Skip to content
main
Switch branches/tags
Code

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time

Fuzzing-101

Do you want to learn how to fuzz like a real expert, but don't know how to start?

If so, this is the course for you!

10 real targets, 10 exercises. Are you able to solve all 10?

Structure

Exercise No. Target CVEs to find Time estimated Main topics
Exercise 1 Xpdf CVE-2019-13288 120 mins Afl-clang-fast, Afl-fuzz, GDB
Exercise 2 libexif CVE-2009-3895, CVE-2012-2836 6 hours Afl-clang-lto, Fuzz libraries, Eclipse IDE
Exercise 3 TCPdump CVE-2017-13028 4 hours ASan
Exercise 4 LibTIFF CVE-2016-9297 3 hours Code coverage, LCOV
Exercise 5 Libxml2 CVE-2017-9048 3 hours Dictionaries, Basic parallelization, Fuzzing command-line arguments
Exercise 6 GIMP CVE-2016-4994, Bonus bugs 7 hours Persistent fuzzing
Exercise 7 VLC media player CVE-2019-14776 6 hours Partial instrumentation, Fuzzing harness
Exercise 8 Adobe Reader 8 hours Fuzzing closed-source applications, QEMU instrumentation
Exercise 9 7-Zip CVE-2016-2334 8 hours WinAFL, Fuzzing Windows Applications
Exercise 10 will be released soon

Changelog

  • 11/25/2021: Exercise 3 updated with some fixes.

Who is the course intended for?

  • Anyone wishing to learn fuzzing basics
  • Anyone who wants to learn how to find vulnerabilities in real software projects.

Requirements

  • All you need for this course is a running Linux system with an internet connection. You will find a suitable VMware image in the exercises.
  • At least basic Linux skills are highly recommended.
  • All the exercises have been tested on Ubuntu 20.04.2 LTS. You can download it from here
  • In this course we're going to use AFL++, a newer and superior fork of Michał "lcamtuf" Zalewski's AFL, for solving the fuzzing exercises.

What is fuzzing?

Fuzz testing (or fuzzing) is an automated software testing technique that is based on feeding the program with random/mutated input values and monitoring it for exceptions/crashes.

AFL, libFuzzer and HonggFuzz are three of the most successful fuzzers when it comes to real world applications. All three are examples of Coverage-guided evolutionary fuzzers.

Coverage-guided evolutionary fuzzer

  • Evolutionary: is a metaheuristic approach inspired by evolutionary algorithms, which basically consists in the evolution and mutation of the initial subset (seeds) over time, by using a selection criteria (ex. coverage).

  • Coverage-guided: To increase the chance of finding new crashes, coverage-guided fuzzers gather and compare code coverage data between different inputs (usually through instrumentation) and pick those inputs which lead to new execution paths.

Simplification of the coverage gathering process of a coverage-guided evolutionary fuzzer

Thanks

Thanks for their help:

Contact

Are you stuck and looking for help? Do you have suggestions for making this course better or just positive feedback so that we can create more fuzzing content? Do you want to share your fuzzing experience with the community? Join the GitHub Security Lab Slack and head to the #fuzzing channel. Request an invite to the GitHub Security Lab Slack

About

A GitHub Security Lab initiative https://securitylab.github.com/

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published