Fuzzing source-code and binary-only targets like a pro

On day 1 we will see how to effectively fuzz targets for which we have source code, based on afl++ and libfuzzer. On day 2 we will target binary-only programs using Qemu, afl-dyninst and Unicorn.

What does effective fuzzing look like, how can we use structure information when fuzzing, how do we run large fuzzing campaigns, does intel-pt help us, and what about other platforms like ARMv7, AARCH64 and PowerPC? This training will give you the answers!

The goal of this class is to perform software security fuzzing (black box, grey box, white box) for finding security vulnerabilities.

Agenda

For source code (white box) we will take a look at afl++ and libfuzzer, understand how they work, prepare our targets in an optimized manner and run them against real-world targets. Then we will look at the various mutators, schedulers and custom options, and at which afl-compatible fuzzer variants (important!) can help us make the fuzzing better.

In the next step we will look at how we can add knowledge of the input's data structures to the fuzzing to make it effective. Finally we will plan a comprehensive large fuzzing campaign for a target: how many instances to run, with which mutators, schedulers and afl variants, and when to replace them.

So we don't lose time watching fuzzing UI stats, we will use the time while fuzzing to talk about crash analysis, checking the code coverage of our fuzzing, and cool afl features.

For binary-only targets (black/grey box) we will see what options we have to fuzz those targets with input-driven feedback. Our main tools will be Qemu and afl-dyninst together with afl++ to fuzz targets, but we will also have a look at good alternatives to these. Additionally we will have an introduction to the Unicorn engine for full-system emulation.

With this under our belt we will even be able to fuzz targets from other platforms like ARM on a fast Intel CPU. Additionally we will talk about (and try out) other solutions like intel-pt, symbolic execution engines, and DynamoRIO and Pintools for fuzzing.

The focus is on Linux on Intel processors, but *BSD and Windows, and ARM/AARCH64/… are covered as well, for both source code and binary-only fuzzing.

Day 1 - Source code

  • Introduction to afl++;
  • How to prepare targets for afl++;
  • Running afl++ effectively;
  • Introduction to libfuzzer;
  • How to effectively code API tests with libfuzzer;
  • How to run libfuzzer effectively;
  • Structure fuzzing with afl++ and libfuzzer;
  • Custom mutators and special input requirements;
  • How to fuzz network services in targets;
  • afl-compatible alternatives;
  • Verifying fuzzing code coverage;
  • Tips, tricks, features for afl++;
  • Setting up a comprehensive, effective fuzzing campaign for a target.
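As an added illustration of the "API tests with libfuzzer" and "structure fuzzing" topics above (this is example code written for this page, not material from the training or from the afl++/libFuzzer projects), here is a minimal libFuzzer harness around a hypothetical `parse_records` API. The record format (1-byte tag, 1-byte length, payload), the `parse_records` and `checksum_of` functions and all sample inputs are constructed for the example. It shows the harness conventions that matter in practice: a deterministic entry point with no global state, bounds checks the fuzzer would otherwise find as crashes, and invariant checks (`__builtin_trap()`) so the fuzzer reports logic bugs and not only memory errors.

```c
// Example libFuzzer harness for a hypothetical record parser (constructed for
// this page; not part of the training or of any real project).
//
// Fuzz build:        clang -g -O1 -fsanitize=fuzzer,address harness.c -o harness
// Stand-alone build: cc -DSTANDALONE_DEMO harness.c -o harness && ./harness
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

// Hypothetical API under test. Input is a sequence of records:
//   tag (1 byte) | len (1 byte) | payload (len bytes)
// Returns the number of records parsed, or -1 on malformed input.
// The checksum of all payload bytes (xor-ed with each tag) is written to
// *checksum when the pointer is non-NULL.
int parse_records(const uint8_t *buf, size_t size, uint32_t *checksum) {
    size_t pos = 0;
    int count = 0;
    uint32_t sum = 0;

    while (pos < size) {
        if (size - pos < 2)            // header truncated
            return -1;
        uint8_t tag = buf[pos];
        uint8_t len = buf[pos + 1];
        pos += 2;
        if (len > size - pos)          // payload truncated; without this check a
            return -1;                 // fuzzer finds the over-read within seconds
        for (size_t i = 0; i < len; i++)
            sum = sum * 31u + buf[pos + i];
        sum ^= tag;
        pos += len;
        count++;
    }
    if (checksum)
        *checksum = sum;
    return count;
}

// Convenience wrapper: checksum of a well-formed buffer, 0 for malformed input.
uint32_t checksum_of(const uint8_t *buf, size_t size) {
    uint32_t cs = 0;
    return parse_records(buf, size, &cs) < 0 ? 0 : cs;
}

// libFuzzer entry point. Rules: deterministic, no state kept between calls,
// never exit(), always return 0. Beyond memory safety (caught by ASan), the
// harness asserts API invariants so logic bugs surface as crashes too.
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint32_t cs1 = 0, cs2 = 0;
    int n1 = parse_records(data, size, &cs1);

    // Invariant 1: every record costs at least 2 bytes, so count <= size / 2.
    if (n1 > (int)(size / 2))
        __builtin_trap();

    // Invariant 2: parsing is deterministic, and the NULL-checksum path must
    // agree with the checksum path on the record count.
    int n2 = parse_records(data, size, &cs2);
    if (n1 != n2 || cs1 != cs2)
        __builtin_trap();
    if (parse_records(data, size, NULL) != n1)
        __builtin_trap();

    return 0;
}

#ifdef STANDALONE_DEMO
// Runs the harness on a few constructed inputs without libFuzzer, which is a
// useful smoke test before starting a campaign.
int main(void) {
    const uint8_t ok[]        = {1, 2, 'a', 'b'};        // one record, payload "ab"
    const uint8_t two[]       = {0, 0, 2, 1, 'x'};       // two records
    const uint8_t truncated[] = {1, 5, 'a', 'b'};        // len 5 but only 2 bytes
    LLVMFuzzerTestOneInput(ok, sizeof ok);
    LLVMFuzzerTestOneInput(two, sizeof two);
    LLVMFuzzerTestOneInput(truncated, sizeof truncated);
    printf("records: %d, %d, %d\n",
           parse_records(ok, sizeof ok, NULL),
           parse_records(two, sizeof two, NULL),
           parse_records(truncated, sizeof truncated, NULL));
    return 0;
}
#endif
```

Seed the corpus with a few well-formed records and let the mutators break the length fields; the invariant checks are what turn a "structure-aware" harness into one that finds more than just out-of-bounds reads.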

Day 2 - Binary-only

  • Possible sources for fuzzing feedback;
  • Fuzzing with Qemu;
  • Fuzzing with afl-dyninst;
  • Alternatives for feedback driven fuzzing binary-only targets;
  • Introduction to the Unicorn engine;
  • Introduction to symbolic execution for fuzzing;
  • Using winafl on Windows to fuzz DLLs;
  • “I have 256 crashes - now what?” - we will answer this :-)!

Prerequisites

Students should have good experience with Linux and be comfortable coding in C/C++; basic debugging experience is also helpful.

Requirements

Students must bring a laptop with Linux installed (VM or native); Kali Linux is highly recommended. For the Windows components, a Windows VM is recommended for those interested.

The trainer is one of the maintainers of afl++. Expect the training to go way past the 17:00 deadline!

About the Speaker