Ringzer0 BOOTSTRAP24 Austin

Compiler Backdooring For Beginners
02-23, 18:30–19:15 (US/Central), Bootloader 📍Under The Oaks

Ever wondered how compiler mitigations are built? Or how a sophisticated build chain attack can target a compiler to place backdoors and other miscreants? Wonder no more: this hands-on workshop shows you how to build your own compiler pass, which can modify any source code you build to your liking. We'll learn how source code makes its way through the different stages of a compiler into its final binary form, how compilers perform modifications and optimizations of the code, and how they translate their view of the code to a given architecture's binary representation. Students will get a glimpse of how some mitigations everybody knows and loves are actually implemented in a compiler. They'll work hands-on with LLVM Clang, following along with the theoretical chapters of the workshop, and eventually they'll implement a Clang plugin themselves to sneak a backdoor into otherwise perfectly secure code.
Prerequisites: Linux computer or virtual machine or cloud instance


Start of workshop: Download and build your own LLVM clone
Introduction to compiler architecture
- Frontends, Backends, and Intermediate Languages
- Basic compiler passes
- GCC and LLVM Clang in a nutshell
Compiler plugins
- Passes vs. plugins, pros and cons
- Exercise: "Hello World" as a Clang pass
Compiler mitigations walkthrough
- How DOES a compiler build canaries?
- (AddressSanitizer at 10.000ft if time allows)

Lab: Homemade Backdoors
Description: We'll be working on a specially crafted application, which contains a function reading data into a buffer in a safe way. The exercise will be to remove sanitization checks and to modify the buffer so that memory corruption becomes possible. Students will receive a skeleton Clang plugin, and will be walked through code constructs needed to locate the target function, the checks and the buffer, and to perform the requested modifications. The students themselves will complete the plugin and verify its efficacy.

Marion Marschalek is a Senior Security Engineer at AWS, where she advises efforts to build threat detection solutions based on machine learning and AI. Previously, she held an offensive security research position at Intel and different roles in the threat detection industry, as a malware reverse engineer and incident responder. Marschalek is the founder of BlackHoodie, a hacker bootcamp for women, which is established as a global initiative to attract more diverse talent to the security industry.
