Training

Get Fuzzing Training

We offer on-site and remote fuzz testing training for your developers, taught by our founder, David Moore.

"CEO of Fuzz Stati0n, David Moore, gave a great presentation about fuzzing."

- Cisco Umbrella Blog

==============================

Intro to Fuzz Testing with AFL - One Day Training

Fuzz testing is a highly effective means of finding security vulnerabilities, and a new, easy-to-use fuzzer called American Fuzzy Lop (AFL) has amassed an impressive trophy case and become very popular. In this training, David Moore describes the tools, tactics and techniques for fuzz testing with AFL and for analyzing the resulting crashes, with the goal of fixing the underlying vulnerabilities.

The first section of the training covers AFL and fuzzing basics, choosing a fuzz testing target, seed files and the other steps needed for a thorough fuzz run. The second section outlines a complete crash triage and root cause analysis workflow, including corpus and test case minimizers, debuggers and reverse debuggers, and automated memory analysis and crash triage tools such as Valgrind, the GDB "exploitable" plugin, and AddressSanitizer.

This training is suitable for anyone with some C / C++ programming experience and an interest in using fuzzers to find security vulnerabilities. Participants will learn how to effectively fuzz test applications and analyze, triage, and fix crashing cases.

Training Outline:

Introduction -- 10:00-12:00

Instructor Bio
Outline of training
What attendees will be able to do after the training
Introduction to AFL and how it works
[demo] Demo AFL
[exercise] Set up VMs on student machines and build AFL
[exercise] Build the instrumented target binary and run a simple fuzz test

[Break for lunch]

Pre-run Preparation -- 13:00-14:45

What to fuzz
Choosing a system to run a fuzz test
Choose where the AFL fork server should start (deferred initialization, after one-time setup)
Patch out checksums and similar input gates for better test coverage
Write a driver (harness) program if required
[demo] Setting the fork server entry point
[exercise] Do a fuzz run on the patched target binary with the fork server
Choosing seed files
[exercise] Do a fuzz run with a dictionary
Advanced AFL options
Handling problems and gotchas
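As an added example, not part of the training material, the following harness shows what the Pre-run Preparation steps above produce for a small record format constructed for this page: the deferred fork server entry placed after one-time setup, AFL persistent mode, and a checksum gate that is compiled out of fuzzing builds (the macro name FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION is the OSS-Fuzz convention). The format itself, MAGIC and MAX_PAYLOAD are assumptions made for illustration; the AFL macros fall back to no-ops so the file also builds with a plain compiler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* __AFL_INIT() and __AFL_LOOP() are macros injected by afl-clang-fast.
 * These fallbacks (an assumption for stand-alone builds) let the same file
 * compile with a plain cc, where the "loop" runs once over stdin. */
#ifndef __AFL_INIT
#define __AFL_INIT() do { } while (0)
#endif
#ifndef __AFL_LOOP
static int afl_loop_fallback(void)
{
    static int remaining = 1;
    return remaining-- > 0;
}
#define __AFL_LOOP(n) afl_loop_fallback()
#endif

/* Constructed record layout for this example: 4-byte magic, 1-byte payload
 * length, <length> payload bytes, 1-byte XOR checksum over the payload. */
#define MAGIC "FZ01"
#define MAX_PAYLOAD 64

struct record {
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
};

static uint8_t xor_checksum(const uint8_t *p, size_t n)
{
    uint8_t c = 0;
    for (size_t i = 0; i < n; i++) c ^= p[i];
    return c;
}

/* Parse one record. Returns 0 on success, a negative code on malformed input. */
int parse_record(const uint8_t *buf, size_t len, struct record *out)
{
    if (len < 6) return -1;                   /* magic + length + checksum */
    if (memcmp(buf, MAGIC, 4) != 0) return -2; /* put MAGIC in the seeds/dictionary */
    uint8_t plen = buf[4];
    if (plen > MAX_PAYLOAD) return -3;
    if (len != 6u + plen) return -4;
    /* A checksum is a wall for a coverage-guided fuzzer: a mutated payload
     * almost never arrives with a matching checksum, so nothing past this
     * line would get exercised. Fuzzing builds skip the check; production
     * builds keep it. */
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
    if (xor_checksum(buf + 5, plen) != buf[5 + plen]) return -5;
#endif
    out->len = plen;
    memcpy(out->payload, buf + 5, plen);
    return 0;
}

/* Build a well-formed record into dst (used to create seed files).
 * Returns the number of bytes written, or 0 if it does not fit. */
size_t build_record(const uint8_t *payload, uint8_t plen, uint8_t *dst, size_t cap)
{
    if (plen > MAX_PAYLOAD || cap < 6u + plen) return 0;
    memcpy(dst, MAGIC, 4);
    dst[4] = plen;
    memcpy(dst + 5, payload, plen);
    dst[5 + plen] = xor_checksum(payload, plen);
    return 6u + plen;
}

int main(void)
{
    /* Expensive one-time setup (config parsing, table initialization) goes
     * here. __AFL_INIT() starts the fork server after it, so every fuzzed
     * execution is cloned from this already-initialized state. */
    __AFL_INIT();

    static uint8_t buf[4096];
    /* Persistent mode: reuse the process for up to 1000 inputs before AFL
     * restarts it, which avoids the fork/exec cost per test case. */
    while (__AFL_LOOP(1000)) {
        ssize_t n = read(STDIN_FILENO, buf, sizeof buf);
        if (n < 0) break;
        struct record rec;
        int rc = parse_record(buf, (size_t)n, &rec);
        fprintf(stderr, "parse_record -> %d\n", rc);
    }
    return 0;
}
```

Build the fuzzing variant with `afl-clang-fast -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION harness.c -o harness`, write one or two build_record outputs into a seeds directory, put the magic string in a dictionary file, and start with `afl-fuzz -i seeds -o findings -x magic.dict -- ./harness`. The production build (without the define) still rejects bad checksums, so the gate is only bypassed in the instrumented binary.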

During the Fuzz Run -- 14:45-15:00

Monitoring the fuzz run
When to stop the fuzz run

Post Fuzz Run -- 15:00-16:30

Discuss memory corruption bugs, exploitability, mitigations
Minimize corpus and individual cases
Run memory corruption diagnostic tools
[demo] Minimizers and Memory corruption diagnostic tools
[exercise] Run minimizers and diagnostic tools on crashes
Running debugger tooling: gdb-peda, rr (reverse debugging)
Determine exploitability/Find root cause of bug
[demo] Debugger plugins
[exercise] Run debugger plugins on crashes
Run AddressSanitizer on the full corpus
Fix the crashes and re-fuzz
Run afl-cov to get a code coverage report
Run gnuplot to generate charts
[demo] afl-cov, gnuplot
[exercise] Run afl-cov, gnuplot
Problems and gotchas (crash cannot be reproduced, etc.)

Real World Examples (Time permitting) -- 16:30-16:45

Summary and References -- 16:45-17:00

Prerequisites: Some experience developing in C / C++ on Linux, basic familiarity with the gdb debugger. This is an intermediate level training.

Equipment needed: all students must bring a laptop running Linux, either natively or in a VM.