- About Goa'14
- Schedule
- Venue
- Speakers
- Training
- CFP
- Recreation
- Blackshield Awards
- CTF
- AMMO
- Sponsors
- Exhibition
- Job Fair
- Goa'14
- Training
- Xtreme Fuzzing
Trainer Name: Michael Eddington
Title: Xtreme Fuzzing
Duration: 1 Day
Date: 13th February 2014
Abstract
Fuzzing is the technique of finding flaws and vulnerabilities in solutions through the mutation of data. This technique is a preferred way of both defenders and attackers to discover vulnerabilities in a system. The Peach Fuzzing Framework is the most widely used fuzzing system. Researchers, corporations, and governments use Peach to find vulnerabilities in systems. Peach was designed to fuzz any type of data consumer from servers to embedded systems. Peach is a cross platform system running on Windows, Linux, and OS X. This class will focus on the latest release of Peach 3.
You will learn to create both dumb and smart fuzzers and apply these concepts and tools to their unique environment. The course is designed to be student-centric and practically applicable. The Peach Fuzzing Framework is introduced from a practitioner's perspective. You will learn how to use Peach to fuzz a variety of targets including network clients & servers, file consumers, and API interfaces such as COM. Upon completion of the course you will be able to:
- Understand the core concepts of fuzzing
- Use Peach to create dumb fuzzers
- Use Peach to create smart fuzzers
- Target Peach to fuzz a variety of different data consumers
Course Content
Day 1
Introduction
How fuzzers work
- Dumb fuzzing
- Smart fuzzing
- Memory debuggers
Bugs found
Use cases
Introduction to Peach
- Peach Fuzz Bang
Peach Components
Peach Pit Files
- General
- Data Modeling
- Analyzersg
- State Modeling
- Data Sets
- Publishers
- Test Definitions
Mutations and Mutation Strategies
Advanced Peach Pits
- Fixups
- Transformers
Peach Validator
Peach Agents and Monitors
Q&A
Requirements
- Ability to read/write basic XML
- Basic usage of Wireshark
- Reading specifications written in English (RFCs, etc.)
- Coding experience a plus but not required
What Students Should Bring
Students must provide a modern laptop (dual core minimum) with a minimum of 2GB RAM and 30GB free disk with vmware player (or similar) pre-installed.
Instructor Bio
Michael Eddington is the Chief Technical Officer at Déjà vu Security LLC and its Principal Consultant. He has over ten years of experience in providing security services to Fortune 500 companies in the US. Michael is a recognized thought leader in the fields of application security, network security, threat modeling, and fuzz testing. He routinely speaks and provides training at the top security conferences including Blackhat, CanSecWest and RSA. Michael is a passionate leader in the open-source security development community, contributing to projects including Trike (Threat Modeling), Outlook Privacy plug-in, and Peach Fuzz. Michael is the creator of the widely used Peach Fuzzing framework which is used by many top technology companies to find complex security vulnerabilities. His current research efforts are pushing security vulnerability testing and fuzzing to the next level with innovative tools and techniques.