BlackHoodie at Hexacon 2024
A new BlackHoodie event appears! We are thrilled to announce that thanks to Hexacon awesome team, we’ll be hosting 3 workshops at Espace Vinci in Paris. The event will take place over four days, right before the conference. And for the icing on the cake, some badass trainers answered our call to share their knowledge and their skills:
- Juliette and Jessica will introduce the attendees to the fantastic world of Reverse Engineering;
- Jiska will present you awesome tips and tools to tackle Android and iOS binaries in her 2 days long workshop;
- Eloïse (a.k.a. Eloïse Broca) will let you experience firmware extraction and analysis.
Come meet us end of September, we’re waiting for you!
TL;DR:
What: Class on low-level security topics, introductory and intermediate
When: September 30th to October 3rd 2024 - 9am-5pm
Where: Espace Vinci, Rue des Jeuneurs, Paris, France
Who: Women
Registration: fill form here, closing on September 15th or when all the seats are taken
Fees: The training and food are free; travel and accommodation is responsibility of attendees.
Intel x86-64 assembly introduction
Trainers: Juliette and Jessica are part of the incident response team in ANSSI (French National Cybersecurity Agency) and are specialized in binary reverse engineering.
This workshop introduces Intel x86-64 assembly by debugging and disassembling small snippets of code. This aims to teach the basics of reverse engineering by understanding how compiled code is rendered in assembly and how to write a small assembly program.
In this workshop will be introduced
- Most common assembly instructions
- Loops/control flow in assembly
- calling conventions
- How to use Ghidra to see the disassembly/decompiled code
- How to write a small assembly program”
Mobile Reversing and Security Analysis (iOS & Android)
Trainer: jiska a.k.a Jiska Classen is a wireless and mobile security researcher, leading a research group at Hasso Plattner Institute. The intersection of her research topics means that she digs into iOS internals, reverse engineers wireless firmware, and analyzes proprietary protocols. Her practical work on public Bluetooth security analysis tooling uncovered remote code execution and cryptographic flaws in billions of mobile devices. She also likes to work on obscure and upcoming wireless technologies, for example, she recently uncovered vulnerabilities in Ultra-wideband distance measurement, reverse-engineered Apple’s AirTag communication protocol, and published about Apple’s satellite communication implementation.
She has previously spoken at Black Hat USA, DEF CON, RECon, Hardwear.io, Chaos Communication Congress, Chaos Communication Camp, Gulasch Programmer Nacht, MRMCDs, Easterhegg, Troopers, Pass the Salt, NotPinkCon, gave various lectures and training, and published at prestigious academic venues. Jiska Classen gave iOS and Android security at TROOPERS, Nullcon, and Objective by the Sea, and has teaching experience from creating own lectures and labs as a postdoctoral researcher at TU Darmstadt.
Worshop description
Mobile Reverse Engineering 101 In this beginner-friendly training, you’ll learn the fundamentals of mobile reverse engineering on iOS and Android devices.
On the first day, you’ll step into the shoes of a malware analyst. The training starts with an introduction to the fundamentals of reverse engineering Android applications. With these basics, you’re all set to look into an Android app, which masquerades as an Instant Messenger, but hides various malicious functionality in both Kotlin and native code. Let’s figure out what the app is doing, which information is leaked, and to whom!
On the second day, you’ll learn how to review the security of a complex iOS app, which includes an App Extension and a mix of various programming languages. After an exploration of the app’s basic functionality, you’ll learn how to make a proper threat model prior to security testing. Based on this, let’s find and trigger a bug in the app!
This training teaches all methods and tools required to follow mobile pentesting guides, such as OWASP Mobile, while also providing you with the basics to build your own security analysis tools where needed.
Day 1 – Android
- The internal structure of an Android app.
- Static analysis of applications written in Java/Kotlin using Ghidra and jadx.
- Android specifics: Java virtualization, native libraries, JNI, …
- Dynamic instrumentation of applications that mix Java and native code using Frida.
- Android security boundaries: Intents, content providers, Binder, SELinux, sandboxing.
- Inter-process communication: Understanding Binder internals and tracing its interactions.
- Using existing tools to bypass TLS certificate pinning and root detection.
Day 2 – iOS
- Apple’s public documentation and source code.
