PACSEC 2020 DOJO

Rust Security Audit and Fuzzing

Instructor: Patrick Ventuzelo
November 19 - 20, 8am - 12:30pm PST

patrick2500.jpg
 

Patrick Ventuzelo

Patrick Ventuzelo is a French Independent Security Researcher specialized in fuzzing, vulnerability research, reverse engineering and program analysis on WebAssembly, Rust and Golang targets.

Patrick is the author of Octopus, an open-source security analysis tool for WebAssembly and Blockchain smart contracts bytecode. He also develop WARF, an open-source fuzzing project to find bugs inside WebAssembly VMs/runtimes/parsers using multiple fuzzing techniques.

Previously, he worked for Quoscient GmbH, P1Security, the French Department Of Defense and Airbus D&S Cybersecurity.

Patrick is a regular speaker and trainer at various security conferences around the globe, including RingZer0, REcon Montreal/Brussels, ToorCon, hack.lu, NorthSec, SSTIC, FIRST, Microsoft DCC, BlackAlps, etc.

 

Course Schedule

November 19-20, 8am - 12:30pm PST


Course Abstract

Rust is a strongly typed and safe systems programming language developed by Mozilla. Recently, it has become the language of choice to build memory-safe programs while maintaining high performance at scale. Mostly, Rust is used for files format and protocols parsers but also on critical projects like in the new high-performance browser engine, Servo.

However, coding using memory-safe language doesn’t mean the code will be free of bugs. Different kinds of vulnerabilities like integer overflows, OOM, DoS, UaF, OOB, etc. can still be found and sometime exploited to achieve remote code execution (RCE).

This course will give you all the prerequisites to understand which kind of vulnerability can be found inside Rust code. You will learn how to find low hanging fruits bugs manually and automatically using Rust auditing tools. Finally, you will discover how to build custom Rust fuzzers, triage/debug crashes and improve your code coverage using different techniques.

This training offers participants multiple hands-on exercises allowing them to internalize concepts and techniques taught in class.

Course Pre-requisites

  • Familiarity with Linux.

  • Familiarity with Rust programming.

Course Learning Objectives

  • Discover how Rust security mechanism works.

  • Identify and reproduce vulnerabilities to learn how to detect them in the future.

  • Evaluate security of real-life crate packages using code review.

  • Detect unsafe memory issues using different sanitizing tools.

  • Learn the different steps in the fuzzing workflow and how to improve it.

  • Write fuzzing harnesses for real-world public libraries using coverage-guided fuzzers.

  • Generate custom inputs/corpora using structure-aware and grammar-based fuzzing

  • Implement differential fuzzing to find logic bugs.

  • Create different fuzzing hardnesses for popular file and text format parsers.

Who Should Attend

This class is meant for everyone that wants to understand deeper how Rust security works and how to find bugs in Rust code. This course is suitable for people that are new to Rust. All the theory and concepts about Rust security, vulnerability research and fuzzing will be explained during the course.

Course Agenda

Day 1: Basis of Rust Security Audit

  • Introduction to Rust and its Ecosystem

  • Security concepts, Ownership, Borrowing and Lifetime

  • Rust most common vulnerabilities

  • Error handling & Unwrapping, Panicking macros, Arithmetic errors

  • Index out of bound, Stack overflow, resource exhaustion (OOM)

  • Unsafe codes

  • Tooling and Sanitizers (ASAN, MSAN, etc.)

  • Out of bound access (OOB), Use-after-free (UAF), Double free, Memory leak, Data Races and Race Conditions

  • Rust advanced vulnerabilities

  • Logic bugs, FFI, Cryptographic issues, Uninitialized & Zeroing memory

  • Attack surface discovery & Auditing tools


Day 2: Finding Bugs using Fuzzing

  • Fuzzing workflow and Corpus selection

  • Coverage-guided Fuzzing in Rust

  • cargo-fuzz, afl-rs, honggfuzz-rs

  • Code coverage, Corpus minimization

  • Crashes Triaging and Debugging

  • Structure-aware & Grammar-based Fuzzing

  • Other Advanced Testing techniques

  • Differential Fuzzing

  • Writing Custom Rust Fuzzers.

Hardware Requirements

  • A working laptop capable of running virtual machines.

  • 4GB RAM required, at a minimum. 40 GB free Hard disk space.

Software Requirements

  • VirtualBox

  • Administrator / root access required.

Included Course Materials

  • Course materials in PDFs

  • Virtual machine image

  • All required additional files: source code, documentation, installation binaries


Previous
Previous

OSX/Windows Forensics: Acquisition and Timelining

Next
Next

WebAssembly Security Analysis and Fuzzing