Home

Awesome

Fuzzing with AFL workshop

Materials of the "Fuzzing with AFL" workshop by Michael Macnair (@michael_macnair).

This workshop introduces fuzzing and how to make the most of using American Fuzzy Lop, a popular and powerful fuzzer, through a series of challenges where you rediscover real vulnerabilities in popular open source projects.

The first public version of this workshop was presented at SteelCon 2017 and it was revised for each of BSides London 2019, BSides Bristol 2019, and GrayHat 2020 (most notable change in this revision was a switch to afl++).

Presentation

Via Google slides and as a PDF. There is extra information in the speaker notes.

GrayHat published a recording of a remote version of the workshop on YouTube - this was created for a real-time workshop audience, but you can follow along at your own pace as long as you don't mind skipping a few pauses and ignoring references to Discord.

The presentation suggests when to attempt the different challenges in this repository, and the video provides a walk-through of quickstart and harness.

Pre-requisites

Contents

See the other READMEs for more information.

Challenges

Challenges, roughly in recommended order, with any specific aspects they cover:

The challenges have HINTS.md and ANSWERS.md files - these contain useful information about fuzzing different targets even if you're not going to attempt the challenge.

Most of the challenges also have an ANSWERS-libFuzzer.md file, for if you want to try out using LLVM's libFuzzer. These are brief descriptions of the differences for libFuzzer, and should be read alongside the afl docs (.md files).

All of the challenges use real vulnerabilities from open source projects (the CVEs are identified in the descriptions), with the exception of the Cyber Grand Challenge extract, which is a synthetic vulnerability.

The chosen bugs are all fairly well isolated, and (except where noted) are very amenable to fuzzing. This means that you should be able to discover the bugs with a relatively small amount of compute time - these won't take core-days, most of them will take core-minutes. That said, fuzz testing is by definition a random process, so there's no guarantee how long it will take to find a particular bug, just a probability distribution.

Links