Becoming a Vulnerability Researcher roadmap: my personal experience

VR_roadmap.md

Index

• #prepreqs

• #roadmap

  • #iot
  • #v8

• #notes

---

preprequisites

• CTFs (binary and reverse)

  • pwn.college
  • Course materials for Modern Binary Exploitation by RPISEC
  • wiki
  • Handbook for CTFers by Nu1L Team

• CTF tools and writeups

  • https://github.com/zardus/ctf-tools
  • https://github.com/pwndbg/pwndbg
  • https://github.com/hugsy/gef
  • https://github.com/david942j/one_gadget
  • https://github.com/niklasb/libc-database
  • https://github.com/jakespringer/angr_ctf
  • https://github.com/perfectblue/ctf-writeups
  • https://github.com/balsn/ctf_writeup
  • https://github.com/str8outtaheap/heapwn (outdated)
  • https://github.com/david942j/ctf-writeups (outdated)
  • https://github.com/scwuaptx/CTF (outdated)
  • https://blog.dragonsector.pl/ (outdated)
  • https://github.com/OpenToAllCTF
  • Understanding glibc malloc
  • how2heap
  • dhavalkapil's Heap Exploitation short book
  • House of Orange and FSOP - angelboy blog
  • ptmalloc fanzine
  • it's a bird, it's a plane, it's ptr-yudai's blog :)

• Books, tutorials:

  • Learn C :) C Programming Language, 2nd Edition
  • The Shellcoder's Handbook: Discovering and Exploiting Security Holes 2nd Edition (outdated)
  • Hacking: The Art of Exploitation, 2nd Edition
  • Learn intel assembly :) Programming from the Ground Up by Jonathan Bartlett
  • Learn what is ELF, the linker and loader Linker and Libraries Guide - oracle
  • The Legend of R4ndom Tutorials
  • Modern Windows Exploit Development by mtomassoli (outdated)
  • Reversing: Secrets of Reverse Engineering 1st Edition
  • Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation
  • Phrack articles
  • 0x00sec.org/u/_py

• Mentality: You challenge yourself, (the more difficult, the better), you have passion, you are persistent, and you understand that failure is part of growing

  • First 20 minutes of this talk explains what it means, i think, Attacking Chrome IPC: Reliably finding bugs to escape the Chrome sandbox
  • The other side of the coin: Keep your brain and body healthy by sleeping, exercising, meditating, and taking vitamin D. If you don't, you might stress your brain to the point that, if you're genetically predisposed, you might win some kind of disease
  • Save bookmarks for anything you wish to learn in the future, and keep notes on things you have already studied
  • Learning How to Learn: Powerful mental tools to help you master tough subjects
  • The Process of Mastering a Skill
  • The Importance of Deep Work & The 30-Hour Method for Learning a New Skill
  • Paradox of Choice | Azeria Labs
  • @netspooky's List of healthy reminders

---

roadmap

In order:

• Vulns1001 OST2 course

  • You will learn something about code auditing
  • AOSS book
  • TLPI book
  • Teaching and Learning Software Analysis via SVF
  • Variant analysis and taint analysis: codeQL, coccinelle, semgrep, joern, weggli

• Do code auditing by your own, select a project, read docs, etc.

  • use a code navigator (for example vim + cscope https://cscope.sourceforge.net/)
  • increase the difficulty

• The XY-Z method:

  • You read a blog that talks about X by doing Y, but you can't understand its content
  • Then you learn X so you can replicate Y, and then you add Z which wasn't done before, even if it's a small change
  • pros: it boosts your confidence, you will remember the subjects stuided more easily by practicing than just by studying the theory

• The XZ-Y method:

  • You read only the abstract of a blog that talks about X by doing Y
  • Then you learn X, then you do Z, which is how you would have resolved Y without knowing how the author implemented it. Finally, you compare your results with the author's.
  • pros: same as above + you learn how to think like a researcher
  • cons: difficult maybe

• Ideally, you should first follow the XY-Z method, and then the XZ-Y method

• fuzzing open source projects tutorial

  • Roadmap to learn fuzzing
  • https://github.com/u1f383/fuzzing-learning-in-30-days

• Follow the same path you have followed for the code auditing tasks, but this time, do fuzzing

• Vulns1002 OST2 course

  • do the labs by following the XZ-Y method

• Work in progress...

IoT

• IoT VR roadmap (hardware hacking excluded)
  • binary analysis (binary lifting, binary rewriting, binary diffing, CFG, Data analysis, etc.)
  • string analysis (string distribution)
  • cross compilation == pain
  • binary code scanners (cwe_checker, emba, etc.)
  • Practical Binary Analysis book
  • Learning Linux Binary Analysis 1st Edition, Kindle Edition
  • Attacking Network Protocols: A Hacker's Guide to Capture, Analysis, and Exploitation 1st Edition
  • simple dynamic binary instrumentation with PythonGdb, 1, 2, 3, 4, 5, 6, 7

V8

• Basics of v8, setting up debug env and reproducing CVE, https://www.matteomalvica.com/blog/2024/06/05/intro-v8-exploitation-maglev/

---

Notes

• this is just my personal experience and should not reflect yours, so forgive me if I have skipped some important reference material 🤝
• I don't feel confident enough to link material about the V8 engine. However, I'll include the links you suggest and write a blog post discussing them 📡

May want to add these articles in the Mindset part:

1. https://azeria-labs.com/the-process-of-mastering-a-skill/
2. https://azeria-labs.com/the-importance-of-deep-work-the-30-hour-method-for-learning-a-new-skill/
3. https://azeria-labs.com/paradox-of-choice/

Sure, thanks!

Basics of v8, setting up debug env and reproducing CVE
https://www.matteomalvica.com/blog/2024/06/05/intro-v8-exploitation-maglev/

Basics of v8, setting up debug env and reproducing CVE https://www.matteomalvica.com/blog/2024/06/05/intro-v8-exploitation-maglev/

Done, thanks!