Explore the intricacies of zero-day exploit development in this 57-minute conference talk from the 35th Chaos Communication Congress (35C3). Demystify the exploit development lifecycle, gaining insight into the engineering process behind a zero-day exploit used against Apple Safari at PWN2OWN 2018. Learn about the analytical approach employed to attack unfamiliar software targets, contrast this process with CTF/Wargame challenges, and discover the path from casual enthusiast to security professional. Delve into topics such as bug hunting, source code review, common misconceptions about browser exploits, and the responsibilities of security researchers. Gain a comprehensive understanding of the challenges and methodologies involved in this increasingly difficult tradecraft, presented by experts Markus Gaasedelen and Amy (itszn).
Overview
Syllabus
Introduction
Welcome
Agenda
Rondon 2018
The Odds
How Long
No Upper Bound
Google Everything
Scope
Bad Components
Bug Hunting
Final Coverage
Source Review
Misconceptions
Misconception
Easytofind bugs
Browser exploits
CTFs
Ride the exploit development roller coaster
Responsibilities
Taught by
media.ccc.de
