Last Class

Alright, so let's reflect a bit.

• This was a fun group.
• I feel like we have some crazy stories that unite us.
• A ton of you understand low-level x86 exploitation now.
• Many of you approached the class with "the right" mindset.
• Some put themselves into a weird "catch-up" loop that maybe stole the joy.
• The CTF team got stronger from this shared experience for sure.
• I added a lot of analogies to the aresnal that may or may not help me teach this stuff better in the future
• We definitely had double bell-curve effects, but not from ability, more from timing, life circumstances, other classes, etc.

Did you grow from the experience?

• Certainly you know more about how your CPU works than you did before
• You could probably jump into PWNing as an eSport
• I hope you learned to overcome "static", that feeling when something new and difficult is a little too intimidating at first. If you can get yourself out of static mode, nothing can stop you.
• How about interation loops? Seeing why something failed is infinitely better than trying and guessing at the source of failure.
• Maybe bravado, "if that dude can do this then so can I".
• Hopefully a bit of agency, learn it because it's interesting not because you're forced to.

Collection of Analogies without context

• Jon Snow
• Elite Praetorian Guards
• Real Estate food truck
• Geo Caching
• Battleship
• Cutting the worm
• Mom's Spaghetti
• Kindergarten cubby theivery
• Rule of Ryan
• Grocery Store Shopping
• Pound of Flesh
• Bullet Hell
• Eating food from the Recycle Bin
• Calling the librarian

Secure Software Design: The Other Versions

So there are other approaches to learning secure software design.

One is to learn the lessons and procedures of the rest of the industry and become an advocate for following generally good advice. Here's what that kind of looks like:

Head to the SEI C Standard. Poke around a bit.

Here I could have stayed on the dev side the whole time, and we could practice looking at writing code that follows these types of rules. Maybe contextualize them with some case studies or something, but to internalize the right way to code low-level products.

There is a high chance that this would be more practical for a corporate coding position.

Given a set of rules like this we could use a "static analysis toolchain" to evaluate source code for violations of these rules.

Checkout ROSECHECKERS the corresponding rules checker.

This is sort of like TypeScript and Linting as general software practices.

These days you can probably get an LLM to make a static analyzer for you based on your preferences.

Why I didn't

I'd get bored.

Also I think that learning rules from on high doesn't foster the intellectual power I want for you.

Like if someone gives you a life rule to follow, like never walk under a ladder. You follow it. They die. You keep spreading the rule. We end up spreading ladder rules to everyone and no one really knows why.

My version of that is to walk under some ladders, get hit in the head, have other people walk under ladders and you hit them in the head. Now you understand when to get worried about ladders, when not to, and more importantly to pay attention to the crazy people on ladders and their hammers rather than the ladder itself.

Call it FIRST PRINCIPLES thinking.

Do I think the CMU students in their version of this class will make more secure code than you? Well maybe. But I expect you to be more likely to discover the next wave of exploits.

How about SDL?

Let's look at the more DevOps version of Secure Software Design:

Look at a NIST Secure Software Development Framework

How about Microsoft's version: SDL

Maybe I'm just never grew up, but I think that these sort of things are dehumanizing. "Let us create procedures and rules for how things are done here." This is thinking from the era of needing factory workers. I say build your people up and hire slowly and carefully. Foster their sense of ownership in those teams. We aren't replaceable parts.

This is purely my preference for how life ought to be lived. So we did hacking.

How about the industry?

Let's poke at the MITRE ATTACK framework.

There are some roles in a large cyber team that are worth knowing about:

• Incident Response
• Threat Intelligence
• Forensics
• Red Team (sneaky)
• Pentesters (sledgehammer)
• Threat Hunting
• Internal Threats
• Risk Assessment
• Compliance
• Employee Training
• Malware Analyst

PWNing Gaps

So you want to be a 1337 h4x0r?

What did I not teach you (probably because I suck at it):

• how2heap has a TON of other exploits
• Other targets
• Kernel PWNing
• ANGR for Awesome REVing
• ARM pwning
• MUSL C
• RUST pwning
• JIT hacking via browsers
• C++ pwning
• Java pwning
• Python pwning

Thanks for a great semester

Had a blast, hope you got a lot of value.