PACSEC 2020 DOJO
Rust Security Audit and Fuzzing
Instructor: Patrick Ventuzelo
November 19 - 20, 8am - 12:30pm PST
Patrick Ventuzelo
Patrick Ventuzelo is a French Independent Security Researcher specialized in fuzzing, vulnerability research, reverse engineering and program analysis on WebAssembly, Rust and Golang targets.
Patrick is the author of Octopus, an open-source security analysis tool for WebAssembly and Blockchain smart contracts bytecode. He also develop WARF, an open-source fuzzing project to find bugs inside WebAssembly VMs/runtimes/parsers using multiple fuzzing techniques.
Previously, he worked for Quoscient GmbH, P1Security, the French Department Of Defense and Airbus D&S Cybersecurity.
Patrick is a regular speaker and trainer at various security conferences around the globe, including RingZer0, REcon Montreal/Brussels, ToorCon, hack.lu, NorthSec, SSTIC, FIRST, Microsoft DCC, BlackAlps, etc.
Course Schedule
November 19-20, 8am - 12:30pm PST
Course Abstract
Rust is a strongly typed and safe systems programming language developed by Mozilla. Recently, it has become the language of choice to build memory-safe programs while maintaining high performance at scale. Mostly, Rust is used for files format and protocols parsers but also on critical projects like in the new high-performance browser engine, Servo.
However, coding using memory-safe language doesnβt mean the code will be free of bugs. Different kinds of vulnerabilities like integer overflows, OOM, DoS, UaF, OOB, etc. can still be found and sometime exploited to achieve remote code execution (RCE).
This course will give you all the prerequisites to understand which kind of vulnerability can be found inside Rust code. You will learn how to find low hanging fruits bugs manually and automatically using Rust auditing tools. Finally, you will discover how to build custom Rust fuzzers, triage/debug crashes and improve your code coverage using different techniques.
This training offers participants multiple hands-on exercises allowing them to internalize concepts and techniques taught in class.
Course Pre-requisites
Familiarity with Linux.
Familiarity with Rust programming.
Course Learning Objectives
Discover how Rust security mechanism works.
Identify and reproduce vulnerabilities to learn how to detect them in the future.
Evaluate security of real-life crate packages using code review.
Detect unsafe memory issues using different sanitizing tools.
Learn the different steps in the fuzzing workflow and how to improve it.
Write fuzzing harnesses for real-world public libraries using coverage-guided fuzzers.
Generate custom inputs/corpora using structure-aware and grammar-based fuzzing
Implement differential fuzzing to find logic bugs.
Create different fuzzing hardnesses for popular file and text format parsers.
Who Should Attend
This class is meant for everyone that wants to understand deeper how Rust security works and how to find bugs in Rust code. This course is suitable for people that are new to Rust. All the theory and concepts about Rust security, vulnerability research and fuzzing will be explained during the course.
Course Agenda
Day 1: Basis of Rust Security Audit
Introduction to Rust and its Ecosystem
Security concepts, Ownership, Borrowing and Lifetime
Rust most common vulnerabilities
Error handling & Unwrapping, Panicking macros, Arithmetic errors
Index out of bound, Stack overflow, resource exhaustion (OOM)
Unsafe codes
Tooling and Sanitizers (ASAN, MSAN, etc.)
Out of bound access (OOB), Use-after-free (UAF), Double free, Memory leak, Data Races and Race Conditions
Rust advanced vulnerabilities
Logic bugs, FFI, Cryptographic issues, Uninitialized & Zeroing memory
Attack surface discovery & Auditing tools
Day 2: Finding Bugs using Fuzzing
Fuzzing workflow and Corpus selection
Coverage-guided Fuzzing in Rust
cargo-fuzz, afl-rs, honggfuzz-rs
Code coverage, Corpus minimization
Crashes Triaging and Debugging
Structure-aware & Grammar-based Fuzzing
Other Advanced Testing techniques
Differential Fuzzing
Writing Custom Rust Fuzzers.
Hardware Requirements
A working laptop capable of running virtual machines.
4GB RAM required, at a minimum. 40 GB free Hard disk space.
Software Requirements
VirtualBox
Administrator / root access required.
Included Course Materials
Course materials in PDFs
Virtual machine image
All required additional files: source code, documentation, installation binaries