Workshop: Find more bugs efficiently with easy fuzzing recipes

MARC SCHOENEFELD

March 22 @ TCC >>

Abstract

Introduction:

There’s a common misconception that successful fuzzing is synonymous with complex tools, and that these tools necessitate significant effort in both preparation and operation to uncover CVEs in high-value targets.

Objective:

This workshop aims to debunk this myth by showcasing various strategies that can expedite the process of identifying vulnerabilities. We’ll demonstrate that a well-orchestrated fuzzing campaign can often be built upon simple tools. With a deep understanding of the system under test, intricate features such as instrumentation can be replaced by fine-tuning the focus towards the fuzzing target area.

Methodology:

We’ll illustrate how this can be achieved proactively by selecting an efficient fuzzing harness and/or corpus from the outset. Practical criteria for choosing existing harnesses or creating new ones will be presented.

Practical Application:

As the ultimate goal of fuzzing is to discover intriguing bugs, we’ll engage participants in interactive sessions where we’ll navigate through various scenarios to find real-life CVEs in high-value targets like Node.js, OpenSSL, and more.

REGISTER NOW

Workshop Outline

Introduction

  • Overview of the workshop
  • Explanation of fuzzing and its importance

Understanding the Basics

  • Debunking the myth of complex tools for successful fuzzing
  • Discussion on the system under test and the concept of a fuzzing target area

Fuzzing Strategies

  • Demonstration of various strategies to expedite vulnerability identification
  • Discussion on the selection and creation of efficient fuzzing harnesses and/or corpus

Practical Application

  • Interactive session on finding real-life CVEs in high-value targets like Node.js, OpenSSL, etc.
  • Participants engage in hands-on activities within a Linux VM workshop environment
  • Activities close with an open Forum to present own approaches or ask questions

Wrap-up and Conclusion

  • Recap of the workshop’s key points
  • Discussion on further resources and learning paths
  • Closing remarks and end of workshop

Prerequisites:

Participants should have familiarity with Unix-like command line utilities, as the hands-on activities will be conducted within a Linux workshop environment using a VirtualBox VM. You can also come with UTM or WSL, but ymmv.

BOOTSTRAP25's Workshop rooms

Marc's BOOTSTRAP25 Training

All trainings come with complimentary access to our BOOTSTRAP25 event! Book a virtual or in-person trainings and get a taste of the others at BOOTSTRAP25!

Demystifying Low-Tech Fuzzing: Unconventional Approaches to Uncovering CVEs
The “Low Tech Fuzzing” class is designed to teach students efficient fuzzing techniques to quickly find and validate bugs in software.
Ringzer0Ringzer0

In-Person Training | March 20-21

REGISTER NOW

Marc Schoenefeld

Marc has a 23-year track record of finding CVE-classified vulnerabilities. Ever since starting as intern with COBOL programming in the 1990s he showed interest in breaking software. Tired of finding strcpy-bugs in the late 1990s he welcomed the arrival of the new Java programming language, for which he researched and presented native attack vectors as early as at Blackhat 2002.

From that point in time, he pursued his research in Java Security and received his Dr. rer. nat. (similar to PhD) in 2010 from the University of Bamberg. His thesis covered the topic of Security Antipatterns in Distributed Java Components. In 2011 he published a book with the title "Java Security". He continuously worked on these topics during his day work positions as security architect at (former) GAD, then for the Red Hat Security Team, and now for the Java Team at Oracle.

Besides the work about Java Security his other interests are focused on Android Security and static and dynamic bug discovery, writing tools for scanning binaries as well as many fuzzing tools. With some of them he found bounty-rewarded CVE bugs in Chrome, Firefox and Microsoft Windows. Most (2022-present) recently he was successful in exposing blind spots in OSS-Fuzz by finding bugs in unique bugs OpenSSL and Node.js. He also likes to find bugs in macOS and multi-media applications, recently a heap overflow in GarageBand, which even made it to an article in the Forbes magazine.

Marc is a regular speaker and trainer at conferences such as Java One, HackInTheBox, Xcon, BlackHat and CanSecWest.

Further he published undx, one of the first proof-of-concepts for a Dalvik decompilation infrastructure, also he worked on an omg.org "CORBA success story" in banking. He has multiple C64s (also the SX), currently drives an Italian car, and in 2015 was a language trainer for war refugees to teach the basics of the German syntax and grammar.

https://www.linkedin.com/in/marcschoenefeld/

REGISTER NOW
Ringzer0 ★ BOOTSTRAP25
Welcome To BOOTSTRAP25 Thompson Conference Center, Austin TX // March 18-22 BOOK NOW Keep Austin reverse-engineering and learn with Ringzer0! Ringzer0 returns to the Thompson Conference Center, Austin, TX in March 2025 with BOOTSTRAP25, a celebration of South-West Cyber. Our one-day event follows a week of intense reverse engineering. Come for
Ringzer0Ringzer0

All BOOTSTRAP25 + Bootloader Mixer Talks and Workshops

See also
Our Sponsors
Gallery Image
Gallery Image
Gallery Image
Gallery Image
Great! Next, complete checkout for full access to Ringzer0
Welcome back! You've successfully signed in
You've successfully subscribed to Ringzer0
Success! Your account is fully activated, you now have access to all content
Success! Your billing info has been updated
Your billing was not updated