Fuzzing for C++ Developers is a one-day training course with programming examples taught by David Brumley and Thanassis Avgerinos. It is offered onsite at the Gaylord Rockies from 09:00 to 17:00 on Saturday, October 30th, 2021 (immediately following the conference). Lunch is included.
Ever wanted to automate writing security and functional tests? Fuzzing can help! Fuzzing helps you find crashes, hangs, and security errors. It can also grow your functional test coverage automatically. Indeed, the 2021 CPP developer survey reports 37% of developers are now using fuzzing.
In this class, we’ll provide you with hands-on instruction and labs for getting started with fuzzing. Briefly, the course will cover:
- An overview of basic types of program analysis, and where fuzzing fits in.
- Open source fuzzing using AFL and libfuzzer.
- A pragmatic approach to writing fuzz test harnesses.
- How to automate fuzzing within your pipeline.
- On-site labs where you get to reproduce famous bugs and vulnerabilities (previously responsibly disclosed and fixed), including Heartbleed and the DNS bug in Tesla cars.
Attendees must be able to write C/C++. Advanced programming is not required. Attendees must have their own computer, be able to run Docker (labs will be dockerized), and be able to use the Linux CLI.
- Overview of the big four in program analysis: static analysis, SCA, DAST/IAST, and fuzzing. This provides a conceptual framework for understanding where fuzzing fits in.
- Introduction to AFL and libfuzzer.
- First lab using AFL and libfuzzer.
- Second lab: reproducing Heartbleed (quick and fun!).
- Introduction to harnessing apps.
- Third lab: harnessing tinyxml2 to find flaws.
- Automating fuzzing within your pipeline.
- Fourth lab: harnessing the Tesla hack.