Fuzzing For Vulnerabilities

Chris Bisnett | July 22-23 & July 24-25



Overview

Despite the increasing awareness and money behind improving application security it is still possible to find zero-day vulnerabilities in production software using simple fuzzers. The last couple of years have seen numerous companies launch bug bounty programs in an attempt to crowd-source a solution to this problem. Whether you're a member of a development team looking to fuzz your software before release or a researcher looking to find vulnerabilities to score some bug bounty prizes, Fuzzing For Vulnerabilities will get you started developing fuzzers and running them against target software.

Course Schedule:

Day 1
Students start the course by learning fuzzing fundamentals. We find it's best if everyone understands all the parts of a successful and scalable fuzzing framework. Once all of those parts have been discussed and set up, the students will write their first fuzzer (dumbfuzz). Students will then run the framework they've set up and their new fuzzer against the target application to find vulnerabilities. All this on the first day.

Day 2
Day 2 picks up where we left off and continues to build upon what's already been taught as we dive into format-aware (smart) fuzzers. The remainder of day 2 is where we cover a number of advanced topics to get students on the path to mastery. We will discuss AddressSanitizer: how it works, how it can help find additional vulnerabilities, and how to set it up. We also cover a number of other topics, including code coverage, corpus distillation, in-memory fuzzing, and differential fuzzing. Finally, we will discuss crash analysis: automating the triage of thousands of crashes to determine which ones represent unique vulnerabilities.

Topics:

  • Fuzzing Overview – An introduction to the fundamental techniques of fuzzing, including mutation-based and generation-based fuzzers, and the basics of target instrumentation.

  • Dumb Fuzzing – An overview of the benefits and drawbacks of generic fuzzers, which have little to no insight into the format of the data being fuzzed.

  • Smart Fuzzing – An in-depth discussion of specialized mutation-based and generation-based fuzzers, choosing fuzzed values to increase the likelihood of a crash, and using protocol specifications as a guide to develop a fuzzer.

  • Advanced Techniques – Covers advanced techniques to increase fuzzer efficiency and effectiveness. Topics include: using AddressSanitizer to enhance vulnerability detection, collecting code coverage statistics, corpus distillation, in-memory fuzzing, differential fuzzing, and introduces whitebox fuzzing (input generation).

  • Crash Analysis – Discussion of tools and methods that aid in analyzing large numbers of crashes to determine uniqueness and hint at severity.
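As an added example (not course material and not code from Huntress Labs), here is a minimal mutation-based "dumb" fuzzer in Python, the language the course exercises use, together with the crash-bucketing step the Crash Analysis topic describes. It illustrates both the Dumb Fuzzing and the Crash Analysis bullets above. The target `parse_records`, its two planted defects, the seed corpus and every helper name are constructed for this example and are assumptions, not anything the course ships.

```python
import random
import traceback
from collections import namedtuple

# --- Constructed target ------------------------------------------------------
# A toy record parser with two planted defects, written for this example so the
# fuzzer has something to find. Format: a sequence of [type][length][payload].
def parse_records(data: bytes) -> list:
    records = []
    pos = 0
    while pos + 2 <= len(data):
        rtype, length = data[pos], data[pos + 1]
        payload = data[pos + 2:pos + 2 + length]  # defect 1: length is never checked
        pos += 2 + length                         # against the bytes remaining
        if rtype == 1:
            records.append(("raw", payload))
        elif rtype == 2:
            scale = payload[0]                    # IndexError when payload is empty
            records.append(("scaled", sum(payload[1:]) // scale))  # defect 2: scale == 0
        else:
            records.append(("skip", rtype))
    return records

# Constructed seed corpus: two well-formed inputs the parser accepts.
SEED_CORPUS = [
    bytes([1, 3, 0x61, 0x62, 0x63, 2, 3, 2, 10, 20]),  # "abc", then 30 // 2
    bytes([2, 2, 4, 40, 1, 1, 0x7a]),                  # 40 // 4, then "z"
]

# Boundary values that dumb fuzzers bias towards because they so often matter.
INTERESTING = [0x00, 0x01, 0x7f, 0x80, 0xff]

# --- Format-unaware mutators -------------------------------------------------
def bit_flip(data, rng):
    i = rng.randrange(len(data))
    return data[:i] + bytes([data[i] ^ (1 << rng.randrange(8))]) + data[i + 1:]

def set_byte(data, rng):
    i = rng.randrange(len(data))
    val = rng.choice(INTERESTING) if rng.random() < 0.5 else rng.randrange(256)
    return data[:i] + bytes([val]) + data[i + 1:]

def delete_chunk(data, rng):
    i = rng.randrange(len(data))
    n = rng.randint(1, len(data) - i)
    return data[:i] + data[i + n:]

def duplicate_chunk(data, rng):
    i = rng.randrange(len(data))
    n = rng.randint(1, len(data) - i)
    return data[:i + n] + data[i:i + n] + data[i + n:]

MUTATORS = [bit_flip, set_byte, delete_chunk, duplicate_chunk]

def mutate(data, rng, seeds):
    """Apply 1-4 random mutators; restart from a seed if the input collapses to nothing."""
    for _ in range(rng.randint(1, 4)):
        if not data:
            data = rng.choice(seeds)
        data = rng.choice(MUTATORS)(data, rng)
    return data or rng.choice(seeds)

# --- Crash bucketing ---------------------------------------------------------
def crash_key(exc):
    """Bucket a crash by exception type plus the (function, line) frames inside the
    target. The harness's own frame is dropped so crashes are compared on where they
    happened in the code under test. Real triage tools hash the same kind of trace."""
    frames = [f for f in traceback.extract_tb(exc.__traceback__) if f.name != "fuzz"]
    return type(exc).__name__, "|".join(f"{f.name}:{f.lineno}" for f in frames)

Crash = namedtuple("Crash", "exc_type location count input")

def fuzz(target, seeds, iterations=2000, seed=0):
    """Run a seeded, deterministic campaign; return {bucket_key: Crash}."""
    rng = random.Random(seed)
    buckets = {}
    for _ in range(iterations):
        data = mutate(rng.choice(seeds), rng, seeds)
        try:
            target(data)
        except Exception as exc:  # in a Python target a "crash" surfaces as an exception
            key = crash_key(exc)
            if key in buckets:
                buckets[key] = buckets[key]._replace(count=buckets[key].count + 1)
            else:
                buckets[key] = Crash(key[0], key[1], 1, data)  # keep first reproducer
    return buckets

def reproduce(target, crash):
    """Re-run a saved reproducer; True if it still raises the bucketed exception type."""
    try:
        target(crash.input)
    except Exception as exc:
        return type(exc).__name__ == crash.exc_type
    return False

if __name__ == "__main__":
    for crash in fuzz(parse_records, SEED_CORPUS).values():
        print(f"{crash.exc_type:18} hits={crash.count:5} "
              f"repro={reproduce(parse_records, crash)} input={crash.input.hex()}")
```

Thousands of iterations produce hundreds of raising inputs, but bucketing by exception type and target-side stack collapses them to two entries, one per planted defect, each with a saved reproducer. That reduction is the whole point of the triage step: an analyst looks at two inputs, not hundreds. Swapping the in-process target for a subprocess call and the exception for the child's signal and sanitizer report is the step that takes this from a toy to a harness for native code.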

Who Should Take this Course

Anyone who is looking to learn more about fuzzing. This course starts with beginner level concepts to get everyone up to speed and then delves into how to write custom fuzzers and more advanced topics.

Student Requirements

  • Development experience in Python is helpful: all course exercises incorporate custom Python scripts that students will modify. All students will be supplied with solutions, so students with no or limited Python experience can still learn from the course.
  • Basic knowledge of high-level data types such as signed/unsigned integers and pointers.
  • Basic understanding of memory corruption vulnerabilities (stack buffer overflow, heap buffer overflow, etc.).

What Students Should Bring

Students should bring a laptop with a 64-bit processor and operating system and at least 4 GB of RAM. The provided virtual machine is 64-bit Ubuntu 16.04 and will not run on 32-bit host machines.

What Students Will Be Provided With

In addition to the training manual and exercise booklet, students will receive an Ubuntu 16.04 virtual machine loaded with all the course exercise material including solutions to all of the exercises.

Trainers

Chris Bisnett is co-founder and product manager at Huntress Labs, a startup focused on automated breach detection through hunting persistence mechanisms. In the past Chris has worked as a defense contractor for the U.S. government and as a vulnerability analyst at the NSA RedTeam. He has extensive experience reverse engineering proprietary protocols and developing fuzzers. When not working, Chris enjoys participating in hacker capture-the-flag events.

For the past 10 years, Kyle Hanslovan has supported defensive and offensive cyber operations in the U.S. Intelligence Community and is currently the CEO of Huntress Labs. He previously co-founded the defense consulting firm StrategicIO, which specializes in developing implants and exploits and won DEF CON 20's CTF competition. Additionally, he serves in the Maryland Air National Guard as a Cyber Warfare Operator. With his strong background in software development, reverse engineering, and malware analysis, Kyle enjoys making life hard for unsophisticated cyber actors.