Finding Security Vulnerabilities through Fuzzing
Hardik Shah
Prerequisites for students?:
Basic knowledge of C and C++, and basic knowledge of Linux and Windows.
Materials or Equipment students will need to bring to participate?:
A laptop with at least 16GB RAM and a minimum 4-core processor, VirtualBox or VMware with Windows and Kali Linux VMs, and WinDbg and Visual Studio installed.
I will be sharing a prerequisite document so that attendees can prepare their VMs in advance.
What level of skill is required for your targeted audience (Beginner/Intermediate/Advanced)?:
Beginner.
Abstract
Many people are interested in finding vulnerabilities but don't know where to start. This workshop is aimed at providing details on how to use fuzzing to find software vulnerabilities. We will discuss what fuzzing is, the different types of fuzzers, and how to use them.
This training will start with a basic introduction to the different types of vulnerabilities that are very common in software. Later in the training, we will start by fuzzing a simple C program that contains these vulnerabilities. After that, we will see how to fuzz real-world open source software using fuzzers like AFL, WinAFL, libFuzzer and honggfuzz.
This talk will also provide details on how AFL/WinAFL work, the different mutation strategies they use, the basics of compile-time instrumentation, how to collect a corpus for fuzzing and how to minimize it, crash triage, and finding the root cause.
Key takeaways from this workshop will be:
- Understanding of common types of security vulnerabilities like buffer overflow, heap overflow, use after free, double free, out-of-bounds read/write, memory leaks, etc.
- Understanding of how to use various fuzzers like AFL, libFuzzer, honggfuzz, WinAFL, etc.
- How to fuzz various open source and closed source software on Linux and Windows.
- How to do basic debugging to find the root cause of vulnerabilities on Linux and Windows.
- How to write secure software by having an understanding of common types of vulnerabilities.
Trainer Bio(s)
Hardik Shah is an experienced security researcher and technology evangelist. He is currently working with McAfee as a vulnerability researcher. Hardik has found many vulnerabilities in Windows and other open source software. He currently has around 30+ CVEs to his name. He was also an MSRC Most Valuable Researcher for the year 2019 and a top contributing researcher for MSRC Q1 2020. Hardik enjoys analysing the latest threats and figuring out ways to protect customers from them.
You can follow him on Twitter @hardik05 and read some of his blogs here: https://www.mcafee.com/blogs/author/hardik-shah