Advanced technical training for security researchers, incident response handlers and exploit developers. Our hands-on workshops give your staff the skills to understand how modern attacks are developed and performed.
Our trainings are scheduled once enough people have indicated their interest in taking one. Fill out the form below if you are interested in taking a training offered by Trail of Bits.
| Available Trainings | Course Length | Register |
| --- | --- | --- |
| Windows Browser Exploitation ("Assured Exploitation") | 2, 3 or 5 days | Waiting List |
| Full-Spectrum Capture the Flag | 3 or 5 days | Waiting List |
| Ruby Security | 1 or 2 days | Waiting List |
If you would like to schedule a private training for your company or have any questions about the courses, please contact firstname.lastname@example.org. Receive announcements about our upcoming trainings by subscribing to our announcement list. If you would like to request help from your company to attend a training, we can help you get started.
Many security professionals have experience with stack overflows and heap spraying, but these techniques are rarely sufficient when applied to modern systems. Reliable exploitation on Vista and Windows 7 systems requires advanced techniques such as heap layout manipulation, return-oriented programming and ASLR information leaks. This two-day intensive course focuses on teaching the principles behind these advanced techniques and will give the students hands-on experience with real-world exploits.
CTF competitions try to distill the essence of many aspects of professional computer security work into a single short exercise that is objectively measurable. The focus areas that CTF competitions tend to measure are vulnerability discovery, exploit creation, toolkit creation, and operational tradecraft. A modern computer security professional should be an expert in at least one of these areas and ideally in all of them. Therefore, preparing for and competing in CTF represents a way to efficiently merge discrete disciplines in computer science into a focus on computer security.
In the last year, many new vulnerabilities and vulnerability classes have been discovered in Ruby applications. These vulnerabilities make use of features specific to the Ruby language and common idioms present in large Ruby projects, such as serialization and deserialization of data in the YAML format. As these vulnerability classes were initially discovered in popular and well-studied open source software, it’s extremely likely that they occur in applications throughout the Ruby ecosystem. These applications frequently represent lucrative targets for attackers, and with the appearance of new and easily exploitable bug classes, the potential for targeted and mass exploitation of Ruby programs has been demonstrated to the world. In this training, we aim to bridge a knowledge and skills gap by bringing information about these new vulnerability classes to software developers.
This training will cover the recent Ruby on Rails vulnerability classes and their root causes, and include demonstrations and exercises where students develop exploits for real-world vulnerabilities. Students will learn the patterns behind the vulnerabilities and develop software engineering strategies to avoid introducing vulnerabilities of this type into their projects.