- #iot
- #chrome-and-friends: Chrome, V8, Blink, Mojo, etc.
- Linux kernel #todo
- expdev #todo
- fuzzing #todo

#meta-vr: Reference materials discussing other aspects of vulnerability research, such as the ethical considerations

CTFs (binary and reverse)
- pwn.college
- COMPSCI 390R Reverse Engineering & Vulnerability Analysis
- Course materials for Modern Binary Exploitation by RPISEC
- ctf-wiki
- Handbook for CTFers by Nu1L Team

CTF tools and writeups
- https://github.com/zardus/ctf-tools
- https://github.com/pwndbg/pwndbg
- https://github.com/hugsy/gef
- https://github.com/david942j/one_gadget
- https://github.com/niklasb/libc-database
- https://github.com/jakespringer/angr_ctf
- https://github.com/perfectblue/ctf-writeups
- https://github.com/balsn/ctf_writeup
- https://github.com/str8outtaheap/heapwn (outdated)
- https://github.com/david942j/ctf-writeups (outdated)
- https://github.com/scwuaptx/CTF (outdated)
- https://blog.dragonsector.pl/ (outdated)
- https://github.com/OpenToAllCTF
- Understanding glibc malloc
- how2heap
- dhavalkapil's Heap Exploitation short book
- House of Orange and FSOP - angelboy blog
- ptmalloc fanzine
- it's a bird, it's a plane, it's ptr-yudai's blog :)

Books, tutorials:
- Learn C :) The C Programming Language, 2nd Edition
- The Shellcoder's Handbook: Discovering and Exploiting Security Holes, 2nd Edition (outdated)
- Hacking: The Art of Exploitation, 2nd Edition
- Learn Intel assembly :) Programming from the Ground Up by Jonathan Bartlett
- Learn what ELF, the linker and the loader are: Linker and Libraries Guide (Oracle)
- The Legend of R4ndom Tutorials
- Modern Windows Exploit Development by mtomassoli (outdated)
- Reversing: Secrets of Reverse Engineering, 1st Edition
- Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation
- Phrack articles
- 0x00sec.org/u/_py

Mentality: you challenge yourself (the more difficult, the better), you have passion, you are persistent, and you understand that failure is part of growing
- The first 20 minutes of this talk explain what this means, I think: Attacking Chrome IPC: Reliably finding bugs to escape the Chrome sandbox
- The other side of the coin: keep your brain and body healthy by sleeping, exercising, meditating, and taking vitamin D. If you don't, you might stress your brain to the point that, if you're genetically predisposed, you develop some kind of disease. Also, don't stay seated for too long: after a while, stand up, stretch, and move around regularly. This is good for your health and helps prevent issues that often come with aging.
- Save bookmarks for anything you wish to learn in the future, and keep notes on things you have already studied
- Learning How to Learn: Powerful mental tools to help you master tough subjects
- The Process of Mastering a Skill
- The Importance of Deep Work & The 30-Hour Method for Learning a New Skill
- Paradox of Choice | Azeria Labs
- @netspooky's List of healthy reminders
In order:
- You will learn something about code auditing
- AOSS book, The Art of Software Security Assessment (personal notes)
- TLPI book, The Linux Programming Interface (personal notes)
- Teaching and Learning Software Analysis via SVF
- Variant analysis and taint analysis: CodeQL, Coccinelle, Semgrep, Joern, weggli

Do code auditing on your own: select a project, read the docs, etc.
- use a code navigator (for example vim + cscope, https://cscope.sourceforge.net/)
- increase the difficulty as you go

The XY-Z method:
- You read a blog post that explains X by doing Y, but you can't understand its content
- Then you learn X so you can replicate Y, and then you add Z, which wasn't done before, even if it's a small change
- pros: it boosts your confidence, and you remember the subjects studied more easily by practicing than by studying the theory alone

The XZ-Y method:
- You read only the abstract of a blog post that talks about X by doing Y
- Then you learn X and do Z, which is how you would have solved Y without knowing how the author implemented it. Finally, you compare your results with the author's.
- pros: same as above, plus you learn how to think like a researcher
- cons: can be difficult

Ideally, you should first follow the XY-Z method, and then the XZ-Y method

Follow the same path you have followed for the code auditing tasks, but this time, do fuzzing
- do the labs by following the XZ-Y method

