< NULLCON 2025 - BERLIN />

About The Training


< Training Title />

Hands-On Binary Fuzzing

< Training Schedule />

Start Date: Sep 01, 2025

End Date: Sep 03, 2025

< Training Objectives />

Fuzzing as a methodology has been an area of interest for generations of security researchers and has proved to be a very effective way to find vulnerabilities. It is now widely used in initiatives such as OSS-Fuzz and syzbot, which help open-source projects detect bugs early on.
However, when it comes to auditing closed-source binaries, things are less straightforward. They are interesting targets, widely spread across operating systems, smartphones, etc. Fortunately, wisely combining public research projects and homemade tools makes it possible to achieve efficient fuzzing with performance close to what source-level fuzzing offers.
We used to say, "There's nothing like a custom fuzzer for a target". This training aims at providing trainees with the concepts, methods and building blocks to create proper harnesses and fuzzers for real-life software.
Using the open-source tools Triton and TritonDSE, the training explains how one can achieve efficient fuzzing on closed-source targets. Fuzzing research covers a wide range of targets, notably kernel and browser fuzzing. Covering these targets would require a whole training for each of them. Thus, this session focuses on standard userland Linux-based binaries.

< Training Level />

Intermediate

< Training Outlines />

MODULE 1: Introduction to vulnerability research and fuzzing
• Introduction to vulnerability research.
• Reverse engineering.
• Introduction to fuzzing.
• Methodology (target analysis, attack surface).
• Setup harness writing.
• Corpus management.
• Monitoring the fuzzing campaign.
• Crash triaging.
• Common tools.
• Limits: hard to reach / detect bugs, inappropriate targets.
• Memory sanitizers.

MODULE 2: Binary-level fuzzing with emulation
• Introduction to emulation.
• Emulation with QEMU.
• Fuzzing with AFL++/QEMU.
• Emulation with Unicorn, Keystone and Capstone.
• Fuzzing embedded targets with AFL++/Unicorn.
• Fuzzing with Honggfuzz/Unicorn.

MODULE 3: Exploration and vulnerability research with symbolic execution
• Introduction to symbolic execution.
• SMT solving concepts and theories (BV, Array).
• Concrete emulation and path exploration with TritonDSE.
• Symbolic Queries.
• Bridging the gap with fuzzers: building a basic in-memory concolic fuzzer.
• Ensemble Fuzzing.

< WHAT TO BRING? />

A Linux laptop with VMware or VirtualBox installed and at least 75 GB of disk space available for the training VM.

< Training PREREQUISITE />

  • Basic reverse-engineering skills (x86-64 binaries will be studied).
  • Basic skills in Python and C/C++.

< WHO SHOULD ATTEND? />

Reverse engineers, software auditors/testers, or any security researcher who wants to understand the core concepts of binary fuzzing and apply them to any software.

< WHAT TO EXPECT? />

Key Learning Objectives

  • Giving trainees the methodology, knowledge and means to achieve efficient fuzzing on real-life software.
  • Enabling trainees to face the challenges that fuzzing raises (exotic targets, no source code, etc.).

< WHAT ATTENDEES WILL GET? />

A VM with all tools installed will be shared prior to the training; the slides will be given to the attendees at the end of the training.

< WHAT NOT TO EXPECT? />

Advanced fuzzing techniques (snapshot fuzzing, differential fuzzing, kernel code fuzzing). Integration of fuzzing into a CI pipeline.

< About the Trainer />

Jeremy Marchand is a software security researcher focusing on reverse engineering and fuzzing various types of targets. He works at Quarkslab in the Automated Analysis team.