Training Details

Training Duration: 3 Days

This three-day training covers Windows and Linux vulnerability analysis and fuzzing, including analysis of various bug classes, fuzzing strategies, fuzzing on modern operating systems, and approaches to exploit development. The training focuses only on fuzzing and triaging crashes, which includes analyzing each vulnerability to identify those that could lead to code execution, in both open and closed source programs. It will help you explore the fun of fuzzing and is best suited for entry-level to intermediate attendees.

 

Day 1 – Understanding Vulnerability & Reverse Engineering

An introduction to vulnerabilities and the affected programming languages (C / C++), covering various bug classes. There will be a basic refresher on x86 reverse engineering, and we will look at different perspectives to quickly understand how to identify bugs without source code. An introduction to fuzzing will be covered as well, along with the well-known tools that exist. We will also cover assisting tools that help speed up the analysis.

 

Day 2 – Fuzzing Windows and Linux

We will perform fuzzing in both Windows and Linux environments to understand how fuzzing works on different platforms. We will focus on file format fuzzing most of the time, targeting real-world applications. Reverse engineering will be involved during the initial stage of fuzzing; this applies more to the Windows environment. On Linux, we will look at the source code to identify candidates to fuzz. This fun will take the whole day, just to find bugs. We will include triage and vulnerability analysis of the findings to determine their level of exploitability. Basically, more hands-on work and exercises.

 

Day 3 – Fuzzing Real World Applications

On Day 3, we look into more real-world applications (those that we can cover) to fuzz. We will triage vulnerabilities based on the fuzzing results and identify the exploitability of the program. There will be more reverse engineering and fuzzing. We are going to use CVEs that we have found in the past and that have been reported to vendors. More hands-on work and exercises. We will teach how to properly write a report and ethically disclose the vulnerability to vendors.

 

Goals:

Upon successful completion of this course of study, the student will:
  • Have found their own 0-day vulnerability and ethically disclosed it
  • Know how to identify software flaws discovered through fuzzing via binary and source code

 

Pre-requisites

  • Basic reverse engineering
  • Basic scripting / programming (e.g. Python, Perl, Bash, etc.)
  • Experience with Windows / Linux compilers
  • Software debugging

 

Requirements

  • VMware Player, Fusion or Workstation
  • 60GB of disk space
  • 8GB RAM (minimum of 4GB of RAM set for the VM)