We offer on-site and remote fuzz testing training for your developers taught by our founder, David Moore. Please watch a little of this video to check out his presentation style:
"CEO of Fuzz Stati0n, David Moore, gave a great presentation about fuzzing."
- Cisco Umbrella Blog
Fuzz testing is a highly effective means of finding security vulnerabilities. American Fuzzy Lop (AFL), a new, easy-to-use and highly effective fuzzer, has amassed an impressive trophy case and become very popular. In this training, David Moore will describe tools, tactics and techniques for fuzz testing with AFL and for analyzing the resulting crashes, with the goal of fixing the vulnerabilities.
The first section of the training will cover AFL and fuzzing basics, choosing a fuzz testing target, seed files and other important steps to a thorough fuzz run. Then a complete crash triage and root cause analysis workflow will be outlined, including the use of corpus and test case minimizers, debuggers and reverse debuggers, and automated memory analysis and crash triage tools such as Valgrind, Exploitable, and AddressSanitizer.
This training is suitable for anyone with some C / C++ programming experience and an interest in using fuzzers to find security vulnerabilities. Participants will learn how to effectively fuzz test applications and analyze, triage, and fix crashing cases.
Introduction -- 10:00-12:00
Instructor Bio
[Break for lunch]
Pre-run Preparation -- 13:00-14:45
What to fuzz
During the Fuzz Run -- 14:45-15:00
Monitoring the fuzz run
Post Fuzz Run -- 15:00-16:30
Discuss memory corruption bugs, exploitability, mitigations
Real World Examples (Time permitting) -- 16:30-16:45
Summary and References -- 16:45-17:00
Prerequisites: Some experience developing in C / C++ on Linux and basic familiarity with the gdb debugger. This is an intermediate-level training.
Equipment needed: All students will supply a laptop running Linux or with Linux running in a VM.