Fuzzing continues to be the fastest way to find security issues and test for bugs. Effective Hardware Fuzzing with Peach will introduce students to the fundamentals of device fuzzing. Peach was designed to fuzz any type of data consumer from servers to embedded devices. Researchers, corporations, and governments already use Peach to find vulnerabilities in hardware. This course will focus on using Peach to target embedded devices and collect information from the device in the event of a crash. Students that take this course will be able to interface or extend Peach to fuzz their own hardware platforms.
The course is designed to be student-centric, hands-on, and lab intensive. On day one you will learn to bridge the Peach Fuzzing Framework to target hardware. You will learn how to use Peach to fuzz the variety of targets, buses, and protocols an embedded device can present. On the second day you learn how to collect feedback from behind the silicon curtain and extend Peach to fit your custom hardware targets.
Penetration testersSecurity engineer with hardware or mobile focusEmbedded device/mobile device engineers
Fuzzing Experience, Some Hardware Experience
Modern Laptop capable of running VMWare, with a minimum 20 GB free disk, 1GB RAM (2GB RAM recommended), 2 USB Ports, Ethernet jack, VMWare Player (free)
Printed Slides and Lab MaterialsUSB stick with course material and image
Adam Cecchetti is a founding partner, consultant, and security researcher at Déjà vu Security. Adam specializes in application and hardware penetration testing. Adam has over 10 years of professional penetration testing experience and is a contributing author to multiple security books, benchmarks, tools, and research projects. Adam holds a master's degree from Carnegie Mellon University in Electrical and Computer Engineering. He has been leading application penetration tests, hardware reverse engineering, code and design reviews for the Fortune 500 for the last decade. Adam's research is currently heavily focused on hardware fuzzing and automated exploitation analysis.