Demystifying Low-Tech Fuzzing: Unconventional Approaches to Uncovering CVEs // Marc Schoenefeld
In-Person | March 20-21 | 2 Days
BOOK NOWABSTRACT
The "Demystifying Low-Tech Fuzzing: Unconventional Approaches to Uncovering CVEs" class is a new kid on the block. Fuzzing has been around for a while, we have seen instrumentation, we have seen various approaches to x-ray applications to maximize coverage and other technical metrics. However, in practice, it is often not relevant, how technical sophisticated a campaign setup is along the way, but typically folks care more about the number and validity of findings at the end of journey. Therefore, this training we are focusing on shortening the eLort and time from starting a campaign towards harvesting the results.
In this class the path from zero to hero in shortening fuzzing workflows is shown. Along that way you learn a lot of tips and tricks, that you contribute to successfully findings bugs. This is both helpful for quality engineering as well as for findings security vulnerabilities. A crucial goal is to provide students with a seventh sense for shortcuts when dealing with campaign setups, coverage settings, corpora selection, instrumentation and emulated execution and other pressure points that squeeze bugs out of code. Future bug hunters will be equipped with heuristics to scan open-source projects for their blind spots fuzzing-wise to find novel bugs and CVEs.
To enhance the quality of findings students will also learn about heisenbugs, minimization. This training focuses on fuzzing code in various languages, ranging from Java over JavaScript to Rust and of course also in C/C++.
Demystifying Low-Tech Fuzzing: Unconventional Approaches to Uncovering CVEs // Marc Schoenefeld
In-Person | March 20-21 | 2 Days
INTENDED AUDIENCE
- Software developers and quality engineers
- Pentesters working on assessments
- Blue Team/Red Team, who cares, everybody wants to find bugs
- Bug hunters who want to harvest new crashes for later exploitation
- Private and public institutions
- Closed and open-source software vendors
KEY LEARNING OBJECTIVES
- Introduction to the basic principles of fuzzing
- Setting up campaigns with the typical tools and frameworks
- Know the pros and cons of typical fuzzing frameworks
- Narrowing the search space with cherry-picking good dictionaries, corpora
- Explore short cuts to the established tools as described above
- How to work with mixed-language fuzzing (JNI, FFI, ..)
- Fuzzing source-based or binary-based, or both
- Explore blind spots in fuzzing coverage, reflect on automatic test case generation
- Get a feeling for successfully repurposing artifacts and corpora
- Avoid writing custom harness code where possible, focusing to use code as-is
- First Example Lab: Finding a CVEs in well-known cryptography frameworks, compare various approaches and explore shortcuts
- Another Example Lab: Finding a CVE in a JavaScript Server Execution Framework, reuse artifacts and find pressure points in mixed language setups
- Polyglot Example Labs: Fuzzing Rust, JavaScript and Java, identify targets, finetune tools, keep up with tool decay
- Practice, practice, practice. "Übung macht den Meister"
COURSE DETAILS
Part 1: From ground to cruising altitude
- Introduction to the basic principles of fuzzing
- Simple fuzzers, zzuf, radamsa
- More complex tools like honggfuzz, AFLPlusPlus, LibFuzzer
- How to compare and select a framework based on pros and cons
- Setting up campaigns with the typical tools and frameworks
- Throw dictionaries and corpora into the mix
- Excursus: Generative fuzzing, write your own tools
- Excursus: Math is your friend, visit examples of pressure points due to code complexity
- Must-have skill: Reading stack trace, compare and triage findings based on their crash state
- Example: Run a campaign on a well-known software project in C/C++
- Example: Run a campaign on a well-known software project in Java
- Enough Exercises to get the haptics with the presented material
- Wrap up the first part
Part 2: Move on along the way, exploring hidden potential
- Example: Rust and it’s approach and integration of Fuzzing
- Mixed-language fuzzing, JNI, FFI, various approaches and tools
- Deep dive, a well-known cryptography framework, from the identification of fuzzing blind spots towards CVE harvesting
- Exercise: Haptically apply the deep dive on a well-known server software
- Excursus: Commit logs are friends too, minimal eLort harnesses by fuzzifying existing functional tests, to find more of the same
- System settings and how they contribute to bug discovery rate
- How to debug/triage your crash findings 101 , C/C++ and Java
- Missing source-code? Exploring a crash location with Ghidra
- How to repurpose artifacts wherever possible, laziness can be a virtue
- Learn to Identify ahead of time actions save valuable time
- Apply AI for test optimization, but avoid the typical fails
- Excursus: Can I fuzz Android, too?
- Exercises, Exercises
KNOWLEDGE PREREQUISITES
- Familiarity with software development in at least one major language (preferable C/C++ and/or Java). The more language proficiency the more to take away.
- Familiarity with crash analysis in GDB, and the relevant assembly language (arm, intel or better both)
- Proficiency on the Linux command line, understand and write basic bash or zsh scripts
- Writing scripts in a preferred language
- Have Fun in breaking stuL
HARDWARE REQUIREMENTS
- A modern laptop with a capability of running Ubuntu 20 or 22
- 8 GB, better 16 GB, life is too short to wait for paging
- Have root access to the Linux installation
- Working WiFi or LTE to potentially download stuL
- At least 50 GB free space
SOFTWARE REQUIREMENT
- Have a VM with Ubuntu 20 or 22 , at least gcc, g++, gdb and a git client installed
- Can be WSL, Docker or in VirtualBox
- Nanny Note: Fuzzing can have side effects, make data backups before the training, practice the restore
YOUR INSTRUCTOR: MARC SCHOENEFELD
Marc has a 23-year track record of finding CVE-classified vulnerabilities. Ever since starting as intern with COBOL programming in the 1990s he showed interest in breaking software. Tired of finding strcpy-bugs in the late 1990s he welcomed the arrival of the new Java programming language, for which he researched and presented native attack vectors as early as at Blackhat 2002.
From that point in time, he pursued his research in Java Security and received his Dr. rer. nat. (similar to PhD) in 2010 from the University of Bamberg. His thesis covered the topic of Security Antipatterns in Distributed Java Components. In 2011 he published a book with the title "Java Security". He continuously worked on these topics during his day work positions as security architect at (former) GAD, then for the Red Hat Security Team, and now for the Java Team at Oracle.
Besides the work about Java Security his other interests are focused on Android Security and static and dynamic bug discovery, writing tools for scanning binaries as well as many fuzzing tools. With some of them he found bounty-rewarded CVE bugs in Chrome, Firefox and Microsoft Windows. Most (2022-present) recently he was successful in exposing blind spots in OSS-Fuzz by finding bugs in unique bugs OpenSSL and Node.js. He also likes to find bugs in macOS and multi-media applications, recently a heap overflow in GarageBand, which even made it to an article in the Forbes magazine.
Marc is a regular speaker and trainer at conferences such as Java One, HackInTheBox, Xcon, BlackHat and CanSecWest.
Further he published undx, one of the first proof-of-concepts for a Dalvik decompilation infrastructure, also he worked on an omg.org "CORBA success story" in banking. He has multiple C64s (also the SX), currently drives an Italian car, and in 2015 was a language trainer for war refugees to teach the basics of the German syntax and grammar.