Security Training

Automating vulnerability discovery with Fuzzing.

Automating the process of uncovering programming errors in software is a well-known task. Fuzzing is one of the core techniques for doing this. The basic idea behind fuzzing is to send large amounts of pseudo-random inputs to a given target application and, for each input, observe whether it triggers any faulty behaviour in the target. This technique has drastically increased in popularity in recent years. For example, the oss-fuzz project run by Google found over 16,000 bugs in 250 open source projects between its inception in January 2017 and January 2020.

Many research efforts have been put into fuzzing, so whereas fuzzing was originally introduced as sending large amounts of random inputs, the concept has now evolved into a sophisticated science that relies on rigorous program analysis techniques to send "interesting" inputs in large amounts. Some fuzzers even adapt techniques from software verification to ensure a more calculated approach to crafting inputs. Traditionally, fuzzing focused on memory corruption bugs, which often underpin sophisticated exploits, and it can discover a variety of bug classes such as stack-based buffer overflows, heap-based buffer overflows, out-of-bounds memory accesses, null-pointer dereferences and use-after-free. More recently, however, we have seen progress in the fuzzing of managed languages, e.g. Java and Go, as well.
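As an added example (not part of the course material), the following self-contained C program illustrates the two ideas above: pseudo-random inputs are thrown at a target, and coverage feedback steers the search toward "interesting" inputs, which is what turns random testing into the guided technique described here. The toy record parser, its bug, the xorshift32 generator and the modelled sanitizer check are all constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#define MAX_LEN 16
#define CORPUS_CAP 64
#define NEDGES 4

/* Toy target, constructed for this example: a "FUZ" <len> <payload> record
 * parser that trusts the declared length. A real harness would let memcpy run
 * and rely on AddressSanitizer to report the out-of-bounds read; the guard
 * before the copy models that report so the example runs without a sanitizer.
 * cov[] records which branches the input reached (the coverage signal). */
static int target(const uint8_t *d, size_t n, uint8_t *cov) {
    if (n < 1 || d[0] != 'F') return 0;  cov[0] = 1;
    if (n < 2 || d[1] != 'U') return 0;  cov[1] = 1;
    if (n < 3 || d[2] != 'Z') return 0;  cov[2] = 1;
    if (n < 4) return 0;                 cov[3] = 1;
    size_t len = d[3];
    if (len > n - 4) return 1;           /* modelled sanitizer report: OOB read */
    uint8_t payload[256]; memcpy(payload, d + 4, len);
    return 0;
}
typedef struct { uint8_t buf[MAX_LEN]; size_t len; } input_t;
static uint32_t rng;                     /* xorshift32 state, seeded by fuzz() */
static uint32_t rnd(void) { rng ^= rng << 13; rng ^= rng >> 17; rng ^= rng << 5; return rng; }

/* One random mutation: overwrite a byte, append a byte, or drop the last byte. */
static void mutate(input_t *in) {
    switch (rnd() % 3) {
    case 0: in->buf[rnd() % in->len] = (uint8_t)rnd(); break;
    case 1: if (in->len < MAX_LEN) in->buf[in->len++] = (uint8_t)rnd(); break;
    case 2: if (in->len > 1) in->len--; break;
    }
}

/* Coverage-guided loop: mutate a corpus entry, run it, keep it if it reached a
 * branch no earlier input did. Returns the iteration that first triggered the
 * bug (0 if none within max_iters); *corpus_size receives the corpus size. */
static long fuzz(uint32_t seed, long max_iters, int *corpus_size) {
    input_t corpus[CORPUS_CAP]; int ncorpus = 1;
    uint8_t seen[NEDGES] = {0};
    rng = seed ? seed : 1;                               /* xorshift needs nonzero */
    memcpy(corpus[0].buf, "AAAA", 4); corpus[0].len = 4; /* seed corpus */
    for (long i = 1; i <= max_iters; i++) {
        input_t cand = corpus[rnd() % ncorpus];
        uint8_t cov[NEDGES] = {0}; int novel = 0;
        mutate(&cand);
        if (target(cand.buf, cand.len, cov)) { *corpus_size = ncorpus; return i; }
        for (int e = 0; e < NEDGES; e++) if (cov[e] && !seen[e]) seen[e] = novel = 1;
        if (novel && ncorpus < CORPUS_CAP) corpus[ncorpus++] = cand;
    }
    *corpus_size = ncorpus; return 0;
}
```

Because a plain random search would need all three magic bytes at once, while the guided loop keeps each partial match as a corpus entry, the bug is typically hit within tens of thousands of iterations; in a real setup the modelled guard is replaced by a sanitizer-instrumented build.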

Fuzzing is popular in the industry. The behemoths of the software industry, like Microsoft and Google, have performed fuzzing for more than a decade now. DARPA invested more than 55 million in a project called the Cyber Grand Challenge, where more than 100 teams developed new techniques for automated vulnerability discovery, and the vast majority of top-performing teams relied on fuzzing as the main way of finding vulnerabilities. Fuzzing has empirically proven itself as a major way of automating the bug-finding process, and the technique has established itself as one of the de facto standards for ensuring secure software.

In this course we will introduce the concept of fuzzing and guide you from beginner concepts to state-of-the-art techniques. Along the way we will provide you with thorough intuition for the concepts and many guidelines on how to fuzz effectively. The course is focused on delivering knowledge about the best tools and techniques in fuzzing in a practical manner, such that the knowledge can be applied to modern technology. The course is designed to have a large focus on hands-on tasks, so be ready to write actual fuzzers and find real bugs.

Learning objectives
  • To provide students with a fundamental understanding of fuzzing, program analysis and vulnerability discovery.
  • To bring students up to speed with the latest tools and techniques in fuzzing.
  • To enable students to develop effective fuzz targets for arbitrary code packages, including file parsers, web browsers, binary applications and more.
  • To give the student an intuition of how to effectively deploy fuzzing.
  • To familiarise students with the latest research in the world of fuzzing and vulnerability discovery.
  • To reinforce the above knowledge through exercises and hands-on experience against real-world technologies.
Who should attend?
  • Security engineers
  • Vulnerability researchers
  • Red team professionals
  • Developers
  • Program analysis researchers
Prerequisites

In the course we will be reading a lot of C/C++ code, so it is expected that students have some familiarity with programming; however, there is no need to be an experienced developer by any means.