Establishing a Base for Digging Deeper into Host-based Security on Intel-based Systems

November 27, 2012
Cyber Training: Post by Xeno Kovah

This is the first in a series of posts that will describe our drive to release internally developed computer security training classes that originated at MITRE.

In this post, the editor shares an interview with Xeno Kovah about his two-day training class, Introductory Intel x86: Assembly, Architecture, and Applications, released to the Open Training community.

Editor: What topics do you cover in your class?

Xeno Kovah: It covers understanding the most common Intel CPU assembly instructions, and the "stack," the most commonly used data structure. This is done by showing the correspondence between simple programs, which are only a few lines of C code long, and the assembly generated by the compiler. While there are many special purpose instructions in Intel CPUs, it turns out that only about 20 instructions comprise the majority of code a person will typically see.

For the deep technical audience:

If you visit the http://OpenSecurityTraining.info/IntroX86.html training page, and scroll all the way to the bottom and click on the pi symbol (a reference to the movie The Net ;)), you will see a work-in-progress map of the nitty-gritty details of what is covered in the class. It's not highlighted yet because I want to make sure that when you click on the topics, you go to the portion of the class video that talks about it.

[Ed.]: Why do you think it's important that people know the information you're teaching?

[XK]: One of the most important reasons is because there are a lot of people who know network security, but not enough who know host security. When you treat hosts as black boxes, that's an awful lot of capability and complexity hidden from your view. This class is integral for digging deeper into host-based security on any system that uses an Intel processor.

Another reason for knowing this material is that it's a prerequisite for classes on a number of specialized, high-demand job fields.

[Ed.]: What security jobs can make use of your training?

[XK]: Knowledge of assembly is critical for malware analysts, because there is often a lot of malware capability that cannot be seen just by executing a sample in a test lab. Malware analysts therefore need to be able to read the instructions and infer what capabilities the code has that they haven't seen exercised.

Software developers can also use this knowledge in a number of ways. The first is that it can be used to hand-optimize some particular piece of code. The second is that when debugging your own code, it can sometimes be helpful to look at your code in assembly language to pinpoint the source of a problem. This is especially important when developing low-level code for the kernel or an embedded system. The third way a developer can use this knowledge is as a prerequisite for the Introduction to Software Exploits class in this series. Taking that class helps teach developers which mistakes to avoid, and how attackers will take advantage of the mistakes if they don't follow safe coding practices.

This knowledge is also useful for jobs where you need to write code to exploit program vulnerabilities. This can include penetration testers and similar types of cyber operators. I would also note that NSA recently announced a new type of center around academic excellence: a Center for Academic Excellence in Cyber Operations. If you look at the specific types of knowledge that the NSA wants students to receive, it includes Low Level Programming Languages, which is where this class definitely falls.

[Ed.]: How does this class relate to your work at MITRE?

[XK]: I have used assembly extensively in my work at MITRE. I have spent a number of years working on Windows kernel development for a security project called Checkmate. Checkmate needs a sizable amount of hand-coded assembly to achieve its security goals, and I've had many, many opportunities to debug this assembly. ;) But the assembly knowledge was equally useful when attempting to understand how elements of the Windows kernel work at a low level.

[Ed.]: Does your class fit into a larger training curriculum?

[XK]: Yes. As mentioned, this class serves as a prerequisite for multiple other training paths on things like malware, exploits, or trusted computing. There are course maps on the training page (bottom) of other classes that use this knowledge.

[Ed.]: What made you want to make this class publicly available?

[XK]: Assembly language knowledge is seen by most as a fairly rarefied skill. But I don't think it should be that way. There are plenty of other people out there who know and use assembly. Therefore I wanted to make a full class available so that others who know assembly could use it to teach the topic in their own venues. In this way we can spread the knowledge more quickly.

I then wanted to release videos from the classes that have already been taught at MITRE, so that if my materials were not clear, other instructors could consult the videos and understand what I was going for within a given section. Releasing the videos has the side benefit of enabling additional students to watch the lessons when in-class training is unavailable (which I always think is more helpful and recommend if available).

[Ed.]: Do you have any future follow-up classes planned?

[XK]: Right now I'm mostly focused on improving my existing four classes. This class focuses on 32-bit assembly. Right now I'm updating it to focus on 64-bit assembly, which is becoming more common as people switch to 64-bit desktop OSes. I'm also trying to make this class have more hands-on time, by incorporating a new system of games, which will reinforce the knowledge from the class and give the student immediate feedback. Importantly, the game rounds/questions are randomized to allow infinite replay, either in class or months after class as a refresher. Once I'm done updating my existing courses, I hope to teach a new class on Intel's Trusted Execution Technology (TXT).

[Ed.]: Thank you, Xeno. We will look forward to future updates.