## Class Details
Fuzzing as a methodology has been an area of interest for generations of security
researchers and has proved to be a very effective way to find vulnerabilities. It
is today broadly used in various initiatives like OSS-Fuzz or syzbot helping open-source
projects detecting bugs early on.
However when it comes to auditing closed-source binaries, things are less straightforward.
They are interesting targets widely spread on operating systems, smartphones etc. Hopefully,
wisely combining public research projects and homemade tools enable achieving efficient, and
close to source-level performances.
We used to say "There's nothing like a custom fuzzer for a target". As such, this training
aims at providing trainee concepts, methods and building blocks to create proper harness
and fuzzers to deal with real-life softwares.
Through the use of LIEF, QBDI, HF/QBDI, Triton and TritonDSE the training aims at explaining
how one can achieve efficient fuzzing on closed-source targets.
Fuzzing research covers a wide range of targets including notably kernel or browser fuzzing.
Covering these targets would require a whole training for each of them. Thus, this session
focuses on standard userland Linux-based binaries.
## Course Objectives
* Giving trainee the methodology, knowledge and means to achieve efficient fuzzing on real-life
software
* Enabling facing challenges that fuzzing raises (exotic targets, no source code, etc.)
* Understanding how to build and using our own tools when necessary
## Course Topics
#### Part 1: Introduction to vulnerability research and fuzzing
1. Introduction to vulnerability research
* Code review
* Reverse engineering
* Fuzzing
2. Introduction to fuzzing
* Methodology (target analysis, attack surface)
* Setup harness writing
* Corpus management
* Monitoring the fuzzing campaign
* Crash triaging
* Common tools
* Limits: hard to reach / detect bugs, inappropriate targets
* Memory sanitizers
#### Part 2: Instrumentation of binary-only softwares
1. Static instrumentation
* Handling and modifying binary formats
2. Dynamic instrumentation
* Hooking, Hot-patching, frida
* Dynamic Binary Instrumentation (DBI)
* QBDI, understanding, preload, bindings
* harnessing at binary-level
#### Part 3: Binary-level fuzzing with Honggfuzz/QBDI
* fuzzing closed-source binaries with Honggfuzz and QBDI
* being faster:
* optimizing instrumentatation
* DBI-based fork-server
* DBI caching mechanism
* DBI persistency
* getting deeper:
* comparison breaking
* function interposition etc.
#### Part 4: Exploration and vulnerability research with symbolic execution
* introduction to symbolic execution
* SMT solving: concepts, theories (BV, Array)
* usage of SMT for reverse-engineering
* introduction Triton
* TritonDSE: path exploration with Triton
* bridging the gap with fuzzers: building a basic in-memory concolic fuzzer
All softwares and tools provided during this training can be freely
used but not shared for those that are not open-sourced (if any).
## Who Should Attend
Reverse engineers, software auditors/testers or any security researcher willing to
understand core-concepts of binary fuzzing and applying them on any softwares.
## Prerequisites & Requirements & Notes
* Basic reverse-engineering skills (x86_64)
* Basic skills in Python and C/C++
* Laptop with (Virtualbox, vmware) as all materials will be provided on a VM
* 10Gb+ disk space
* The more CPU and RAM the better
Jeremy Marchand is a software security researcher focusing on reverse and fuzzing various type of targets. He works at Quarkslab in the Automated Analysis team.
Robin David
Robin David is a French software security researcher focused on reverse engineering and software testing (fuzzing and symbolic execution). He originally holds a PhD from the Atomic Energy Comission (CEA) where he attacked obfuscation using formal methods and symbolic execution. He is now full-time security researcher at Quarkslab where he is leading the automated analysis team.
#### TRAINING SCHEDULE
| | |
|------------------|-------------------|
| FEB 27 Monday | Live Lecture (4h) |
| FEB 28 Tuesday | Live Lecture (4h) |
| MAR 01 Wednesday | Live Lecture (4h) |
| MAR 02 Thursday | Live Lecture (4h) |
| MAR 03 Friday | Live Lecture (4h) |
| MAR 06 Monday | Live Lecture (4h) |
##### Live Lecture Timings
| | |
|---------------|-----------------|
| 9 am - 1 pm | US Pacific Time |
| 12 pm - 4 pm | US Eastern Time |
| 5 pm - 9 pm | UK |
| 6 pm - 10 pm | CET |
#### TRAINING SCHEDULE
This training shall be conducted during
**EXACT LECTURE DATES SHALL BE ANNOUNCED SOON.**
