bug hunting for normal people

Presented at May Contain Hackers (MCH2022), July 23, 2022, noon (50 minutes).

A series of isolated problems encountered when attempting to fuzz software, in this case Adobe Reader (DC), and hackish solutions to said problems. Constructing a fuzzing pipeline capable of finding real bugs by stringing together freely available tools creating the bare minimum of glue.

Starting from target selection, moving over requirements for a given fuzzing campaign to smart input generation, briefly touching on scaling challenges and performance issues. This presentation describes a practical approach to creating a fuzzing pipeline with the purpose of finding real world bugs in closed source software, in this case Adobe Reader (dc). The approach taken is suitable for anyone with basic scripting capabilities, is easy to replicate, and leads to bug hunting capabilities without a doctoral degree or years of experience in vulnerability discovery.


Presenters:

  • knud
    Knud does computer stuff and likes hunting for bugs in assorted systems. When not bughunting he has an impressive track record of getting hurt doing physical activities; he has managed to find vulnerabilities in his own system in activities as diverse as paintball, skydiving and snowboarding.

Links:

Similar Presentations: