Flag: Tornado! Hurricane!

 Forums >>  Brainstorms - General  >>  Day 1 of Intro RE class videos posted

Topic created on: July 3, 2012 18:37 CDT by xsk .

And can be found on youtube via this link:
http://www.opensecuritytraining.info/IntroductionToReverseEngineering.html


Day 2 is still being edited. And a 2 day follow on class specifically about x86 malware static analysis has been taught. But while the class materials will soon be made available to any one already knowing the topic and wishing to teach a class on it, unfortunately not recorded due to scheduling conflicts, so videos for it will likely not be available until it's taught again, probably post January :-/


But I would like to get your opinions and feedback on another matter. If you would kindly direct your attention to the pi at the bottom of the above linked page and click on it? ;)


This is a map of internal aspects of the class covered on day 1. Someday we would like to host zoomable maps, ala the khan academy's knowledge map (http://www.khanacademy.org/exercisedashboard), but that's not going to happen until we get some volunteers who know javascript.


A couple very interesting things come out of this map. The first has to do with understanding what the least effort paths to an answer to a question are. My discussion is specifically referencing the "General Approach & Questions to Ask When Analyzing a Function" tree. Matt talked a little bit about the general things a reverse engineer should be on the lookout for when analyzing a function. Xeno then added a few more questions. But clearly there are many more "general" questions which can be asked which pertain to specific goals for RE. E.g. someone analyzing code for exploitable conditions can ask whether the node in the CFG where a crash occurs is manipulating user-controlled inputs. Or someone trying bypass a license number input might ask "where is the license number input?" ;)


So the first question I would like to ask people is, what other general questions do you think a RE should ask when approaching software? (Ideally these questions are not x86 specific.) Once we have this sort of feedback, we will make sure that the next time this class is taught, we explicitly call out and speak directly to methodologies to use static analysis to answer those questions on x86 Windows code. And we will answer with an eye toward the questions that are not better answered with dynamic analysis. And we will provide some notional guidance for what can be inferred based on the answers to these questions. This was sort of one of the vague goals of the class, but it wasn't crisp until after we made this graph after the class.


The second interesting thing about that questions tree is how it teases out the relationship between static and dynamic analysis. There are some questions that can be answered by both and some that can be answered only by one. So with this map in hand, we're going to make sure our dynamic analysis class in the fall explicitly tries to answer as many questions as possible. All the more reason to submit questions for consideration now.


And the 3rd interesting thing about making knowledge maps is how it can allow for semi-objective comparison between classes. The first order comparison metric is the simple "Class A covers 80% of the knowledge map, and (free) class B covers 65% (so is it really worth taking class A?)" ;) This is why part of the value of OST is getting instructors to up their game and keep branching out to new areas, rather than just teaching really basic intro material. But breadth is only the first metric of comparison. You would like to be able to use depth next. So "Class A covers topic 1 just in slides for 10 minutes with 10 slides, and Class B has 10 slides and a 20 minute lab" While slide counts and lab time may only give a fuzzy sense of depth, it certainly speaks to potential for student absorption. The last, and most subjective metric we might like to layer on top of a knowledge graph is the notion of whether a given topic is paired with a "good" exercise to facilitate its absorption (which is the hallmark of more mature classes). As just mentioned, more lab time can be good to help students absorb the material, but this is because they are forced to reuse the commands that they maybe just learned about in slides. So alternatively the use of training games (like we're trying to develop for the r0x0r arcade, http://code.google.com/p/roxor-arcade/) can be used to reinforce specific topics.


So those are just some thoughts and questions to you the community. Thanks for reading, and let us know your feedback on the knowledge map for day 1 of this class.


The OpenSecurityTraining Team

No posts found under this topic.
Note: Registration is required to post to the forums.

There are 31,320 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit