
Training | Gear up for binary fuzzing and reverse engineering


SYNOPSIS

Fuzzing as a methodology has been an area of interest for generations of security researchers, and has proved to be a very effective way to find vulnerabilities. It is today broadly used in initiatives such as OSS-Fuzz or syzbot to help open-source projects detect bugs early. Things are more tedious when auditing closed-source binaries. They nevertheless represent very interesting targets: they are widely found in all major operating systems, and fewer eyes on the code often means more bugs. The good news is that by combining public research, existing projects and homemade tools, we can achieve smart and efficient fuzzing on them.

This training aims to provide students with the concepts, methods and tools needed to deal with real-life software. Through the use of LIEF, QBDI and Triton, we explain how one can achieve fast, smart and efficient fuzzing of closed-source targets.


TARGET AUDIENCE

  • Reverse engineers and vulnerability researchers who want the means to hunt bugs through fuzzing.


DURATION

  • 5 Days


PREREQUISITES

  • Basic reverse-engineering skills (x86_64)
  • Basic skills in Python and C/C++


OBJECTIVES

  • Give students the methodology, knowledge and means to fuzz real-life software efficiently.
  • Be able to face the challenges that fuzzing throws in your way (exotic targets, no source code, etc.).
  • Understand how to build and use your own tools when necessary.


MODULES

DAY 1 – Introduction to vulnerability research and fuzzing

  • Introduction to vulnerability research
    • Code review
    • Reverse engineering
    • Fuzzing
  • Introduction to fuzzing
    • How?
      • Requirements
      • Methodology
        • Target analysis
        • Attack surface
      • Setup
      • Corpus management
      • Monitoring
      • Crash triaging
    • What?
      • Common tools
      • Practical work: basic vulnerability discovery
      • Limits
        • Hard to reach / detect bugs
        • Inappropriate targets
      • Practical work: complex software, non-trivial bugs
        • Target adaptation
        • Memory sanitizers


DAY 2 – Instrumentation for advanced fuzzing

  • Static instrumentation
    • Work with binary formats
    • Practical work: patch/modify/instrument binaries with LIEF
  • Dynamic instrumentation
    • Introduction and concepts
      • Hot-patching
      • Hooking
      • Frida
    • DBI
      • Tools and techniques
      • QBDI
      • Practical work: execute functions with QBDI
    • A DBI for binary fuzzing?
      • Practical work: profiling the execution with QBDI


DAY 3 – Practical modern fuzzing with AFL/QBDI

  • Fuzzing closed-source binaries with AFL/QBDI
    • Merging AFL and QBDI
    • Practical work: finding vulnerabilities using AFL/QBDI
  • Be faster: optimizing binary fuzzing
    • Common fuzzing concepts
    • DBI optimizations
  • Be smarter: when fast is not enough…
    • Hard to reach bugs (magic bytes, …)
    • Practical work: smart(er) fuzzing with AFL/QBDI
    • Introduction to constraints solving


DAY 4 – Program analysis with advanced concepts

  • Introduction to SMT solvers for reverse engineering
    • Basic concepts and common tools
    • The SMTLib language
    • Practical work: using Z3 for reverse-engineering tasks
  • Introduction to symbolic execution
    • Static symbolic execution
    • Dynamic symbolic execution (also called concolic execution)
    • Common tools
  • Introduction to Triton
    • Introducing internal concepts
      • Concrete and symbolic reasoning
      • Taint analysis
      • Constraints solving
    • Introducing internal optimizations
      • Taint-based symbolic execution
      • Arithmetical and memory optimizations
      • Custom optimizations
    • Practical work: play with Triton and its Python API


DAY 5 – Program analysis in practice

  • Practical use of Triton
    • Practical work:
      • Using Triton from within IDA
      • Using Triton to detect opaque predicates
      • Using Triton to attack virtual-machine-based software protections
  • Developing advanced tools
    • Practical work:
      • Using Triton for path exploration
      • Using Triton combined with DBI tools