
Training | Gear up for binary fuzzing and reverse engineering


Synopsis

Fuzzing as a methodology has been an area of interest for generations of security researchers and has proved to be a very effective way to find vulnerabilities. Today it is broadly used in initiatives such as OSS-Fuzz or Syzbot, which help open-source projects detect bugs early on.

This training aims to provide trainees with the concepts, methods and tools needed to deal with any real-life software. Using LIEF, QBDI and Triton, we explain how fast, smart and efficient fuzzing can be achieved on closed-source targets.

Target Audience

Reverse engineers, software auditors/testers or any security researcher willing to understand the core concepts of binary fuzzing and apply them to any software.

Duration

4 days

Prerequisites

  • Basic skills in reverse-engineering (x86_64)
  • Basic skills in Python and C/C++

Objectives

  • To provide trainees with the methodology, knowledge and means to achieve efficient fuzzing on real-life software;
  • To prepare trainees to tackle the challenges that fuzzing raises (exotic targets, no source code, etc.);
  • To give trainees the understanding needed to build and use their own tools when necessary.

Modules

Day 1 - Introduction to Vulnerability Research and Fuzzing
Introduction to Software Testing and Vulnerability Research

  • Introduction to Vulnerability Research
  • Automated Software Testing
Fuzzing Concepts & Methodology

  • Introduction & Basic Concepts
  • Fuzzing Workflow & Methodology
  • Input Generation & Mutations
  • Corpus Management
  • Harnessing
Feedback-Driven Fuzzing

  • Existing Fuzzers
  • Sanitizers
  • Analyzing Results
Getting Further

  • System Optimizations
  • Dictionaries
  • Compare-Log
  • Hard Targets
Day 2 - Binary Fuzzing with Instrumentation

Binary Instrumentation

  • Introduction
  • Dynamic Binary Tracing
  • Static Binary Rewriting
Dynamic Instrumentation with QBDI

  • Understanding DBI
  • QBDI
  • QBDI Bindings
  • Harnessing at Binary Level
Honggfuzz + QBDI

  • Understanding Honggfuzz Internals
  • Honggfuzz/QBDI
Optimization: Be Faster

  • DBI Instrumentation Tuning
  • DBI-based Fork Server
  • DBI Caching Mechanism
  • DBI Persistence


Optimization: Be Smarter

  • Comparison Breaking
  • Function Interposition
  • Dislocator

Day 3 - Binary Fuzzing via Emulation

  • Binary Emulation
  • User-land Fuzzing with AFL++/QEMU
  • Low-level Fuzzing with AFL++/Unicorn

Day 4 - Advanced Fuzzing with Symbolic Execution

Introduction to Symbolic Execution

  • Symbolic Execution
  • Dynamic Symbolic Execution
  • Triton in Brief
  • Introduction to TritonDSE


Concrete Emulation with a DSE

  • Initial State
  • Input Injection
  • Execution & Hooks

SMT Solving & Symbolic Exploration

  • SMT Basic Concepts & Theories
  • SMTLIB
  • Theories
  • Usage of SMT for Reverse Engineering
  • Symbolic Exploration

Symbolic Queries

  • Encoding Queries
  • Custom Sanitizers Probes

Ensemble Fuzzing