- Attack surface and threat modeling: How to approach an App from a security point of view.
- The Apple App Store security model: Code signing, App Review, Entitlements, the iOS sandbox, and TCC.
- The internal structure of an iOS application: metadata and resources in Application Bundles, third-party frameworks, AppExtensions, and Mach-O internals, Fair- Play DRM & decrypting iOS Apps, introduction to the DYLD Shared Cache.
- Static analysis: Navigating through larger binaries, Objective-C and Swift calling conventions and name mangling.
- Dynamic analysis: Writing stand-alone Frida scripts to inject data and trigger bugs.
- Reading and interpreting crash logs.
Training prerequisites
Basic programming knowledge, ideally one of the following programming languages: Python, JavaScript, C/C++, Java/Kotlin, Objective-C/Swift. Optional: Mobile app development background.
What to bring
- Laptop that can run Android Studio and an Android Virtual Device, with an Internet connection and possibility to install additional software. Android Studio must be installed on your host and cannot run inside a VM.
- The laptop should be running macOS or Linux. If you are on Windows, you’ll need to run a Linux VM with the tools for the iOS part of the training, including support for forwarding USB devices.
- Your laptop needs at least 8GB of RAM on macOS and Linux, or 16GB of RAM if you’re on Windows. Your rooted Android devices can be used as well, but we won’t be able to provide support for this. If you do have jailbroken iPhones and could bring those, that would help us a lot – please let us know in advance, including the jailbreak that you’re using.
Who should attend?
This training is aimed at anyone interested in mobile app security, including up and coming pen testers, security or vulnerability researchers, or app developers.
An Introduction to Firmware Cartography and Analysis
Trainer: Eloïse Brocas is a security researcher and reverse engineer at Quarkslab.
This workshop will introduce attendees to the world of firmware analysis. It will discuss only structured firmwares—i.e. firmware containing a file system—by opposition to monolithic firmwares also known as bare-metal firmwares. Students will discover two major steps of this analysis workflow which are also the most firmware specific ones: extraction of the filesystem and its cartography.
Various open-source tools will be introduced, including two developed by the trainer: Pyrrha [1], a mapper collection for firmware analysis, and its underlying API Numbat [2]. Based on this latter, attendees will be able to develop their own cartography tools with a nice UI. All along this workshop, a strong focus will be made on the tasks that could be automated by some existing or future tools but also on the limits of this automatization.
[1] https://github.com/quarkslab/pyrrha
[2] https://github.com/quarkslab/numbat
What do you need to follow this workshop?
This workshop requires attendees to be able to script in Python. The exercises will be adapted to each attendee level and wishes. At the end of the day, attendees will be able to chose which topic they want to dig in: tooling creation, firmware analysis and discover few vulnerabilities in a real life firmware, or, simply take some time to finish exercises and rediscuss some topic of the day.
What is BlackHoodie?
BlackHoodie is a free, women only reverse engineering workshop and community. More information can be found here: https://www.blackhoodie.re/about/
Why women-only?
One qualifies to attend an in-person bootcamp either if born and raised female, or if one identifies as a woman. This concept of women-only has no intention of putting up walls or feeling exclusive. Blackhoodie is about creating space in an industry that’s very competitive. It is a comfortable place, where attendees feel encouraged to grow skills without pressure. We do what we do, not to create women-only bubbles, as contradicting as it might sound, but to enable a minority to enter the security space, learn skills that are otherwise expensive to learn, find their interests and grow a professional network.
And, it works. BlackHoodie alumnae have gone far beyond being successful in the classroom since the workshop series started. They ventured out to start community projects and collaborations, got themselves new jobs in the security industry, went to speak at major security conferences, joined review boards and become influencers in our community. Many went on to mentor others after they had found their spot, came back to BlackHoodie to give trainings on their own or are now conference trainers and teach classes to the community.
Finally, why does the security industry need more women at all? The industry is growing and facing a talent shortage. More importantly, jobs are typically well paid, come with certain privileges, and are challenging and often fulfilling. And we do firmly believe our society as a whole can only benefit from having more women with money, independence and confidence. Likewise, the tech sector has grown in size and influence, and with great power comes great responsibility – responsibility best shared among a diverse body of decision makers.