Effective Fuzzing:
Using the Peach Fuzzing Platform

Overview

Fuzzing is the technique of finding flaws and vulnerabilities in solutions through data mutation. It is a preferred way for attackers to discover vulnerabilities in systems. The Peach Fuzzer is the most innovative generational and mutation fuzzing framework. From inception, Peach was designed to find security vulnerabilities. It has already been adopted by many organizations as their standard fuzz testing platform.

The course is designed to be student-centric, hands-on, and lab intensive. On day one, students will be introduced to the Peach Fuzzing Platform from a practitioner's perspective. They will learn how to use Peach to fuzz a variety of targets including network protocol parsers, ActiveX/COM interfaces, file parsers, APIs, and web services. Students will learn new techniques to discover security flaws using fuzzing in applications, like N-tier applications, which were previously thought to be unsuitable for fuzzing.

On the second day, students will be exposed to the internals of Peach for a developer's perspective. The Peach architecture and module interfaces will be explained in detail. This will equip students with the skills necessary to extend and adapt Peach to their unique needs. In a lab exercise, students will develop their own Peach extensions to reinforce these concepts.

Upon completion of this course, students will be enabled to create effective fuzzers that target:

• State-aware network protocol parsers
• N-tier applications
• Arbitrary APIs
• File parsers
• COM and Active/X components
• Detect non-classic faults in software
• Extend the Peach Fuzzing Platform by creating custom Transformers, Generators, Publishers, and Monitors.
• Apply these concepts and tools to their unique environment
• Utilize parallel fuzzing to increase fuzzing efficiency

What to bring

Ability to read/write basic XML Proficient in Python a bonus

Laptop capable of running 2 vmware images at once, minimum 20 GB free disk, 1GB RAM (2GB RAM recommended), DVD reader, Ethernet jack VMWare Player (free)

Trainers

Michael Eddington is the Chief Technical Officer at Déjà vu Security LLC and its Principal Consultant. He has over ten years of experience in providing security services to Fortune 500 companies in the US. Michael is a recognized thought leader in the fields of application security, network security, threat modeling, and fuzz testing. He routinely speaks and provides training at the top security conferences including Blackhat, CanSecWest and RSA.

Michael is a passionate leader in the open-source security development community, contributing to projects including Trike (Threat Modeling), Outlook Privacy plug-in, and Peach Fuzz. Michael is the creator of the widely used Peach Fuzzing framework which is used by many top technology companies to find complex security vulnerabilities. His current research efforts are pushing security vulnerability testing and fuzzing to the next level with innovative tools and techniques.

Adam Cecchetti is the Chief Research Officer at Déjà vu Security. He specializes in application and hardware penetration testing. Adam has over 10 years of professional penetration testing experience and is a contributing author to multiple security books, benchmarks, tools, and research projects.

Adam holds a master's degree from Carnegie Mellon University in Electrical and Computer Engineering. He has been leading application penetration tests, hardware reverse engineering, code and design reviews for the Fortune 500 for the last decade. Adam's research is currently heavily focused on hardware fuzzing and automated exploitation analysis.