TyphoonCon

“Discuss the underlying causes and potential impacts of these vulnerabilities, as well as how to identify and address them through fuzzing”

About the trainer:

Hardik Shah (@hardik05) is an experienced cyber security professional with 17+ years of experience in the computer security industry. He currently works as a Principal Security Researcher at Vehere, where he is responsible for analyzing the latest threats, detecting them, and improving products. In the past he has worked with various security companies such as Sophos, McAfee and Symantec, where he built research teams from the ground up, handled various critical cyber threats to protect customers, implemented various product features, and mentored many people.

Hardik is also known for his skills in fuzzing and in vulnerability discovery and analysis. He has discovered 35+ vulnerabilities in Microsoft and various open source software. He has conducted workshops at various industry-leading cyber security conferences such as Defcon, BSides, RSA dark arts, and many others. Hardik enjoys analysing the latest threats and figuring out ways to protect customers from them.

Training overview:

A three-day training on fuzzing, a powerful technique for identifying vulnerabilities in software. This hands-on training will cover the theory and practical aspects of fuzzing, including coverage-guided fuzzing, basic blocks and binary instrumentation, corpus collection and minimization, target selection, crash triage and root cause analysis, and real-life CVE analysis. Attendees will have the opportunity to practice fuzzing on open source software and apply the concepts and techniques learned in the training. This training is suitable for attendees with a basic understanding of software development and testing.

In this training, attendees will learn about the different types of vulnerabilities that can be found through fuzzing, including buffer overflows, heap overflows, integer overflows, use-after-free errors, and out-of-bounds read/write errors. We will discuss the underlying causes and potential impacts of these vulnerabilities, as well as how to identify and address them through fuzzing.

In addition to coverage-guided fuzzing, we will also introduce other types of fuzzer, such as dumb fuzzers and mutation fuzzers, and discuss their benefits and limitations. Attendees will also learn how to use tools such as GDB and Crashwalk to debug and analyze crashes, and to perform root cause analysis to identify the underlying cause of vulnerabilities.

Training agenda:

Day 1:

• Introduction
• Different types of vulnerabilities
  • Buffer overflow
  • Heap overflow
  • Integer overflow
  • Use after free
  • Out-of-bounds read/write
• Hands on: Manually identifying the vulnerabilities in sample C code.
• What is fuzzing?
• Fuzzing process
• Different types of fuzzer
  • Dumb fuzzer
  • Mutation fuzzer
  • Coverage-guided fuzzer
• Basic blocks and code coverage
• Binary instrumentation
• Corpus collection
• Corpus minimization
• What is AFL and AFL++?
• How does it work?
• Fork server vs. persistent mode
• How to write a harness for persistent mode
• Fuzzing strategies
• Different sanitizers
  • ASAN
  • UBSAN
  • MSAN
• Using AFL
  • How to compile and install AFL++
  • How to compile a simple C program with AFL++
  • Various compilation options for AFL++
  • Fuzzing a simple C program using AFL++
• Fuzzing real-world programs
  • Fuzzing TCPDump
  • Fuzzing libtiff

Day 2:

• Advanced topics with AFL++
• Using Honggfuzz
• Using LibFuzzer
• Hands-on fuzzing exercises
  • Fuzzing ImageMagick
  • Fuzzing libEMF
  • Fuzzing libGD
  • Fuzzing OpenSSL

Day 3:

• Root cause analysis and debugging using GDB
• Crash triaging using Crashwalk
• OSS-Fuzz introduction
• Firmware Fuzzing
• Q & A
• Conclusion

Student requirements:

  • Basic knowledge of C/C++ or any other programming language
  • Basic knowledge of debugging
  • Students should bring a laptop with at least 16 GB of RAM and an 80 GB hard disk, with VirtualBox, VMware, or Hyper-V installed.
  • The trainer will be sharing a preconfigured Linux VM which will contain all the needed tools and software for training.