If you just want to use fuzzers for QA purposes, this talk is not for you. If you want to really use fuzzers to find security vulnerabilities and write real exploit or at least to understand how people are actually doing that professionally, let’s have fun together.
This talk will cover the integration between fuzzers and debuggers, showing how important is to have target’s internal information to discover complex vulnerabilities and to differentiate then from simple crashes. This problem is even increased when you have thousands crashes that needs to be analyzed and prioritized.
Fuzzers became the most important technology in finding software vulnerabilities nowadays. The biggest problem in fuzzing is to determine the exploitability of the problems you will find. We are going to show the ideas behind the tools and the tools in action.
Rodrigo Rubira Branco (BSDaemon) works as Principal Security Researcher at Intel Corporation and is the Founder of the Dissect || PE Malware Analysis Project. Held positions as Director of Vulnerability & Malware Research at Qualys and as Chief Security Research at Check Point where he founded the Vulnerability Discovery Team (VDT) and released dozens of vulnerabilities in many important software. In 2011 he was honored as one of the top contributors to Adobe Vulnerabilities in the past 12 months. Previous to that, he worked as Senior Vulnerability Researcher in COSEINC, as Principal Security Researcher at Scanit and as Staff Software Engineer in the IBM Advanced Linux Response Team (ALRT) also working in the IBM Toolchain (Debugging) Team for PowerPC Architecture. He is a member of the RISE Security Group and is the organizer of Hackers to Hackers Conference (H2HC), the oldest and biggest security research conference in Latin America. He is an active contributor to open-source projects (like ebizzy, linux kernel, others). Accepted speaker in lots of security and open-source related events as H2HC, Black Hat, Hack in The Box, XCon, VNSecurity, OLS, Defcon, Hackito, Ekoparty, Troopers and others.