Using Next Generation Fuzzing Tools: Fixing Bugs and Writing Memory Corruption Exploits

Presented at DerbyCon 9.0 Finish Line (2019), Sept. 6, 2019, 1 p.m. (45 minutes).

The process of fuzzing has changed, from multation, to frameworks, to the constraint solving (CS) and genetic algorithms (GA) of today. While pre-written suites and custom one-offs can be great, GAs (AFL/Clusterfuzz) and CS (Sage/MSRD) often do the best - and we’ll drop serious vulns in this talk to prove it. These tools are paired best with scale - fuzzing-as-a-service (FaaS). It’s time to exposure your code before attackers do. But it’s still not a perfectly simple endeavor. We will explain harnesses; how to pick seeds; which portions of the app to target, CI/CD, and much more. We’ll look at an exciting, new DAST tool: microsoftsecurityriskdetection.com. From there we’ll teach you how to turn the bugs into fixes, or exploits. Excitingly, you'll learn how to write 0day from results.


Presenters:

  • John Stigerwalt
    John Stigerwalt, OSCE, OSCP, SLAE - experienced in pentesting, application auditing, exploit development, and reverse engineering. John has spent years protecting organizations from evolving threats, and is very passionate about improving organizations security.
  • Dr. Jared DeMott
    Dr. Jared DeMott is the Founder of VDA Labs. He previously served as a vulnerability analyst with the NSA. He was a finalist in Microsoft’s BlueHat prize contest. He has been on three winning Defcon capture-the-flag teams, an invited lecturer at prestigious institutions, is a Pluralsight author, and is often interviewed by Media.

Links:

Similar Presentations: