code and that every researcher needs to understand the opportunities they face.
Is there something you want everybody to know – some good advice for our readers maybe?
Security is complicated. It is impossible to teach in two days, or even in two months. But a little is better than nothing, and every organization needs to think of security when planning its’ goals. So my advice would be – always plan for security. Otherwise you will regret it when things will go south.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?
There are plenty of great IoT and embedded startups, with some of whom I work closely. The biggest gap in IoT and embedded security is knowledge, but it could be partially closed by other means: means that would prevent a developer from creating a vulnerability, before the product is out. Some of these technologies are out: static code analyzers or library control tools. And some are on their way: Automated fuzzing, firmware analyzers and more. Sadly, these solutions have a major downfall – they are f***ing expensive. IoT giants might use them, but the little startups would struggle. And the results? A growing cyber threat, and a growing market for solutions.
Who Should Attend
- Embedded/IoT engineers and developers who wish to understand security and avoid security coding mistakes
- Web/Network security experts who with to get the basics of low level security
- Everyone who is interested in embedded/IoT vulnerabilities, from the basics to advanced subjects.
Who Not Should Attend
- Experienced low level vulnerability researchers
- IoT advertisers
- Knowledge in C/C++ and Python is recommended. If you miss one of them, it is OK. The workbook will guide you.
- Basic knowledge in Linux command line
- Laptop with 4GB+ RAM. Preferably with Windows OS
- Installing the software pack that will be supplied a few days before the training.
Morning: Introduction to Cyber Security:
– What are vulnerabilities
– Famous attacks
– How a vulnerability is created
– Vulnerabilities types and classification
– The mind of an attacker
Noon: Memory Corruption Vulnerabilities
– Complied programs memory layout
– Buffer overflows + Lab
– Format string attacks + Lab
– Integer overflows + Lab
– Command Injections
– Summary – how to find and avoid
Morning: Cryptographic Security Mechanisms and How To Use Them
– Common usage mistakes
– Summary – how to find and avoid
Noon: Embedded Devices Attacks
– TOCTOU attacks + Lab
– SPI intrusion
– Memory swaps
– Gliching + Lab
– Summary – how to find and avoid
– Final exercise – finding and fixing vulnerabilities in large code
Lior is an expert in embedded security research. After more than six years as a technological officer in the Israeli military, he joined the cyber security industry as a vulnerability researcher for autonomous vehicles. More than 40 vulnerabilities later he decided to share his knowledge in order to help the world avoid the next security breach. His consulting company, Imperium Security, aims to teach every developer to secure his own code. Lior has been rated one of the top lecturers of Israeli military technological trainings for the past 5 years, every year.
About Imperium Security: Imperium is a consulting company that helps embedded devices companies globally to secure their products. The company performs security assessments – finding vulnerabilities in source codes, security design consulting, and secure development training’s for developers.