Work in progress...
- IoT VR roadmap (hardware hacking excluded)
- binary analysis (binary lifting, binary rewriting, binary diffing, CFG, Data analysis, etc.)
- string analysis (string distribution)
- cross compilation == pain
- binary code scanners (cwe_checker, emba, etc.)
- Practical Binary Analysis book
- Learning Linux Binary Analysis, 1st Edition
- Attacking Network Protocols: A Hacker's Guide to Capture, Analysis, and Exploitation, 1st Edition
- simple dynamic binary instrumentation with PythonGdb, 1, 2, 3, 4, 5, 6, 7

MiraclePtr: https://security.googleblog.com/2024/01/miracleptr-protecting-users-from-use.html

https://github.com/keyou/chromium_demo
- Project giving a series of demos exercising some core components of the Chromium codebase. It's incomplete and only partially translated into English, but still a decent way to get your hands dirty

ITW (in the wild) CVE-2024-5274, CVE-2024-4671

Let's Understand Chrome V8 series [EN/CN]

https://github.com/plctlab/v8-internals [CN] (I will publish the translated repo + video soon)

seal9055 browser exploit series (partially outdated)

Blogs, etc.
- https://v8.dev/blog/pointer-compression
- https://jhalon.github.io/chrome-browser-exploitation-1/ (start here)
- https://ponyfoo.com/articles/an-introduction-to-speculative-optimization-in-v8
- https://doar-e.github.io/blog/2019/01/28/introduction-to-turbofan/
- https://www.madstacks.dev/categories/v8-series/ (outdated)
- https://doar-e.github.io/blog/2019/05/09/circumventing-chromes-hardening-of-typer-bugs/ (outdated)
- https://blog.exodusintel.com/2023/05/16/google-chrome-v8-arrayshift-race-condition-remote-code-execution/
- Basics of V8, setting up a debug environment and reproducing a CVE: https://www.matteomalvica.com/blog/2024/06/05/intro-v8-exploitation-maglev/
- Sandbox escape: https://anvbis.au/posts/code-execution-in-chromiums-v8-heap-sandbox/, https://anvbis.au/posts/exploring-historical-v8-heap-sandbox-escapes-i/
- Conference talk: Modern attacks on Google Chrome (2023), https://www.youtube.com/watch?v=WouAptHlyC4
- V8's attack surfaces in 2024, xvonfers' opinion, https://x.com/xvonfers/status/1800246814463189054
- Javascript Engines Vulnerability Research: State of the Art (HITBxPHDays 2024), https://www.youtube.com/watch?v=YpsfQl0V_3k
- VXCON 2024 Workshop | Alisa Esage - Browser Exploitation Workshop, https://www.youtube.com/live/b9OhamkAY2I

Sea of nodes

TheHole object value

...

"FAQ: The tragedy of low-level exploitation"
- Gynvael Coldwind responds to a FAQ, which is "How to get into a low-level exploitation and exploit development career?", and concludes with what the author calls "the tragedy of low-level exploitation".

"Breaking Into Vulnerability Research: Dr Silvio Cesare - InfoSect" off-by-one 2024 talk
- The talk gives a brief intro to VR and then discusses the challenges of starting and running a company that specialises in vulnerability research. The typical problems likely faced ...

- A great episode that explains how the exploit market works from the perspective of security researchers (the selling side)

"Fuzzing from First Principles with Alisa Esage" Off By One Security podcast episode
- The first part of the episode gives some lesser-known insights on fuzzing, with a particular focus on probability distributions

- The first part of the episode covers the common exploit development lifecycle
- The second part, more interestingly, walks through the exploit development lifecycle for a Windows LPE demonstrated at Pwn2Own

CVE North Stars
- ref https://cve-north-stars.github.io/
- CVE North Stars introduces a method to kickstart vulnerability research by taking advantage of the CVE information freely available. This tutorial walks through practical CVE analysis, binary patch diffing, and root cause analysis.

Exploits.Club
- ref https://blog.exploits.club/
- Newsletter for exploit developers, vuln researchers, and hackers

Paged Out!
- ref https://pagedout.institute/
- Non-Profit, Community-Driven Magazine about Technical Hacking and Programming

AppSec Ezine

Off By One Security
- ref https://www.youtube.com/@OffByOneSecurity/streams
- Cybersecurity podcast discussing VR, rev, and expdev
- This is just my personal experience and should not reflect yours, so forgive me if I have skipped some important reference material 🤝

May want to add these articles to the Mindset part: