TR17 Training: Fuzzing with American Fuzzy Lop, Address Sanitizer and LibFuzzer

This is a guest blog written by Hanno Böck, who will be running the training Fuzzing with American Fuzzy Lop, Address Sanitizer and LibFuzzer at TROOPERS17.

Fuzzing is a very old technique to find bugs and vulnerabilities in software. However, it has seen a new push in recent years due to vastly improved tools. The compilers gcc and clang have received Sanitizer tools that allow finding a lot of bugs, like use-after-free errors and out-of-bounds reads, that are otherwise very hard to find.

In this training you will learn how to make use of these tools in order to create software that is more secure and has fewer bugs. We will first learn how to test simple command line applications with the tool American Fuzzy Lop, or AFL. This fuzzer introduced the idea of coverage-based fuzzing, a technique that is much more effective than traditional fuzzing techniques. Further on we will cover the use of Address Sanitizer and LibFuzzer.

Attendees should bring their own laptop, which either runs a modern Linux distribution or is capable of running Linux in a virtual machine (a VM image can be provided). A brief understanding of compiling applications in Linux (tar, ./configure; make) and some very basic C knowledge are expected.

Further reading: Fuzzing with american fuzzy lop (article on Linux Weekly News); Tutorials from the Fuzzing Project

Don’t forget you can still register for TROOPERS17 with our Early Bird rate, which expires December 31, 2016.

Have a great day!