Fuzzing with American Fuzzy Lop, Address Sanitizer and LibFuzzer

From March 20, 2017 to March 21, 2017

This workshop will give an introduction to bug finding techniques targeted at C/C++ code.

The participants will learn to use Address Sanitizer and the other sanitizer features of gcc and clang under Linux. They will also get an introduction to the fuzzing tools American Fuzzy Lop and libFuzzer.

Address Sanitizer is a compiler feature that can find various memory corruption issues such as buffer overflows and use-after-free errors.

American Fuzzy Lop and libFuzzer are instrumentation-based fuzzing tools that have uncovered a large number of bugs in the past.
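To make the two previous paragraphs concrete, here is an added example (not workshop material and not code from the speaker): a small length-prefixed record parser in a buggy and a hardened variant, with a libFuzzer entry point and a stand-alone main. The record format, the file name and the build commands are assumptions made for this example. Built with clang's -fsanitize=fuzzer,address, the fuzzer reaches an oversize length byte within seconds and Address Sanitizer reports a stack-buffer-overflow at the memcpy in the unchecked parser; pointing the harness at the checked parser instead shows the same run continuing cleanly.

```c
/* Added example (not part of the workshop): record parser, fuzz harness, demo main.
 *
 * Fuzzing build (assumed invocation, clang with libFuzzer):
 *   clang -g -O1 -fsanitize=fuzzer,address record_fuzz.c -o record_fuzz && ./record_fuzz
 * Plain build that just runs the demo corpus below:
 *   cc -g -fsanitize=address record_fuzz.c -o record_demo && ./record_demo
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 16

/* Record format (constructed for this example): one length byte, then that
 * many payload bytes. The caller supplies a PAYLOAD_MAX-byte output buffer. */

/* Buggy variant: trusts the length byte. A length above PAYLOAD_MAX copies past
 * the caller's buffer. Under -fsanitize=address the first such fuzzer input
 * yields a stack-buffer-overflow report pointing at this memcpy. */
int parse_record_unchecked(const uint8_t *data, size_t size, uint8_t out[PAYLOAD_MAX])
{
    if (size < 1)
        return -1;
    size_t len = data[0];
    if (size < 1 + len)
        return -1;                /* truncated record */
    memcpy(out, data + 1, len);   /* missing: len <= PAYLOAD_MAX */
    return (int)len;
}

/* Hardened variant: the same parser with the bound the fuzzer shows is missing. */
int parse_record_checked(const uint8_t *data, size_t size, uint8_t out[PAYLOAD_MAX])
{
    if (size < 1)
        return -1;
    size_t len = data[0];
    if (len > PAYLOAD_MAX)
        return -1;                /* oversize payload rejected, never copied */
    if (size < 1 + len)
        return -1;                /* truncated record */
    memcpy(out, data + 1, len);
    return (int)len;
}

/* libFuzzer entry point: the library calls this with mutated inputs. It targets
 * the unchecked parser so the sanitizer report can be observed; switch the call
 * to parse_record_checked to confirm the fix. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    uint8_t out[PAYLOAD_MAX];
    parse_record_unchecked(data, size, out);
    return 0;
}

/* Runs the hardened parser over a constructed corpus and returns how many
 * records it accepted (expected: 1, the well-formed one). */
int run_demo_corpus(void)
{
    static const uint8_t well_formed[] = {3, 'a', 'b', 'c'};
    static const uint8_t truncated[]   = {5, 'x'};
    static uint8_t oversize[1 + 40];
    uint8_t out[PAYLOAD_MAX];
    int accepted = 0;

    memset(oversize, 'A', sizeof oversize);
    oversize[0] = 40;             /* length byte larger than PAYLOAD_MAX */

    if (parse_record_checked(well_formed, sizeof well_formed, out) >= 0) accepted++;
    if (parse_record_checked(truncated, sizeof truncated, out) >= 0) accepted++;
    if (parse_record_checked(oversize, sizeof oversize, out) >= 0) accepted++;
    return accepted;
}

/* clang defines FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION under -fsanitize=fuzzer,
 * where libFuzzer supplies main, so the demo main is only built otherwise. */
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
int main(void)
{
    printf("hardened parser accepted %d of 3 constructed records\n", run_demo_corpus());
    return 0;
}
#endif
```

The harness is the whole libFuzzer integration: one function taking a byte buffer, no main. American Fuzzy Lop would instead be given a small main that reads a file into a buffer and calls the same parser, compiled with afl-clang-fast and the same -fsanitize=address flag, so the sanitizer report is identical under either tool.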

Requirements

Participants should bring a laptop that is either running a Linux distribution with a current version of gcc (at least 4.9) or can run a virtual machine with such a system. (A virtual machine image can be provided if needed.) Participants should have at least a basic understanding of C coding and know how to compile applications under Linux.

Hanno Böck

Hanno Böck regularly covers IT security topics as a freelance journalist for various publications, most notably Golem.de. He also runs the Fuzzing Project, an effort to improve the security of free and open source software that is funded by the Linux Foundation's Core Infrastructure Initiative. He is also the author of the monthly Bulletproof TLS newsletter [1].

Notable publication: Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS - https://eprint.iacr.org/2016/475 (presented at Black Hat and Usenix WOOT)

Also see the speaker's webpage [2] and blog [3].

[1] https://www.feistyduck.com/bulletproof-tls-newsletter/

[2] https://hboeck.de/

[3] https://blog.hboeck.de/