Despite the increasing awareness and money behind improving application security it is still possible to find zero-day vulnerabilities in production software using simple fuzzers. The last couple of years have seen numerous companies launch bug bounty programs in an attempt to crowd-source a solution to this problem. Whether you're a member of a development team looking to fuzz your software before release or a researcher looking to find vulnerabilities to score some bug bounty prizes, Fuzzing For Vulnerabilities will get you started developing fuzzers and running them against target software.
Students start the course by learning fuzzing fundamentals. We find it's best if everyone understands all the parts to a successful and scaleable fuzzing framework. Once all of those parts have been discussed and setup, the students will write their first fuzzer (dumbfuzz). Students will then run the framework they've setup and their new fuzzer against the target application to find vulnerabilities. All this on the first day.
Day 2 picks up where we left off and continues to build upon whats already been taught as we dive into format-aware (smart) fuzzers. The remainder of day 2 is where we cover a number of advanced topics to get students on the path to mastery. We will discuss AddressSanitizer; how it works, how it can help find additional vulnerabilities, and how to set it up. We also cover a number of other topics including: code coverage, corpus distillation, in-memory fuzzing, and differential fuzzing. Finally we will discuss crash analysis to automate analysis for thousands of crashes to determine unique vulnerabilities.
- Fuzzing Overview – An introduction to the fundamental techniques of fuzzing including mutation-based and generative-based fuzzers, and covers the basics of target instrumentation.
- Dumb Fuzzing – An overview of the benefits and drawbacks of generic fuzzers which have little to no insight into the format of the data being fuzzed
- Smart Fuzzing – An in-depth discussion of specialized mutation-based and generative-based fuzzers, choosing fuzzed values to increase the likelihood of a crash, and using protocol specifications as a guide to develop a fuzzer.
- Advanced Techniques – Covers advanced techniques to increase fuzzer efficiency and effectiveness. Topics include: using AddressSanitizer to enhance vulnerability detection, collecting code coverage statistics, corpus distillation, in-memory fuzzing, differential fuzzing, and introduces whitebox fuzzing (input generation).
- Crash Analysis – Discussion of tools and methods that aid in analyzing large numbers of crashes to determine uniqueness and give a hint at the severity.
Anyone who is looking to learn more about fuzzing. This course starts with beginner level concepts to get everyone up to speed and then delves into how to write custom fuzzers and more advanced topics.
Students should bring a laptop with a 64-bit processor and operating system and at least 4Gb of RAM. The provided virtual machine is 64-bit Ubuntu 16.04 and will not run on 32-bit host machines.
In addition to the training manual and exercise booklet, students will receive an Ubuntu 16.04 virtual machine loaded with all the course exercise material including solutions to all of the exercises.