Fuzzing source-code and binary-only targets like a pro

On day 1 we will see how to effective fuzz targets for which we have source code based on afl++ and libfuzzer. On day 2 we will target binary-only programs based on Qemu, afl-dyninst and other tools.

What is effective, how can we use structure information when fuzzing, how to perform large fuzzing campaigns, does intel-pt help us, and what about other platforms like ARMv7, AARCH64 and PowerPC - this training will give you the answers!

The goal of this class it to perform software security fuzzing (black box, grey box, white box) for finding security vulnerabilities.

Agenda

For source code (white box) we will take a look at afl++ and libfuzzer, understand how they work, prepare our targets in an optimized manner and run them against real-world targets. Then we have a look at the various mutators, schedulers and custom options and what afl compatible fuzzer variants (important!) can help us to make the fuzzing better.

In the next step we will look at how we can add data structures to the fuzzing to make it effective. Finally we will plan a comprehensive large fuzzing campaign for a target - how many instances to run, with which mutators and schedulers and afl variants, and when to replace them.

So we don’t loose time watching fuzzing UI stats, we will use the time during fuzzing to talk about crash analysis, checking the code coverage of our fuzzing and talking about cool afl features.

For binary-only targets (black/grey box) we will see what options we have to fuzz those targets with input driven feedback. Our main tools will be Qemu and afl-dyninst together with afl++ to fuzz targets, but we will also have a look at good alternatives to these like Unicorn, DynamoRIO, Intel PT, etc.

With this on our belt we will even be able to fuzz targets on other platforms like ARM or on *BSD. Additionally we will talk (and try out) other solutions like Intel PT and symbolic execution engines like DynamoRIO and Pintools for fuzzing.

The focus is on Linux on Intel processors but *BSD and Windows, and ARM/AARCH64/… are touched as well - for source code and binary-only fuzzing, although due time constraints all hands-on work will be on Intel Linux. But bring other targets if you have them - you can also choose to fuzz these and get assistance! :-)

Day 1 - Source code

  • Introduction to afl++;
  • How to prepare targets for afl++;
  • Running afl++ effectively;
  • Introduction to libfuzzer;
  • How to effectively code API tests with libfuzzer;
  • How to run libfuzzer effectively;
  • Structure fuzzing with afl++ and libfuzzer;
  • Customer mutators and special input requirements;
  • How to fuzz network services in targets;
  • afl-compatible alternatives;
  • Verifying fuzzing code coverage;
  • Tips, tricks, features for afl++;
  • Setting up a comprehensive, effective fuzzing campaign for a target.

Day 2 - Binary-only

  • Possible sources for fuzzing feedback;
  • Fuzzing with afl-dyninst;
  • Fuzzing with Qemu;
  • Alternatives for feedback driven fuzzing binary-only targets;
  • Introduction to the Unicorn engine and symbolic execution for fuzzing;
  • Using winafl on Windows to fuzz DLLs - and other alternatives to winafl.
  • “I have 256 crashes - now what?” - we will answer this :-)!

Prerequisites

Students should have a good experience with Linux and be comfortable coding in C/C++, also basic debugging experience is helpful.

Requirements

Students must bring a laptop with Linux installed (VM or native), Kali Linux is highly recommended. If you want to fuzz on Windows, a Windows VM is recommended for those interested, there wont be group exercises for this though, but I will help out if you want to play there - or any other processor or OS platform.

The trainer is one of the maintainers of afl++. Expect the training to go way past the 17:00 deadline!

About the Speaker