bug hunting for normal people

Presented at May Contain Hackers (MCH2022), July 23, 2022, noon (50 minutes)

A series of isolated problems encountered when attempting to fuzz software, in this case Adobe Reader (DC), and hackish solutions to said problems. Constructing a fuzzing pipeline capable of finding real bugs by stringing together freely available tools creating the bare minimum of glue.

Starting from target selection, moving over requirements for a given fuzzing campaign to smart input generation, briefly touching on scaling challenges and performance issues. This presentation describes a practical approach to creating a fuzzing pipeline with the purpose of finding real world bugs in closed source software, in this case Adobe Reader (dc). The approach taken is suitable for anyone with basic scripting capabilities, is easy to replicate, and leads to bug hunting capabilities without a doctoral degree or years of experience in vulnerability discovery.

Presenters:

• knud
  Knud does computer stuff and likes hunting for bugs in assorted systems. When not bughunting he has an impressive track record of getting hurt doing physical activities; he has managed to find vulnerabilities in his own system in activities as diverse as paintball, skydiving and snowboarding.

Links:

• https://program.mch2022.org/mch2021-2020/talk/HVQDNE/

Similar Presentations:

• Black Hat Europe 2016 / Effective File Format Fuzzing – Thoughts, Techniques and Results
• Diana Initiative 2022 / Fuzzing: A Must Have in Your Bug Hunting Arsenal
• BruCON 0x0A (2018) / Finding security vulnerabilities with modern fuzzing techniques Workshop