Introduction to Fuzzing
In this training you will learn how a fuzzer works, how to build your own fuzzers for specific file formats, have a chance to discover some of the most infamous vulnerabilities yourself.
Many of the vulnerabilities with the biggest impact of the last years were discovered using a technique called fuzzing. Fuzzing is an automated vulnerability anlaysis technique based on mutating data that is then feed into a program to find crashes, buffer overflows, heap overflows and other software issues.
In this training you will learn how a fuzzer works, how to build your own fuzzers for specific file formats, have a chance to discover some of the most infamous vulnerabilities yourself and also learn how to efficiently analyze fuzzing results. Beyond writing your own fuzzers this course will also cover one of the most popular fuzzers in use today, i.e. American Fuzzy Lop, and how to perform fuzz testing efficiently on software.
Day one starts with looking at the theory of fuzzing: How does it work? Why is it so efficient? What kind of fuzzers exist?
Next participants will learn how to write a couple of custom fuzzers in Python, starting with completely random fuzzers and then building targeted fuzzers for specific file formats.
Participants will also have the opportunity to learn how to improve fuzzing speed using different techniques, and how to analyze the crash-results and quickly judge the likelyhood of exploitability.
On day participants will have an opportunity to look at different "ready to use" fuzzers, such as American Fuzzy Lop, and how they work. Participants will leanr how to use code-path analysis to improve fuzzers, and how to instrument real software libraries for fuzzing.
We will also take a brief look at using emulation for fuzzing - which allows you to fuzz low-level code such as kernels, firmware, and more.
At the end of the training you will be able to instrument software, and start discover you own vulnerabilities using fuzzing. You will also learn how to integrate fuzzing into your secure software development lifecycle and your testing pipeline.
- Basic Linux skills (Navigation in the shell, using make, compiling a program using gcc)
- Good C skills (As we will work a lot on C codebases)
- Basic understanding of memory corruption vulnerabilities such as buffer overflows
- Basic Python skills (As we will write a lot of fuzzers in Python)