Finding Security Vulnerabilities Through Fuzzing

Presented at DEF CON 30 (2022), Aug. 12, 2022, 9 a.m. (240 minutes)

Many people are interested in finding vulnerabilities but don't know where to start. This workshop is aimed at providing details on how to use fuzzing to find software vulnerabilities. We will discuss what fuzzing is, the different types of fuzzers, and how to use them. This training will start with a basic introduction to different types of vulnerabilities which are very common in software. Later on during the training we will first start with fuzzing a simple C program which contains these vulnerabilities. After that we will see how we fuzz real-world open source software using fuzzers like AFL, libFuzzer and honggfuzz. This talk will also provide details on how AFL works, the different mutation strategies it uses, the basics of compile-time instrumentation, how to collect a corpus for fuzzing and how to minimize it, crash triage, and finding the root cause.

Key takeaways from this workshop will be:

1. Understanding of common types of security vulnerabilities like buffer overflow, heap overflow, use after free, double free, out-of-bounds read/write, memory leaks, etc.
2. Understanding how to use various fuzzers like AFL, libFuzzer, honggfuzz, etc.
3. How to fuzz various open source software on Linux.
4. How to do basic debugging to find the root cause of vulnerabilities on Linux.
5. How to write secure software by having an understanding of common types of vulnerabilities.

Materials: A laptop with at least 16GB RAM, a minimum 4-core processor, and VirtualBox or VMware. I will be sharing a Linux VM based on Kali which will have all the tools required for the workshop.

Prereq: Basic knowledge of C and C++, and basic knowledge of Linux and Windows.

Presenters:

  • Hardik Shah - Security Researcher
    Hardik Shah is an experienced security researcher and technology evangelist. He is currently working with Sophos as a Principal Threat Researcher. Hardik has found many vulnerabilities in Windows and other open source software. He currently has around 30+ CVEs in his name. He was also MSRC most valuable researcher for the year 2019 and top contributing researcher for MSRC Q1 2020. Hardik enjoys analysing the latest threats and figuring out ways to protect customers from them. You can follow him on Twitter @hardik05 and read some of his blogs here: https://news.sophos.com/en-us/author/hardik-shah/ and https://www.mcafee.com/blogs/author/hardik-shah
