Fuzzing Training

$3,299.00

Duration

3 days

Delivery Method

in-person

Level

beginner / intermediate

Seats Available

20

ATTEND IN-PERSON: Onsite in Singapore

DATE: 20-22 November 2023

TIME: 09:00-17:00 SGT/GMT +8

Date Day Time Duration
20 Nov Monday 09:00 to 17:00 SGT/GMT +8 8 Hours
21 Nov Tuesday 09:00 to 17:00 SGT/GMT +8 8 Hours
22 Nov Wednesday 09:00 to 17:00 SGT/GMT +8 8 Hours

 


This course includes hands-on exercises on fuzzing open-source software on Linux, as well as the basics of Linux kernel fuzzing with syzkaller.


Fuzzing is a powerful technique for finding vulnerabilities in software. This hands-on training covers both the theory and the practice of fuzzing: coverage-guided fuzzing, basic blocks and binary instrumentation, corpus collection and minimization, target selection, crash triage and root-cause analysis, and analysis of real-life CVEs. Attendees will practise fuzzing on Windows and Linux and apply the concepts and techniques from the training to real-world software. The training is suitable for attendees with a basic understanding of software development and testing.

The training starts with user-mode fuzzing and later moves on to more complex topics such as Linux kernel fuzzing and firmware fuzzing.

Attendees will also learn about the classes of vulnerability that fuzzing typically finds, including buffer overflows, heap overflows, integer overflows, use-after-free bugs, and out-of-bounds reads and writes. We will discuss the underlying causes and potential impact of each class, and how to find and fix them with the help of a fuzzer. Beyond coverage-guided fuzzing, we will introduce other kinds of fuzzer, such as dumb fuzzers and mutation fuzzers, and discuss their benefits and limitations. Attendees will also learn to use tools such as GDB and Crashwalk to debug and triage crashes, and to perform root-cause analysis to identify the underlying bug behind each crash.

 

What will students get?

A preconfigured VM on a USB drive with all course materials and tools installed, so attendees don't need to build or configure anything.

Training Agenda

Day 1
  • Introduction
  • Different types of vulnerabilities
    ○ Buffer overflow
    ○ Heap overflow
    ○ Integer overflow
    ○ Use-after-free
    ○ Out-of-bounds read/write
    ○ Real-life examples of each vulnerability class
  • Hands-on: manually identifying the vulnerabilities in sample C code
  • What is fuzzing?
  • The fuzzing process
  • Different types of fuzzer
    ○ Dumb fuzzer – example: Radamsa
    ○ Mutation fuzzer – example: Sulley
    ○ Coverage-guided fuzzer – examples: AFL, WinAFL, AFL++, libFuzzer, Honggfuzz
  • Basic blocks and code coverage
  • Binary instrumentation
  • Corpus collection
  • Corpus minimization
  • What are AFL and AFL++?
  • How do they work?
  • Fork server vs. persistent mode
  • How to write a harness for persistent mode
  • Fuzzing strategies
  • Sanitizers
    ○ ASAN (AddressSanitizer)
    ○ UBSAN (UndefinedBehaviorSanitizer)
    ○ MSAN (MemorySanitizer)
  • Using AFL++
    ○ How to compile and install AFL++
    ○ How to compile a simple C program with AFL++
    ○ Compilation options for AFL++: AFL_HARDEN, AFL_USE_ASAN, AFL_DONT_OPTIMIZE, etc.
  • Fuzzing a simple C program with AFL++
  • Fuzzing real-world programs
  • Fuzzing tcpdump
    ○ Getting the source code and dependencies
    ○ Compiling with AFL++
    ○ Collecting a corpus
    ○ Minimising the corpus
    ○ Fuzzing the program
    ○ Looking at the issues found through fuzzing
  • Fuzzing libtiff
    ○ Getting the source code and dependencies
    ○ Compiling with AFL++
    ○ Collecting a corpus
    ○ Minimising the corpus
    ○ Fuzzing the program
    ○ Looking at the issues found through fuzzing

 

Day 2
  • Recap of Day 1
  • Advanced topics with AFL++
    ○ Using persistent mode to improve fuzzing speed
    ○ Using shared-memory (shmem) test-case passing to improve fuzzing speed
    ○ Using dictionaries
    ○ Fuzzing in QEMU mode
    ○ Fuzzing binaries built for other architectures with QEMU
    ○ Using the CmpLog feature
    ○ Fuzzing network binaries with AFL++
  • Using Honggfuzz
    ○ How to compile and install Honggfuzz
    ○ How to run Honggfuzz
    ○ How to compile and fuzz a simple program with Honggfuzz
  • Using libFuzzer
    ○ How to compile and install libFuzzer
    ○ How to write a harness for libFuzzer
    ○ How to compile and fuzz a simple program with libFuzzer
  • Hands-on fuzzing exercises
  • Fuzzing ImageMagick
    ○ Getting the source code and dependencies
    ○ Compiling with AFL++
    ○ Collecting a corpus
    ○ Minimising the corpus
    ○ Fuzzing the program
    ○ Looking at the issues found through fuzzing
  • Fuzzing FFmpeg
    ○ Getting the source code and dependencies
    ○ Compiling with AFL++
    ○ Collecting a corpus
    ○ Minimising the corpus
    ○ Fuzzing the program
    ○ Looking at the issues found through fuzzing
  • Fuzzing libEMF
    ○ Getting the source code and dependencies
    ○ Compiling with AFL++
    ○ Collecting a corpus
    ○ Minimising the corpus
    ○ Fuzzing the program
    ○ Looking at the issues found through fuzzing
  • Fuzzing libGD
    ○ Getting the source code and dependencies
    ○ Compiling with AFL++
    ○ Collecting a corpus
    ○ Minimising the corpus
    ○ Fuzzing the program
    ○ Looking at the issues found through fuzzing
  • Fuzzing OpenSSL
    ○ Writing a libFuzzer harness and rediscovering CVE-2023-0286
    ○ Writing a libFuzzer harness and rediscovering CVE-2022-3602
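
The Day 1 items on spotting memory-safety bugs in sample C code and on writing a persistent-mode harness, and the Day 2 item on writing a libFuzzer harness, fit in a single file. The following is an added example for this page, not the course's lab material or the instructor's code: a toy length-prefixed record parser (the format, the parser and its bug are all constructed here) in a deliberately unchecked version next to a hardened one, wrapped in a harness that is both a libFuzzer target (`LLVMFuzzerTestOneInput`) and an AFL++ persistent-mode program (`__AFL_LOOP`). The macro names `NO_MAIN` and `PARSE`, the function names `parse_records_unchecked` / `parse_records_checked` and the sample inputs are this example's own choices; the `__AFL_*` fallback definitions follow the pattern shown in AFL++'s persistent-mode documentation so the file also builds with a plain C compiler.

```c
/* Added example, not course material: one fuzz target that builds as an AFL++
 * persistent-mode harness and, with -DNO_MAIN, as a libFuzzer harness.
 * The record format, parser, bug and sample inputs are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

#define MAX_PAYLOAD 64

/* Toy wire format: byte 0 = record count; each record = one length byte
 * followed by that many payload bytes. Both parsers return the number of
 * records handled, or -1 for malformed input. */

/* Version 1: the kind of bug the Day 1 sample-code exercise trains you to
 * spot. The attacker-controlled length is never checked, so a record that
 * claims 255 bytes makes memcpy read past the end of `data` (out-of-bounds
 * read) and write past the 64-byte stack buffer (stack buffer overflow).
 * Built with AFL_USE_ASAN=1, both show up as ASAN reports. */
int parse_records_unchecked(const uint8_t *data, size_t size)
{
    uint8_t payload[MAX_PAYLOAD];
    size_t pos = 1;
    if (size < 1) return -1;
    int count = data[0];
    for (int i = 0; i < count; i++) {
        uint8_t len = data[pos++];        /* pos may already be >= size */
        memcpy(payload, &data[pos], len); /* len vs MAX_PAYLOAD? len vs size? */
        pos += len;
    }
    return count;
}

/* Version 2: hardened. Every length is checked against the remaining input
 * and against the destination buffer before a single byte is copied. */
int parse_records_checked(const uint8_t *data, size_t size)
{
    uint8_t payload[MAX_PAYLOAD];
    size_t pos = 1;
    if (size < 1) return -1;
    int count = data[0];
    for (int i = 0; i < count; i++) {
        if (pos >= size) return -1;       /* length byte missing */
        uint8_t len = data[pos++];
        if (len > MAX_PAYLOAD) return -1; /* would overflow `payload` */
        if (len > size - pos) return -1;  /* would read past the input */
        memcpy(payload, &data[pos], len);
        pos += len;
    }
    return count;
}

/* Constructed sample inputs (not fuzzer output): a well-formed message, one
 * claiming a 200-byte record, and one cut off before its second record. */
static const uint8_t sample_ok[]        = {2, 3, 'a', 'b', 'c', 1, 'x'};
static const uint8_t sample_oversized[] = {1, 200};
static const uint8_t sample_truncated[] = {2, 1, 'a'};

/* The harness fuzzes the buggy parser by default so the fuzzer has something
 * to find; build with -DPARSE=parse_records_checked to confirm the fix. */
#ifndef PARSE
#define PARSE parse_records_unchecked
#endif

/* libFuzzer entry point. clang -fsanitize=fuzzer links its own main(), so
 * build with -DNO_MAIN in that case (example-specific macro name). */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    PARSE(data, size);
    return 0;
}

#ifndef NO_MAIN
/* AFL++ persistent mode: the target is forked once and the loop body runs up
 * to 10000 times per child, receiving each test case through shared memory
 * instead of a fresh fork plus a file read. When compiled with anything other
 * than afl-clang-fast/afl-gcc-fast these fallbacks turn it into an ordinary
 * program that reads one input from stdin, which is how a single crash is
 * reproduced under GDB. */
#ifndef __AFL_FUZZ_TESTCASE_LEN
ssize_t fuzz_len;
#define __AFL_FUZZ_TESTCASE_LEN fuzz_len
unsigned char fuzz_buf[1024000];
#define __AFL_FUZZ_TESTCASE_BUF fuzz_buf
#define __AFL_FUZZ_INIT() void sync(void);
#define __AFL_LOOP(x) ((fuzz_len = read(0, fuzz_buf, sizeof(fuzz_buf))) > 0 ? 1 : 0)
#define __AFL_INIT() sync()
#endif

__AFL_FUZZ_INIT();

int main(void)
{
    __AFL_INIT();                 /* fork server starts here, after setup */
    unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF;
    while (__AFL_LOOP(10000)) {
        size_t len = (size_t)__AFL_FUZZ_TESTCASE_LEN;
        LLVMFuzzerTestOneInput(buf, len);
    }
    return 0;
}
#endif
```

To run it the AFL++ way: `AFL_USE_ASAN=1 afl-clang-fast -g harness.c -o harness`, then `afl-cmin -i raw_inputs -o in -- ./harness` to minimise a seed corpus and `afl-fuzz -i in -o out -- ./harness`; afl-fuzz detects the persistent loop by itself. The libFuzzer build of the same file is `clang -g -fsanitize=fuzzer,address -DNO_MAIN harness.c -o harness_lf && ./harness_lf corpus/`. For root-cause work, rebuild with plain `clang -g -fsanitize=address` and feed a crash file on stdin under GDB.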

 

 

Day 3
  • Recap of Day 2
  • Root-cause analysis and debugging with GDB
    ○ Debugging sample crashes with GDB
    ○ Finding the root cause
    ○ Debugging real-world vulnerability 1 to find the root cause
    ○ Debugging real-world vulnerability 2 to find the root cause
    ○ Debugging real-world vulnerability 3 to find the root cause
    ○ Debugging real-world vulnerability 4 to find the root cause
  • Crash triage with Crashwalk
    ○ How to install Crashwalk
    ○ Using cwtriage and cwdump
    ○ Using Crashwalk for automated crash triage
  • OSS-Fuzz introduction
    ○ What it is and how it works
    ○ How to set it up locally
    ○ How to build the Docker images and fuzzers
    ○ How to fuzz open-source software with OSS-Fuzz
  • Firmware fuzzing
    ○ How to extract firmware images
    ○ How to fuzz the extracted software
  • Linux kernel fuzzing
    ○ How to set up syzkaller
    ○ The tools (syz-manager etc.), directory structure and configuration files
    ○ How to configure and build a Linux kernel for fuzzing
    ○ How to reproduce an old issue from a corpus
    ○ How to fuzz a simple kernel module: writing syzkaller descriptions, enabling and disabling syscalls
    ○ How to build the kernel and syzkaller with a custom module and definitions
    ○ How to fuzz with syzkaller
    ○ How to reproduce crashes
    ○ How to debug crashes with GDB and QEMU

 

Q&A and Conclusion

Why You Should Take This Course

This course provides hands-on experience of fuzzing Linux software, as well as the basics of Linux kernel fuzzing with syzkaller.

Who Should Attend

This training is useful for anyone interested in vulnerability discovery and fuzzing.

Key Learning Objectives

  • Understanding of how various fuzzers work and of their internals
  • Practical experience of fuzzing a range of software and analysing vulnerabilities to find their root cause

Prerequisite Knowledge

This is a beginner-friendly course. Attendees should have basic knowledge of C/C++ development, debugging with GDB, and a working knowledge of Linux.

Hardware / Software Requirements

A laptop with at least 16 GB of RAM, 80 GB of free disk space, and VirtualBox, Hyper-V or VMware installed.

    Your Instructor

Hardik Shah (@hardik05) is an experienced cyber security professional with 17+ years in the computer security industry. He currently works as a Principal Security Researcher at Vehere, where he is responsible for analysing the latest threats, detecting them, and improving the product.

In the past he has worked with security companies such as Sophos, McAfee, and Symantec, where he built research teams from the ground up, managed various critical cyber threats to protect customers, implemented product features, and mentored many people. Hardik is also known for his skills in fuzzing and vulnerability discovery and analysis.

He has discovered 35+ vulnerabilities in Microsoft and various open-source software. He has conducted workshops at industry-leading cyber security conferences such as DEF CON, BSides, RSA Dark Arts, and many others. Hardik enjoys analysing the latest threats and figuring out ways to protect customers from them.