CanSecWest: Security Masters Dojo Vancouver
Java Security, Understanding Threat Patterns, And Optimize The DefensesRegister for March 4-5 Course
Most trainings about Java security focus on the Security API or crypto techniques, and rarely focuses attack and defense on the runtime code itself. This training uses both perspectives, first it addresses the security architect/analyst PoV, and shows approaches how to identify holes in the protection infrastructure and how to close them. For this purpose we present tools like fine-tuning the Java Security Manager, identify potential security bugs with static and dynamics tools, also dive into details to work efficiently with decompilers, debuggers and other tools of the trade (like JVisualVM).
The second part focuses on the attacker perspective and helps to validates protection mechanisms. First it provides knowledge about the attack surface of Java-based software and then presents the attachers mindset to break the defenders assumptions. Using runtime code expertise to identify hooks to execute own code or remote control existing code is an important skill, demonstrated with analysis of real-life OpenJDK code and malwave dissection.
- Java Security
- The View of the Defendor
- Understanding Runtime Security Mechanisms
- Reconstruct application logic: Reverse Engineering
- Taking the view of the Attacker
- Attack Types
- Metasploit and Java
- Fuzzing in a Java context
- Understanding Java Malware
- Misusing Enterprise Frameworks
PREREQUISITE WARNING Each class has prerequisites for software loads and a laptop is mandatory. These individual class guides will list material the students are expected have knowledge about coming in and software tools that need to be pre-installed before attending so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs.
Participants should have previous security audit experience (C,C++,Java). This includes conducting source code analysis, static analysis, overview knowledge of common exploitation techniques, runtime instrumentation, debugging post-exploitation activities. You will benefit from experience with programming in the Java Programming Language before. Students are expected to be familiar with the basic principles of Java Programming, and by that be familiar with the API of the fundamental system libraries. Participants should know to handle the standard of procedures of developing Java programs (be able to start the compiler and runtime tools using the command line). Additionally they should be comfortable configuring JRE settings and perform low-level code analysis, including reverse engineering.
The material presented throughout this course is focused to support the theoretical fundaments with practical examples. Being exposed to real-life examples, the ability to think around the corner and even outside the box is helpful. Nevertheless, the trainer will help you to stay on track.
For the practical parts a virtual machine environment will be provided. For that the student will need a intel based laptop (2Ghz), having at least 2GB of RAM, with a current version (4.2+) of VirtualBox installed.
What to Bring
Students will be provided with a customized work environment utilizing a Virtual Machine image. Students will need to bring their own laptop with:
- Laptop with 2 GBs of RAM (4 GB preferred)
- a preconfigured VM will be provided, make sure to have VirtualBox installed
- 15G free hard disk space