Rediscovering the Art of Vulnerability Discovery [04/24/24]

Introduction to My Chronicles

If you've been keeping up with my adventures, you know I've dived back into low-level vulnerability discovery and research. Recently, I took some time to refresh my understanding of low-level code (assembly) and architecture review, particularly of ARM systems. Given that most systems I work on these days are aarch64, it was important for me to get updated on the current state of affairs. Let me tell you, while things have changed, the foundational concepts remain the same.

There are some fantastic resources/reading materials on Arm assembly and internals. One of my favorites is Azeria's - Arm Assembly Internals and Reverse Engineering which quickly immerses you into the internals with just the right amount of context.

Facing Challenges and Choosing a Path

Coming back to the world of vulnerability discovery and exploit development, I struggled most with choosing a methodology to follow. With a decent understanding of assembly and code auditing primitives, I needed something more hands-on and course-driven to bring me up to speed.

Setting the Requirements

Here are the requirements I set for myself to ensure the journey was both successful, enjoyable and maybe...profitable:

The requirements:

• Must be self paced
• Can dedicate at least 3-4 hours daily (nightly)
• Narrow research to only macOS and Linux (can be specialized)
• Can apply methodology and practice immediately

I am sure there are more missing but those were some the top of mind items. Which lead me to zerodayengineering.com (ZDE) founded by Alisa Esage. Alisa offers a few different training courses that are technically sound and well organized. When I explained to her a bit of my background, she knew almost immediately what I was missing was a systematic foundation. Which to me was the 💡 moment. Every time I start my journey in vulnerability discovery research, I am often puzzled with questions like:

• Where do I start?
• What is my target?
• Why is it my target?
• What attack vector should I focus on?

While the first three questions are good, the last and several others not mentioned get way into the weeds to quickly. More on that later.

Course choices

After a few back and forth we came to conclusion that:

• Zero Day Vulnerablity Research course was a good starting ground
• Hypervisor Vulnerability Research would be the next best course for daily bug hunting hobby. Mainly because newly introduced technology and protocols being added often.

Course Experience and Key Takeaways

I am happy to say, the guidance was right. I bought the Zero Day VR course and loved every bit of it. The course is beginner friendly but also to indiviuals who have experience and need a refresh like me. It met the mark of being self paced and had a good methodology I now incorporate into practice. Giving me the system foundation I have been missing.

Some (not exhaustive) key take aways from the course:

• Mindset is important
• Be hypothese driven
• Theorical analysis and Hypothetical reasoning are continous practice
• Dive deeper and be more detailed
• Have a clear mental model, no need to dive deep in code immediately
• Pomodoro technique is awesome and can help focus on big picture (or complex one)
• Practice, practice, practice

Now, I purposely dont delve into all the intricate details here because if you are interested, you should take the course yourself. Additionally, the syllabus linked on the website provides a good overview. There are some masterclasses available if you want to dip your toes into it. That's one of the reasons I've decided to enroll in the full Hypervisor VR course. But to give you an idea of how beneficial the course was for me:

• Day 1-6: Began and completed course materials.
• Day 7: Chose my target application and started vulnerability research on an application that provides integrated mail, calendaring and address book functions.

• Day 8/9: Identified more than two bugs leading to exploitable vulnerabilities:

  • Use-after-free
  • Buffer Overflow
  • Format string vulnerabilities

The results speak volumes. I would recommend this course time and again, and if you have the opportunity to take it live or in person, it's a no brainer. As I continue with more vulnerability research, I'll keep posting about my journeys. If you have any questions or want to share your experiences, feel free to reach out for a chat.

Now, What challenges have you faced in your vulnerability research?