Breaking things at Google's init.g Security Workshop

A great learning experience at Google London

November 5, 2019

Over the past weekend I was fortunate enough to attend init.g, an invite-only three-day cyber security workshop by Google for students from Europe, the Middle East and Africa, hosted in their London King’s Cross office.

Out of the 40 attendees, I was the only one traveling from South Africa, but I quickly met some fantastic folks and Google employees that made the workshop a blast!

Posting with some cool post-it note art

We started the first day with a workshop on binary vulnerabilities, where we exploited buffer and stack overflows to do some magic like obtain root shells! (Un)fortunately, these attack vectors aren’t so easy to find and exploit these days, so we looked into using more modern attacks such as return-to-libc, as well as modern defences.

Day two involved a workshop on fuzzing, going over its history and playing with some early examples, and then writing some code that used libFuzzer to throw random data at programs to try and get them to exhibit some interesting behaviour (read: crashes!). Incredibly, it’s relatively easy to write a fuzzer to catch the Heartbleed bug, asserting the significance of fuzzing. As we were at Google, it was obligatory to speak about the VRP rewards on offer for finding vulnerabilities, and how fuzzing ties in nicely with the search.

We then had an additional workshop on Android application hacking, which involved interacting with Android devices via ADB, decompiling and disassembling APKs, and then reverse-engineering disassembled code to find some flags!

CTF finals The Google CTF finals taking place

The init.g event was held at the same time as the onsite final round of the Google CTF, so we had the chance to watch some of the best teams in the world compete for big prizes and attend their awards ceremony. We were also able to try and defuse a fake bomb from the “Having a Blast” hardware CTF challenge—it blew up, sadly, but at least we live to tell the tale!

Other highlights include presentations from top bughunters that had taken part in the Vulnerability Reward Program, where they explained how some of their discoveries were made; we also got to do mock interviews with Google engineers where we worked on preparing for the real deal. I also had the chance to spend a bit of time with LiveOverflow and John Hammond, two YouTubers with a focus on information security and breaking things that I have a great deal of respect for—kudos!

The opportunity to attend these workshops and improve my skills was invaluable, and I was fortunate to meet some incredibly talented engineers and fellow attendees, and engage in many meaningful and thought-provoking discussions. I can’t thank the organisers enough for the experience!

Some amazing office views Some non-so-normal office views

CTF awards ceremony Google CTF Awards Ceremony

Office art Very creative Post-it Note office art

Badge Obligatory badge pic

comments powered by Disqus