Black Hat USA 2008 Training
Caesars Palace Las Vegas • August 2-3, August 4-5
Effective Fuzzing: Using the Peach Fuzzing Platform
Michael Eddington, Leviathan
Blake Frantz, Leviathan
Overview
The entirety of the course is student centric, hands on, and lab intensive. On day one, students will be instructed on the use of the Peach Fuzzing Platform, from a practitioner's perspective, learning the ways in which Peach can be used to fuzz a variety of targets including network protocol parsers, ActiveX/COM interfaces, file parsers, APIs, and web services. Students will also be introduced to new methods by which fuzzing can be utilized to locate security flaws not typically considered detectable by fuzzing, including N-tier applications.
On the second day, students will be exposed to the internals of Peach for a developer's perspective. The Peach architecture and module interfaces will be explained in great detail as to equip students with the skills necessary to extend and adapt Peach to their custom needs. Students will then develop their own Peach extensions in a lab environment to reinforce these concepts.
Upon completion of this course, students will be enabled to create effective fuzzers that target:
- State-aware network protocol parsers
- N-tier applications
- Arbitrary APIs
- File parsers
- COM and Active/X components
- Detect non-classic faults in software
- Extend the Peach Fuzzing Platform by creating custom Transformers, Generators, Publishers, and Monitors.
- Apply these concepts and tools to their unique environment
- Utilize parallel fuzzing to increase fuzzing efficiency
Trainer:
Michael Eddington is a Principal Security Consultant with Leviathan. Mike has over ten years experience in computer security, with expertise in application security, network security, and threat modeling. Mike's recent security testing and analysis work includes design review, penetration testing, and code review of pre-release operating system features and protocols; penetration testing and code review of a prominent ecommerce purchasing application; and penetration testing of a cross-browser, cross-platform plug-in for delivering next-generation media experiences and rich interactive applications for the Web. Prior to joining Leviathan Security Group, Michael started, ran, and grew the security services practice for one of the Pacific Northwest's most well-known security consultancies. Michael also co-founded the Security Services Center for Hewlett-Packard's services division, developing many of their security methodologies in addition to developing and delivering security training courses. Michael is also an accomplished software developer, having participated in a number of open-source security development projects ranging from threat modeling (e.g. the Trike threat modeling conceptual framework, see http://dymaxion.org/trike/) to fuzzing (e.g. The Peach Fuzzing Platform, http://peachfuzz.sourceforge.net/).
Blake Frantz, Principal Security Consultant at Leviathan, has over ten years of professional experience in information security, with a broad background ranging from software security research to enterprise policy development. Blake's recent security work includes contributions to the Peach Fuzzing Framework; design review, penetration testing, and code review of pre-release operating systems; development of security guidance for an e-voting application; and an asssessment of a large GIS deployment. Prior to Leviathan, Blake was a senior security engineer at Washington Mutual where he was responsible for leading vulnerability assessments of critical financial systems. Before WaMu, Blake was a senior security consultant for mc.net, one of greater Chicago's largest Internet providers, where he led security assessments of government municipalities, healthcare facilities, and financial institutions. He also established the organization's Managed Security Services program. Blake has authored and editied various papers and tools on the topics of reverse engineering, vulnerability discovery and exploitation for the Uninformed Journal, and is a contributor to the book Hacking Exposed: Windows, 3rd Edition released in December 2007.
|
Early: Ends May 1 |
Regular: |
Late: |
Late/Onsite: Begins August 1 |
|
$2200 USD |
$2400 USD |
$2600 USD |
$2900 USD |