Class Details
Fuzzing as a methodology has been an area of interest for generations of security researchers and has proved to be a very effective way to find vulnerabilities. It is today broadly used in various initiatives like OSS-Fuzz or syzbot helping open-source projects detecting bugs early on.
However when it comes to auditing closed-source binaries, things are less straightforward. They are interesting targets widely spread on operating systems, smartphones etc. Hopefully, wisely combining public research projects and homemade tools enable achieving efficient, and close to source-level performances.
We used to say “There's nothing like a custom fuzzer for a target”. As such, this training aims at providing trainee concepts, methods and building blocks to create proper harness and fuzzers to deal with real-life softwares.
Through the use of LIEF, QBDI, HF/QBDI, Triton and TritonDSE the training aims at explaining how one can achieve efficient fuzzing on closed-source targets.
Fuzzing research covers a wide range of targets including notably kernel or browser fuzzing. Covering these targets would require a whole training for each of them. Thus, this session focuses on standard userland Linux-based binaries.
Course Objectives
- Giving trainee the methodology, knowledge and means to achieve efficient fuzzing on real-life software
- Enabling facing challenges that fuzzing raises (exotic targets, no source code, etc.)
- Understanding how to build and using our own tools when necessary
Course Topics
Part 1: Introduction to vulnerability research and fuzzing
- Introduction to vulnerability research
- Code review
- Reverse engineering
- Fuzzing
- Introduction to fuzzing
- Methodology (target analysis, attack surface)
- Setup harness writing
- Corpus management
- Monitoring the fuzzing campaign
- Crash triaging
- Common tools
- Limits: hard to reach / detect bugs, inappropriate targets
- Memory sanitizers
Part 2: Instrumentation of binary-only softwares
- Static instrumentation
- Handling and modifying binary formats
- Dynamic instrumentation
- Hooking, Hot-patching, frida
- Dynamic Binary Instrumentation (DBI)
- QBDI, understanding, preload, bindings
- harnessing at binary-level
Part 3: Binary-level fuzzing with Honggfuzz/QBDI
- fuzzing closed-source binaries with Honggfuzz and QBDI
- being faster:
- optimizing instrumentatation
- DBI-based fork-server
- DBI caching mechanism
- DBI persistency
- getting deeper:
- comparison breaking
- function interposition etc.
Part 4: Exploration and vulnerability research with symbolic execution
- introduction to symbolic execution
- SMT solving: concepts, theories (BV, Array)
- usage of SMT for reverse-engineering
- introduction Triton
- TritonDSE: path exploration with Triton
- bridging the gap with fuzzers: building a basic in-memory concolic fuzzer
All softwares and tools provided during this training can be freely used but not shared for those that are not open-sourced (if any).
Who Should Attend
Reverse engineers, software auditors/testers or any security researcher willing to understand core-concepts of binary fuzzing and applying them on any softwares.
Prerequisites & Requirements & Notes
- Basic reverse-engineering skills (x86_64)
- Basic skills in Python and C/C++
- Laptop with (Virtualbox, vmware) as all materials will be provided on a VM
- 10Gb+ disk space
- The more CPU and RAM the better