SEC661: ARM Exploit Development

  • Online
12 CPEs

SEC661 is designed to break down the complexity of exploit development and the difficulties with analyzing software that runs on IoT devices. Students will learn how to interact with software running in ARM environments and write custom exploits against known IoT vulnerabilities.

Course Authors:

What You Will Learn

The Internet of Things (IoT) has taken over. Everywhere we look we see more systems coming online, from routers to refrigerators. But as these systems become more and more integrated into our home and business networks, how does their security posture keep up with their increasing popularity? The Advanced Reduced instruction set computing Machines architecture (ARM) introduced a new family of computer processors that provide a robust platform that is ideal for running a wide variety of small, specialized systems.

Unfortunately, the rapid expansion of new devices coming to market, along with accelerated development lifecycles, mean that security is often an afterthought. The security posture of many IoT devices is further restricted due to hardware limitations and the need to maintain low production costs.

Now more than ever, there is a demand for highly skilled security professionals who understand IoT vulnerabilities and ARM exploitation. However, the complexity of exploit development and the difficulty of acquiring and analyzing the software that runs on IoT systems can create intimidating barriers to those wanting to enter this field.

SEC661: ARM Exploit Development is designed to break down those barriers. It has been built from the ground up to give students a solid foundation in exploit development on the ARM platform. The course starts by going over the fundamentals of the architecture and some basic ARM assembly. Initial emphasis is placed on key data structures and how they work together so that students gain a better understanding of why certain vulnerabilities occur.

Students are provided with the tools they need to set up and work in an ARM environment. From there, we go through several hands-on labs that explore memory corruption vulnerabilities and show how to craft custom input in order to gain control of execution. We will also cover common exploit mitigations and techniques for bypassing them. Finally, students will demonstrate their understanding of the core concepts taught in this highly technical course by crafting their own exploits against two emulated ARM routers.

You will learn:

  • Techniques for running ARM in an emulated environment
  • The fundamentals of ARM assembly
  • How to write ARM exploits to leverage stack-based buffer overflows
  • Exploit mitigations and common workarounds
  • How to work with ARM shellcode
  • Return Oriented Programming (ROP)
  • How to exploit IoT devices in ARM
  • 64-bit ARM exploit development

Syllabus (12 CPEs)

Download PDF
  • Overview

    Section one kicks off with an overview of ARM and how it differentiates itself from other architectures. Next, we dive into some common ARM assembly instructions and show how they interact with the system. With emulation, we are able to work directly in an environment where we can debug ARM programs and step through them one instruction at a time. We take an in-depth look at the stack and how it can be abused by vulnerabilities that allow an attacker to gain control of execution. We build upon this knowledge by writing our own ARM exploits for a couple of different scenarios. We close out section one by looking at different types of exploit mitigations and how they have changed the game for attackers.

    • Working with ARM (Tools and Techniques)
    • Debugging ARM
    • Branching
    • Exploiting Stack Overflows
    • Overview of the ARM architecture and how it affects us as both consumers and security professionals
    • Cross-compiling ARM binaries and how the different steps of the build process are relevant to exploit development
    • Format and common patterns in ARM assembly
    • Tools and techniques for emulating ARM
    • ARM analysis and debugging
    • The Stack and how this important data structure is used and abused by exploit developers
    • Stack Overflows, leveraging stack-based memory corruption in order to gain control of execution
    • Exploit Mitigations and how they can be bypassed
  • Overview

    We begin section two by looking at some ARM shellcode under the hood. We go over bad characters and different scenarios that might require modifying and reassembling shellcode. From there, we shift our focus to the Internet of Things (IoT) and start by extracting some firmware. We then analyze a Netgear exploit that was recently disclosed in 2020. Return-Oriented Programming (ROP) is covered in detail and we show how to find gadgets and build custom ROP chains. We then examine how this type of exploit can be used against an emulated Dlink router. Finally, we go over the differences between 32-bit and 64-bit ARM, stepping through some 64-bit ARM shellcode and using it to exploit a buffer overflow.

    • Shellcode
    • Firmware Extraction
    • Netgear Exploit
    • ROP
    • Dlink Exploit
    • 64-bit ARM
    • How shellcode works and how to modify it for custom exploits
    • Common techniques for acquiring and analyzing firmware images
    • In-depth analysis of a real world IoT exploit against Netgear devices
    • How Return-Oriented Programming works, searching for gadgets and creating custom ROP chains
    • In-depth breakdown of a vulnerability and exploit used to attack an emulated Dlink router.
    • Similarities and differences of 64-bit ARM and leveraging what we've learned on this platform


  • Familiarity with some type of assembly language is recommended. We will cover some of the basics in class, but any assembly experience would be a great head start.
  • Working knowledge of the C programming language
  • Familiarity with the Linux operating system, including navigating the file system and running basic commands, as well as using a console-based editor such as vim or nano.
  • Ability to edit and run basic Python scripts

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.


  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple systems using the M1/M2 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 16GB of RAM or more is required.
  • 100GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.


  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact

Author Statement

"If you have been looking to get into exploit development or are looking to grow and solidify your skills, this course was designed for you. ARM is taking the world by storm. With billions of new devices being introduced each year, understanding the fundamentals of security vulnerabilities in ARM and how they can be exploited is a valuable skill that will continue to be in high demand for years to come. My goal in writing this course is to ignite the passion within you and equip you with the skills you need to take you to the next level." - John deGruyter


The labs take away so many headaches & time it would take to build this kind of setup. The course provides the right curated information, techniques, methods, & tools to get you to the root shell.
GT Kruse
Wood Consulting Services, Inc.
The course brings you up to date to ARM assembly, 0 to hero.
Dan-Alexandru Marin
Ah, to be able to understand how it works... What I like most is the straight to the point aspect of the course. General basics -> debugging -> exploiting -> ROP on emulated router.
Sébastien de Tillesse

    Register for SEC661