Easy way to learn more about WebAssembly Security !!!

Next Public Trainings 2019

Our WebAssembly security trainings are also available on-site at the location of your choice.

  • Dates: 13th – 15th October 2019 (3 days)
  • Hosted by: HITB + CyberWeek 
  • Location: Emirates Palace, Abu Dhabi, UAE
  • Instructor: Patrick Ventuzelo
  • Availability: 20 Seats
  • Language: English
  • More details: here

Trainings are also available at a location of your choice.

More details: here

WebAssembly Security
"From Reversing to Vulnerability Research"

This course will give you all the prerequisites to understand what a WebAssembly module is and how its associated virtual machine works. At the end of these 4 intensive days, you will be able to reverse a WebAssembly module statically and dynamically, analyze its behavior, create detection rules, and search for vulnerabilities and security issues. You will learn which security measures the WebAssembly VM implements to validate modules and handle exceptions. Finally, you will discover how to find vulnerabilities inside WebAssembly VMs (web browsers, standalone VMs) using different fuzzing techniques.

Throughout this training, students will work through many hands-on exercises that allow them to internalize the concepts and techniques taught in class.

COURSE OUTLINE

Day 1 – WebAssembly Reversing

Introduction to WebAssembly
WebAssembly VM architecture
WebAssembly toolchain
Writing examples in C/C++/Rust/C#
Debugging WebAssembly module
WASM binary format (header, sections, …)
WebAssembly Text Format (wat/wast)
WebAssembly instruction set
Writing examples using WASM Text format
Reversing WebAssembly module
CFG & CallGraph reconstruction
DataFlowGraph analysis
Browser Addons reversing

Day 2 – Real-life Modules Analysis

Modules Instructions analytics/metrics
WASM cryptominers analysis
Pattern detection signatures (YARA rules, …)
Taint Tracking
Dynamic Binary Instrumentation
Bytecode (De)-Obfuscation techniques
Static Single Assignment & Decompilation
Real-life WASM module analysis
Hacking WebAssembly video game

Day 3 – Wasm Modules Vulnerabilities

Traps & Exception handling
WebAssembly module vulnerabilities
Integer/Buffer/Heap Overflows
Advanced vulnerabilities (UaF, TOCTOU…)
CFI Hijacking
Emscripten vulnerabilities
Exploiting a NodeJS server running a wasm module
Vulnerability detection (Static & Dynamic)
Lifting WASM bytecode
Fuzzing WebAssembly modules

Day 4 – Vulnerability Research inside Wasm VM

Web-Browsers vulnerabilities analysis (CVEs PoC)
WebAssembly VM & Interpreter vulnerabilities
WebAssembly JS APIs generation
Fuzzing Web-Browsers (Chrome, Firefox, WebKit)
WASM module validation mechanism
Writing edge case module
WAT, WAST & WASM grammar generation
Interesting VM targets (kernel, blockchain, …)
Fuzzing C/C++/Rust/Go based WASM project
WebAssembly for Security Researcher

Training

New to WebAssembly? Unfamiliar with WebAssembly security? Our security trainings are designed to familiarize engineers, developers, designers and security professionals of any level with the topic.

Check out the training content we can offer.

Services

Are you developing a new WebAssembly module or dealing with a cryptominer? Do you want to put existing C/C++/Rust/… code to the test? Need someone to evaluate solutions and services for you?

Check out the services we can offer.