Demystifying Low-Tech Fuzzing: Unconventional Approaches to Uncovering CVEs // Marc Schoenefeld

In-Person | March 20-21 | 2 Days

BOOK NOW

ABSTRACT

The "Demystifying Low-Tech Fuzzing: Unconventional Approaches to Uncovering CVEs" class is the new kid on the block. Fuzzing has been around for a while: we have seen instrumentation, and we have seen various approaches to x-raying applications in order to maximize coverage and other technical metrics. In practice, however, how technically sophisticated a campaign setup is along the way is often not what matters; typically, people care more about the number and validity of the findings at the end of the journey. Therefore, this training focuses on shortening the effort and time from starting a campaign to harvesting the results.

In this class, the path from zero to hero in shortening fuzzing workflows is shown. Along the way you learn a lot of tips and tricks that contribute to successfully finding bugs. This is helpful both for quality engineering and for finding security vulnerabilities. A crucial goal is to give students a seventh sense for shortcuts when dealing with campaign setups, coverage settings, corpus selection, instrumentation, emulated execution and other pressure points that squeeze bugs out of code. Future bug hunters will be equipped with heuristics for scanning open-source projects for their fuzzing blind spots in order to find novel bugs and CVEs.

To enhance the quality of findings, students will also learn about heisenbugs and test-case minimization. This training focuses on fuzzing code in various languages, ranging from Java and JavaScript to Rust and, of course, C/C++.


INTENDED AUDIENCE

  • Software developers and quality engineers
  • Pentesters working on assessments
  • Blue Team/Red Team, who cares, everybody wants to find bugs
  • Bug hunters who want to harvest new crashes for later exploitation
  • Private and public institutions
  • Closed and open-source software vendors

KEY LEARNING OBJECTIVES

  • Introduction to the basic principles of fuzzing
  • Setting up campaigns with the typical tools and frameworks
  • Know the pros and cons of typical fuzzing frameworks
  • Narrowing the search space by cherry-picking good dictionaries and corpora
  • Explore shortcuts to the established tools described above
  • How to work with mixed-language fuzzing (JNI, FFI, ..)
  • Fuzzing source-based or binary-based, or both
  • Explore blind spots in fuzzing coverage, reflect on automatic test case generation
  • Get a feeling for successfully repurposing artifacts and corpora
  • Avoid writing custom harness code where possible, focusing on using code as-is
  • First Example Lab: Finding CVEs in well-known cryptography frameworks, compare various approaches and explore shortcuts
  • Another Example Lab: Finding a CVE in a JavaScript Server Execution Framework, reuse artifacts and find pressure points in mixed language setups
  • Polyglot Example Labs: Fuzzing Rust, JavaScript and Java, identify targets, finetune tools, keep up with tool decay
  • Practice, practice, practice: "Übung macht den Meister" (practice makes perfect)

COURSE DETAILS

Part 1: From ground to cruising altitude

  • Introduction to the basic principles of fuzzing
  • Simple fuzzers: zzuf, radamsa
  • More complex tools such as honggfuzz, AFL++ (AFLplusplus) and libFuzzer
  • How to compare and select a framework based on pros and cons
  • Setting up campaigns with the typical tools and frameworks
  • Throw dictionaries and corpora into the mix
  • Excursus: Generative fuzzing, write your own tools
  • Excursus: Math is your friend; examples of pressure points arising from code complexity
  • Must-have skill: reading stack traces, comparing and triaging findings based on their crash state
  • Example: Run a campaign on a well-known software project in C/C++
  • Example: Run a campaign on a well-known software project in Java
  • Enough exercises to get hands-on with the presented material
  • Wrap-up of the first part
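
Triage by crash state, as an added example that is not part of the course material: a small C routine that buckets AddressSanitizer-style reports by the first three frames that belong to the target, dropping addresses and sanitizer runtime frames, so that two crashes with the same root cause land in the same bucket even though ASLR and inputs differ. The report text and the function names in it (parse_header, parse_packet, LLVMFuzzerTestOneInput) are constructed for illustration.

```c
/*
 * Added example (not course material): bucket sanitizer stack traces by
 * "crash state", i.e. the top CRASH_FRAMES in-target frames with addresses,
 * paths and runtime frames stripped. Reports with the same key are, to a
 * first approximation, the same bug and only need to be triaged once.
 */
#include <stdio.h>
#include <string.h>

#define CRASH_FRAMES 3

/* Frames that belong to the sanitizer/fuzzer runtime rather than the target. */
static int is_runtime_frame(const char *fn) {
    return strncmp(fn, "__asan", 6) == 0 ||
           strncmp(fn, "__interceptor_", 14) == 0 ||
           strncmp(fn, "__sanitizer", 11) == 0 ||
           strncmp(fn, "fuzzer::", 8) == 0;
}

/*
 * Build a bucket key "func1|func2|func3" from an ASan-style report whose
 * frame lines look like "    #0 0x4f2a1b in parse_header parser.c:42:9".
 * Returns the number of frames captured (0 if the text contains no frames).
 */
int crash_key(const char *report, char *key, size_t keylen) {
    int captured = 0;
    size_t used = 0;
    const char *line = report;
    key[0] = '\0';
    while (*line && captured < CRASH_FRAMES) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        unsigned idx;
        unsigned long addr;
        char fn[256];
        /* "#<n> 0x<addr> in <func> <file:line>": keep only the function name. */
        if (sscanf(buf, " #%u 0x%lx in %255s", &idx, &addr, fn) == 3 &&
            !is_runtime_frame(fn)) {
            int n = snprintf(key + used, keylen - used, "%s%s",
                             captured ? "|" : "", fn);
            if (n < 0 || (size_t)n >= keylen - used) break;
            used += (size_t)n;
            captured++;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return captured;
}

int main(void) {
    /* Constructed report in the shape ASan prints; not a real finding. */
    static const char report[] =
        "==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000011\n"
        "    #0 0x4f2a1b in __interceptor_memcpy asan_interceptors.cpp:10\n"
        "    #1 0x51c3e0 in parse_header parser.c:42:9\n"
        "    #2 0x51d100 in parse_packet parser.c:88:5\n"
        "    #3 0x51e2f4 in LLVMFuzzerTestOneInput harness.c:12:3\n"
        "    #4 0x43a1b2 in fuzzer::Fuzzer::ExecuteCallback FuzzerLoop.cpp:611\n";
    char key[256];
    int n = crash_key(report, key, sizeof key);
    printf("%d frames -> %s\n", n, key);
    return 0;
}
```

Feed every crash log from a campaign through crash_key and count distinct keys before opening a single debugger: the number of buckets, not the number of crash files, is the number of findings worth looking at.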

Part 2: Move on along the way, exploring hidden potential

  • Example: Rust, its approach to fuzzing and how fuzzing is integrated
  • Mixed-language fuzzing, JNI, FFI, various approaches and tools
  • Deep dive, a well-known cryptography framework, from the identification of fuzzing blind spots towards CVE harvesting
  • Exercise: apply the deep dive hands-on to a well-known server software
  • Excursus: Commit logs are friends too; minimal-effort harnesses by fuzzifying existing functional tests, to find more of the same
  • System settings and how they contribute to bug discovery rate
  • How to debug/triage your crash findings 101, C/C++ and Java
  • Missing source code? Exploring a crash location with Ghidra
  • How to repurpose artifacts wherever possible, laziness can be a virtue
  • Learn to identify ahead of time which actions save valuable time
  • Apply AI for test optimization, but avoid the typical fails
  • Excursus: Can I fuzz Android, too?
  • Exercises, Exercises
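
The "fuzzify an existing functional test" shortcut, as an added example that is not part of the course material: a hypothetical record parser together with the unit test a project would already ship, and the libFuzzer entry point that reuses the test's call sequence with fuzzer-supplied bytes instead of the fixture. parse_record, test_parse_record, the record layout and the LIBFUZZER_BUILD macro are assumptions made for this example.

```c
/*
 * Added example (not course material). Assumed target: a small TLV-style
 * record parser with an existing functional test. The harness below is the
 * functional test with its fixture replaced by fuzzer-provided bytes; no
 * new harness logic has to be written, and the fixture doubles as the seed.
 *
 * Fuzzing build: clang -g -O1 -fsanitize=fuzzer,address -DLIBFUZZER_BUILD harness.c -o harness
 * Seed corpus:   mkdir corpus && printf '\x01\x00\x05hello' > corpus/fixture
 * Run:           ./harness corpus/
 * Plain build:   cc -g -fsanitize=address harness.c -o replay && ./replay crash-*
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct record {
    uint8_t  type;
    uint16_t len;
    char     payload[64];
};

/* Hypothetical project function: type(1) | len(2, big-endian) | payload(len). */
int parse_record(const uint8_t *buf, size_t n, struct record *r) {
    if (n < 3) return -1;                                /* header truncated */
    r->type = buf[0];
    r->len  = (uint16_t)(buf[1] << 8 | buf[2]);
    if (r->len > sizeof r->payload) return -2;           /* would overflow payload */
    if (n < 3 + (size_t)r->len) return -3;               /* body truncated */
    memcpy(r->payload, buf + 3, r->len);
    return 0;
}

/* The functional test as it would already exist in the project's suite:
 * one happy-path fixture, none of the length checks above are exercised. */
int test_parse_record(void) {
    static const uint8_t fixture[] = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    struct record r;
    if (parse_record(fixture, sizeof fixture, &r) != 0) return 1;
    if (r.type != 1 || r.len != 5 || memcmp(r.payload, "hello", 5) != 0) return 1;
    return 0;
}

/* The fuzzified test: same call sequence, fixture replaced by fuzzer bytes.
 * Memory errors are reported by ASan; the test's own invariant is promoted
 * to abort() so that libFuzzer also reports logic bugs as crashes. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    struct record r;
    if (parse_record(data, size, &r) == 0 && r.len > sizeof r.payload)
        abort();
    return 0;
}

#ifndef LIBFUZZER_BUILD
/* Plain build (no -fsanitize=fuzzer, which supplies its own main): run the
 * original test, then replay any crash or corpus files through the harness. */
int main(int argc, char **argv) {
    if (test_parse_record() != 0) { puts("functional test FAILED"); return 1; }
    puts("functional test ok");
    for (int i = 1; i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        if (!f) { perror(argv[i]); continue; }
        uint8_t buf[4096];
        size_t n = fread(buf, 1, sizeof buf, f);
        fclose(f);
        LLVMFuzzerTestOneInput(buf, n);
        printf("%s: %zu bytes, no crash\n", argv[i], n);
    }
    return 0;
}
#endif
```

The point of the pattern is that the test already encodes how the function is meant to be called, so the harness is the test minus its fixture; the same replay main that reruns the functional test also reproduces crash files outside the fuzzer, which is where the triage starts.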

KNOWLEDGE PREREQUISITES

  • Familiarity with software development in at least one major language (preferably C/C++ and/or Java). The more language proficiency, the more there is to take away.
  • Familiarity with crash analysis in GDB and the relevant assembly language (ARM, Intel, or better both)
  • Proficiency on the Linux command line, understand and write basic bash or zsh scripts
  • Writing scripts in a preferred language
  • Have fun breaking stuff

HARDWARE REQUIREMENTS

  • A modern laptop capable of running Ubuntu 20.04 or 22.04
  • 8 GB RAM, better 16 GB; life is too short to wait for paging
  • Have root access to the Linux installation
  • Working WiFi or LTE to potentially download stuff
  • At least 50 GB free space

SOFTWARE REQUIREMENT

  • Have a VM with Ubuntu 20.04 or 22.04 with at least gcc, g++, gdb and a git client installed
  • Can be WSL, Docker or in VirtualBox
  • Nanny note: fuzzing can have side effects; make data backups before the training and practice the restore 💥
  • Participants with an Apple Silicon Mac may get to see a real-life kernel panic

YOUR INSTRUCTOR: MARC SCHOENEFELD

22-year record of CVE-classified bugs

  • Speaker and trainer at numerous conferences (Black Hat, CanSecWest, JavaOne, HackInTheBox, Xcon)
  • Published Scanapk and undx, which at the time of their release were valuable tools for Android reversing
  • Google Chrome Hall of Fame, F-Secure Hall of Fame

Random past non-security achievements:

https://www.linkedin.com/in/marcschoenefeld/
