Successfully Fuzzing High Value Targets with Low tech Strategies

While AFL, libFuzzer and their derivatives are mighty tools for discovering bugs, they are also complex, and that complexity demands a learning curve before they can be used successfully. Memory limits or other restrictions may also rule out their use in some scenarios.

In our talk we present our approach of applying low-tech fuzzing to bug finding in high-profile software products. For example, a well-chosen corpus computed ahead of time can be as powerful as collecting coverage data while fuzzing. Threshold information, such as meta-data tipping points, can likewise allow a bug hunting campaign to be fine-tuned. The applied techniques are thus supplemental: replacing one with the other still finds bugs, while keeping the harness setup simple.
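As an added illustration of the two ideas in this paragraph (a corpus computed ahead of time around meta-data tipping points, and a deliberately simple mutation loop instead of coverage feedback), here is a small harness in Python. It is not code from the talk or its authors; the target parser, its bug, the tipping-point list and the record format are all constructed for the example and stand in for a real library under test.

```python
"""Low-tech fuzzing sketch: precomputed corpus, cheap mutations, crash bucketing."""
import random
import struct
import traceback
from typing import Callable, Dict, List, Optional

# Constructed toy target (stands in for the real parser under test).
# Record format, assumed for the demo: 2-byte big-endian length, payload, 1-byte XOR checksum.
def parse_record(data: bytes) -> Optional[int]:
    if len(data) < 3:
        return None                       # too short for header + checksum
    n = struct.unpack(">H", data[:2])[0]
    payload = data[2:2 + n]               # slicing silently clips; no error here
    # Constructed bug: the declared length is trusted when locating the checksum,
    # so a length field larger than the real payload indexes past the buffer.
    check = data[2 + n]                   # IndexError when n > len(data) - 3
    if xor_checksum(payload) != check:
        return None
    return n

def xor_checksum(payload: bytes) -> int:
    x = 0
    for b in payload:
        x ^= b
    return x

# Meta-data tipping points for a 16-bit length field: sign, byte and width boundaries.
TIPPING_POINTS = [0, 1, 127, 128, 255, 256, 0x7FFF, 0x8000, 0xFFFE, 0xFFFF]
INTERESTING_BYTES = [0x00, 0x01, 0x7F, 0x80, 0xFF]

def build_corpus(max_real_payload: int = 300) -> List[bytes]:
    """Precompute one well-formed-looking record per tipping point of the length field.
    Payloads are capped, so large declared lengths disagree with the real payload size."""
    corpus = []
    for n in TIPPING_POINTS:
        payload = bytes(i & 0xFF for i in range(min(n, max_real_payload)))
        corpus.append(struct.pack(">H", n) + payload + bytes([xor_checksum(payload)]))
    return corpus

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Four cheap mutators; no coverage feedback is consulted."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:               # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:             # overwrite a byte with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING_BYTES)
    elif choice == 2 and len(buf) > 1:    # truncate the tail
        del buf[rng.randrange(1, len(buf)):]
    else:                                 # append a few random bytes
        buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(buf)

def run_target(target: Callable[[bytes], object], data: bytes) -> Optional[str]:
    """Return a crash bucket key (exception type + innermost frame) or None on success."""
    try:
        target(data)
        return None
    except Exception as exc:              # any uncaught exception counts as a crash
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        return f"{type(exc).__name__}@{frame.name}:{frame.lineno}"

def corpus_only_crashes(target: Callable[[bytes], object], corpus: List[bytes]) -> List[bytes]:
    """Stage 1: run the precomputed corpus as-is, before any mutation."""
    return [data for data in corpus if run_target(target, data) is not None]

def fuzz(target: Callable[[bytes], object], corpus: List[bytes],
         iterations: int = 2000, seed: int = 0) -> Dict[str, bytes]:
    """Stages 1 and 2; returns one representative input per distinct crash bucket."""
    rng = random.Random(seed)
    crashes: Dict[str, bytes] = {}
    for data in corpus:
        key = run_target(target, data)
        if key and key not in crashes:
            crashes[key] = data
    for _ in range(iterations):
        data = mutate(rng.choice(corpus), rng)
        key = run_target(target, data)
        if key and key not in crashes:
            crashes[key] = data
    return crashes

if __name__ == "__main__":
    corpus = build_corpus()
    print(f"{len(corpus_only_crashes(parse_record, corpus))} of {len(corpus)} seeds crash before mutation")
    for key, data in fuzz(parse_record, corpus).items():
        print(key, data[:8].hex(), "len", len(data))
```

The point of the two stages is that stage 1 already triggers the constructed bug: the seeds whose declared length sits at the upper tipping points disagree with the capped payload, and no coverage instrumentation was needed to get there. Stage 2 then adds cheap mutations on top, bucketing crashes by exception type and frame so that repeated hits of the same defect are not counted twice.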

To back up this claim we present the workflow steps that led to several of our findings, most prominently CVEs in OpenSSL and in the cryptography code of Node.js.

The talk starts from the theoretical background and proceeds to step-by-step guidance on building your own low-tech fuzzing tool setup.

On the practical side, the necessary tool usage steps are shown via demos in a Linux (Ubuntu 22) context. The audience may use this to jumpstart their own discoveries.

About the Presenter: Marc Schönefeld

  • 22-year record of finding CVE-classified bugs; also wrote a book about "Java Security"

  • Speaker and trainer at numerous conferences since Blackhat 2002

  • Wrote undx, one of the first proof-of-concepts for a Dalvik decompilation infrastructure

  • In a past life worked on omg.org “CORBA success story” in banking.

  • Mentioned in many halls of fame and advisories 
