Practical Vulnerability Discovery with Fuzzing

Brian Gorenc & Abdul-Aziz Hariri | August 4-5



Overview

Finding vulnerabilities in modern software requires knowledge of multiple frameworks and an in-depth understanding of thousands of lines of code. Manually auditing these sizable code bases is impractical without the aid of automation. This course is designed to introduce students to the concept of vulnerability discovery through fuzzing, triaging security vulnerabilities, and determining the exploitability of crashing conditions.

Students will be exposed to techniques for quickly identifying common patterns in specifications that produce vulnerable conditions, will learn the process of building a successful fuzzer, and will be introduced to public fuzzing frameworks that produce quality results. These concepts will be reinforced with "real world" case studies that demonstrate the fundamentals being introduced. By the end of the course, students will be able to leverage existing fuzzing frameworks, develop their own test harnesses, integrate publicly available data generation engines, and automate the analysis of crashing test cases.

Some of the topics to be covered include:

  • Protocol and specification analysis
  • Mutational and grammar-based input generation
  • Target monitoring using custom-developed test harnesses
  • Best practices in analyzing software exceptions
  • Tips and guidance on how to discover 0-day vulnerabilities

Who Should Take this Course

This class is aimed at individuals who wish to learn the fundamentals of the fuzzing process, develop advanced fuzzing frameworks, and/or improve their bug-finding capabilities. The material is suitable for any individual who meets the prerequisites.

Student Requirements

  • Students taking this course should be familiar with basic computer science concepts, such as programming, debugging, and operating system behavior.
  • Students should be comfortable with the Python programming language and be able to read basic x86 machine code.
  • Some familiarity with software vulnerabilities and software exploitation would also be useful but is not necessary.

What Students Should Bring

  • The laptop should have at least 20 GB of free hard disk space and 8 GB or more of RAM.
  • VMware Workstation (Windows) or VMware Fusion (Mac) should be installed.

What Students Will Be Provided With

VM Environment and Printed Course Material

Trainers

Brian Gorenc is the director of Vulnerability Research with Trend Micro. In this role, Gorenc leads the Zero Day Initiative (ZDI) program, which represents the world's largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world's most popular software. Brian is also responsible for organizing and adjudicating the ever-popular Pwn2Own hacking competitions. Gorenc has been with ZDI since 2012, continually working on discovering new vulnerabilities, analyzing attack techniques, and identifying vulnerability trends. His work has led to the discovery and remediation of numerous critical vulnerabilities in Microsoft, Adobe, and Oracle products, open-source software, SCADA systems, and embedded devices. He has presented at numerous security conferences, including Black Hat, DEF CON, Breakpoint, Ruxcon, PacSec, REcon, and RSA. More recently, Brian led the team that was awarded the Microsoft Mitigation Bypass Bounty and the Blue Hat Bonus for Defense bounty, which resulted in $125,000 being donated to STEM programs. Under his leadership, the Zero Day Initiative program has coordinated the disclosure of over 2000 zero-day vulnerabilities.

Abdul-Aziz Hariri is a security researcher with the Zero Day Initiative program. In this role, Hariri analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which is the world's largest vendor-agnostic bug bounty program. His focus includes root-cause analysis, fuzzing, and exploit development. Prior to joining ZDI, Hariri worked as an independent security researcher and as a threat analyst for Morgan Stanley's emergency response team. During his time as an independent researcher, he was profiled by Wired magazine in their 2012 article, "Portrait of a Full-Time Bug Hunter." In 2015, Abdul was part of the research team that submitted "Breaking Silent Mitigations - Gaining code execution on Isolated Heap and MemoryProtection hardened Internet Explorer" to the Microsoft bounty program. Their submission netted the highest payout to date from the Microsoft bounty program, and the proceeds went to many STEM organizations.