Trainer Name: Mathias Payer & Ahmad Hazimeh
Title: FuzzTrain: A Deep Dive Into All The Fuzz
Duration: 4 Days
Dates: 22nd - 25th March 2021
Time: 2:00 PM to 6:00 PM IST
Delivery Mode: via Zoom.us and Discord Platform
Fuzzing is the key technique for finding vulnerabilities in code. While fuzzing has been around for almost 30 years, the last 5 years saw a massive explosion of fuzzers and a corresponding surge in discovered vulnerabilities. Fuzzing is now the prime way to find new bugs at all layers of the software stack.
This four-day tutorial will teach you how to fuzz. You will learn what fuzzing is, the key concepts, how to increase the yield of bugs, how to best use your available resources, and how to write efficient customized fuzzers. Each day is split into a lecture part, where you learn the high-level concepts, and a practical part, where you spend the majority of the time exploring these concepts with hands-on examples.
Day 1: What the Fuzz? Basics!
We will start by talking about general fuzzing techniques and focus on greybox fuzzers that use program instrumentation to learn what functionality was executed. Coverage helps these fuzzers to guide mutation and we will cover basic seed selection strategies along with configuring good fuzzing corpora. In the practical part you will set up your first fuzzing campaigns and fine-tune fuzzers to find your first bugs.
Day 2: How the Fuzz? Sanitization!
Tools like AddressSanitizer detect memory corruption right when it happens, not only when an illegal memory access to an unmapped page causes a segmentation fault. While sanitizers add some runtime overhead, they detect more bugs, faster. Sanitizers have to be carefully configured. You will learn about the different sanitizers and how to use them best during fuzzing campaigns. During the practical part, you will apply your sanitization knowledge to find even more bugs.
Day 3: Where to Fuzz? Writing fuzzing stubs!
So far we have fuzzed specific target applications. Often, the actual target is some form of library code, and it is much more efficient to write customized fuzzers that follow exactly the API you are interested in. In this lesson, we will learn how to create effective fuzzing stubs and then apply them during a practical campaign.
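As an added example (not course material from the trainers), here is a libFuzzer-style fuzzing stub for a hypothetical library API; the `tlv_t` record type, `tlv_parse` and the `STANDALONE` macro are constructed for this illustration, while `LLVMFuzzerTestOneInput` is the real libFuzzer entry point.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical library API under test (constructed for this example):
 * a minimal tag-length-value record parser. */
typedef struct {
    uint8_t tag;
    uint8_t len;
    uint8_t value[16];
} tlv_t;

/* Returns 0 on success and -1 on malformed input; never reads past n bytes. */
int tlv_parse(const uint8_t *buf, size_t n, tlv_t *out) {
    if (n < 2) return -1;                        /* need tag and length bytes */
    out->tag = buf[0];
    out->len = buf[1];
    if (out->len > sizeof out->value) return -1; /* would overflow value[] */
    if ((size_t)out->len + 2 > n) return -1;     /* declared length exceeds input */
    memcpy(out->value, buf + 2, out->len);
    return 0;
}

/* The fuzzing stub. libFuzzer (clang -fsanitize=fuzzer,address) calls this
 * once per generated input. Rules of thumb: exercise exactly the API of
 * interest, stay deterministic and free of global state, treat rejected
 * input as normal (return 0, never abort), and let the sanitizer flag
 * genuine memory errors. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    tlv_t rec;
    (void)tlv_parse(data, size, &rec);  /* the call under test */
    return 0;                           /* non-zero values are reserved by libFuzzer */
}

/* Optional stand-alone driver (our own STANDALONE convention, not libFuzzer's):
 * build with -DSTANDALONE to replay one saved input, e.g. a crash file, without
 * the engine, so it does not clash with libFuzzer's own main(). */
#ifdef STANDALONE
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <input-file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 2; }
    uint8_t buf[4096];
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return LLVMFuzzerTestOneInput(buf, n);
}
#endif
```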
Day 4: All the Fuzz!
We have now covered the three key areas: fuzzing programs, using sanitizers, and customizing fuzzers for specific use cases. All these steps required source code, which is not always available. We will therefore expand our knowledge to binary rewriting for fuzzing and apply several binary rewriters in practice.
Prerequisites:
- Good Linux system management skills
- Good C/C++ development skills
- Familiarity with different build environments
- Familiarity with Docker/containers and VMs
Mathias Payer is a security researcher and professor at the EPFL School of Computer and Communication Sciences (IC), leading the HexHive group. His research focuses on protecting applications in the presence of vulnerabilities, with an emphasis on memory corruption and type violations. Having presented his research 9 times at the Chaos Communication Congress, he is a long-time member of the hacker community. His fuzzing research resulted in CVEs for the Linux kernel, Firefox, Android, and embedded systems. More details at: https://nebelwelt.net and @gannimo
Ahmad Hazimeh is a PhD candidate in the HexHive group at EPFL working on fuzzing. His research focuses on measuring, tuning, and optimizing fuzzing for different environments. He is the main author of MAGMA, a benchmark to evaluate different fuzzing strategies. Recently, he shifted his focus towards fuzzing stateful network protocols.