Presented at
CanSecWest 2024,
March 22, 2024, 2 p.m.
(60 minutes).
While AFL, libfuzzer and their derivates are mighty tools to discover bugs, they are still very complex, which requires a certain learning curve prior successful usage. Also memory or other restrictions may prevent usage in all scenarios.
In our talk we present our approach to apply low-tech fuzzing to pursue bug finding in high profile software products. For example well-chosen corpus computed ahead of time can be as powerful as collecting coverage data while fuzzing. Also threshold information such as meta-data tipping points can allow to fine tune bug hunting campaigns. Which means the applied techniques can be supplemental, and by replacing one with the other, bugs would still be found, while aiming for simplicity in the harness setup
To back up this claim we present the workflow steps towards finding several of our findings, most prominently CVEs in OpenSSL and in the cryptography code of nodeJS.
The talk starts from a theoretical background towards a step-by-step guidance building your own low-tech fuzzing tool setup.
From a practical end, the necessary tool usage steps are shown via demos in a (Ubuntu 22) Linux context. The audience may benefit from this to jumpstart their own discoveries.
Presenters:
-
Marc Schoenefeld
Examples of his work can be found on the VoidStar Security research blog, Wrongbaud's blog, and the numerous articles and courses published at Hackaday
Links:
Similar Presentations: