The goal of this two-day course is to give software testers the skills and the tools they need to ensure that their end products are free of major vulnerabilities. The first day will introduce the concepts of black-box and white-box fuzzing to uncover software defects. Attendees will have the opportunity to work with two CERT-developed fuzzers, BFF and FOE, and apply these tools to compiled code in order to discover and prioritize potentially exploitable bugs. The second day of the course will present basic concepts of exploit writing, specifically stack-based overflows, structured exception handling, and Return-Oriented Programming (ROP). Attendees will then be presented with common defense mechanisms such as DEP and ASLR. Upon completion of this course, attendees will be able to execute their own fuzzing campaigns against target applications, and prioritize the risk of discovered defects to developers by demonstrating the exploitability of their findings.
Fuzzing Frameworks, with emphasis on black-box fuzz testing
The learning objectives are the following:
Basic programming experience in Java, C/C++, Perl or Python.
Attendees will need to bring their own laptops and should have VMware Workstation or another VM player installed.
Students will receive a workbook and DVD with course slides and exercises.
This two-day course meets at the following times:
Days 1-2, 9:00 a.m.-4:30 p.m.