The ARM family of processors continue to grow in relevance, popularity, and performance. Once considered a bit of a niche, ARM now powers everything from cheap embedded devices to high-end smartphones, laptops, and even some servers. The utility of learning ARM related skills has never been higher.
This accelerated course will familiarize students with the fundamentals of binary exploitation as they manifest on the ARM architecture. By focusing on the relevant distinctions between ARM and other architectures, our course facilitates rapid skill-transfer, allowing students to apply their existing vulnerability research skillsets to ARM-based systems.
Students will walk away from this course with the foundation needed to confidently perform vulnerability research against ARM based binaries.
Professional-tier users are eligible to redeem a professional RET2 WarGames certificate of training upon adequate completion of this course. For more info, please refer to the certificate info page.
Please note, this course is intended for individuals who already possess some experience with binary exploitation concepts, or those with a strong background in low-level ARM concepts, but little security experience.
If you are looking for a course focused on teaching exploitation concepts from the ground up, please consider our Fundamentals of Software Exploitation courseware.
Before diving headfirst into exploitation, it is important to be comfortable reading, navigating, and understanding ARM assembly code.
This chapter will highlight major differences between x86-64 and ARM architectures while providing a series of increasingly difficult challenges that highlight those differences.
Memory corruption will often cause a program to misbehave or crash, but with clever manipulation, it can be used to hijack program control flow.
This chapter will explain "classic" memory-corruption concepts, specifically in the context of binary exploitation on ARM. We will explore how the stack is managed and how simple buffer overflows can be used to hijack program control flow.
Shellcoding is the practice of crafting small pieces of "malicious" assembly-code that can be injected into a running program by an exploit.
This chapter will teach you about writing shellcode payloads for ARM and the unique constraints involved that may not exist on x86-64, such as instruction alignment.
Data Execution Prevention, known as the "Execute Never" (XN) bit on ARM, was designed to disarm code injection techniques (such as shellcoding) by ensuring that memory marked as "data" could not be executed by the CPU.
In this chapter, we walk through Return Oriented Programming (ROP) techniques as they exist on ARM. This includes a review of traditional ROP techniques such as stack-pivoting, as well as techniques that are much more common on ARM, such as COP & JOP.
While this course focuses on 32-bit ARM (armv7), the 64-bit variant architecture (aarch64) is dominant in most higher-end ARM devices. This chapter will introduce the fundamentals of ARM64, highlighting the major changes from its 32-bit predecessor. Fortunately, despite technically being a fully new architecture, aarch64 feels similar to work with.
This chapter will explore the new instruction set, calling convention, and the new exploit mitigations introduced in aarch64.
Before diving headfirst into exploitation, it is important to be comfortable reading, navigating, and understanding ARM assembly code.
This chapter will highlight major differences between x86-64 and ARM architectures while providing a series of increasingly difficult challenges that highlight those differences.
Memory corruption will often cause a program to misbehave or crash, but with clever manipulation, it can be used to hijack program control flow.
This chapter will explain "classic" memory-corruption concepts, specifically in the context of binary exploitation on ARM. We will explore how the stack is managed and how simple buffer overflows can be used to hijack program control flow.
Shellcoding is the practice of crafting small pieces of "malicious" assembly-code that can be injected into a running program by an exploit.
This chapter will teach you about writing shellcode payloads for ARM and the unique constraints involved that may not exist on x86-64, such as instruction alignment.
Data Execution Prevention, known as the "Execute Never" (XN) bit on ARM, was designed to disarm code injection techniques (such as shellcoding) by ensuring that memory marked as "data" could not be executed by the CPU.
In this chapter, we walk through Return Oriented Programming (ROP) techniques as they exist on ARM. This includes a review of traditional ROP techniques such as stack-pivoting, as well as techniques that are much more common on ARM, such as COP & JOP.
While this course focuses on 32-bit ARM (armv7), the 64-bit variant architecture (aarch64) is dominant in most higher-end ARM devices. This chapter will introduce the fundamentals of ARM64, highlighting the major changes from its 32-bit predecessor. Fortunately, despite technically being a fully new architecture, aarch64 feels similar to work with.
This chapter will explore the new instruction set, calling convention, and the new exploit mitigations introduced in aarch64.