Fuzzing is the technique of finding flaws and vulnerabilities in solutions through the mutation of data. This technique is a preferred way of both defenders and attackers to discover vulnerabilities in a system. The Peach Fuzzing Framework is the most widely used fuzzing system. Researchers, corporations, and governments use Peach to find vulnerabilities in systems. Peach was designed to fuzz any type of data consumer from servers to embedded systems. Peach is a cross platform system running on Windows, Linux, and OS X.
This class will focus on the latest release of Peach 3 and is taught by Michael Eddington the creator of Peach.
You will learn to create both dumb and smart fuzzers and apply these concepts and tools to their unique environment. The course is designed to be student-centric, hands-on, and lab intensive. On day one the Peach Fuzzing Framework is introduced from a practitioner's perspective. You will learn how to use Peach to fuzz a variety of targets including network clients & servers, file consumers, and API interfaces such as COM. On the second day you will develop and run fuzzers against different targets mutating data and collecting crashes.
Upon completion of the course and labs you will be able to:
• Understand the core concepts of fuzzing
• Use Peach to create dumb fuzzers
• Use Peach to create smart fuzzers
• Target Peach to fuzz a variety of different data consumers
• File consumers such as web browsers
• Network clients and servers
• API based targets such as COM
• Penetration testers
• Ability to read/write basic XML
• Basic usage of Wireshark
• Reading specifications written in English (RFCs, etc.)
• Coding experience a plus but not required
Students must provide a modern laptop (dual core minimum) with a minimum of 2GB RAM and 30GB free disk with vmware player (or similar) pre-installed.
Printed slide book, printed lab guide, USB memory stick with VMware images.
Michael Eddington is the Chief Technical Officer at Déjà vu Security LLC and its Principal Consultant. He has over ten years of experience in providing security services to Fortune 500 companies in the US. Michael is a recognized thought leader in the fields of application security, network security, threat modeling, and fuzz testing. He routinely speaks and provides training at the top security conferences including Black Hat, CanSecWest and RSA. Michael is a passionate leader in the open-source security development community, contributing to projects including Trike (Threat Modeling), Outlook Privacy plug-in, and Peach Fuzz. Michael is the creator of the widely used Peach Fuzzing framework which is used by many top technology companies to find complex security vulnerabilities. His current research efforts are pushing security vulnerability testing and fuzzing to the next level with innovative tools and techniques.