
Master Praktikum - Hacking Greybox Fuzzers to Spot Software Vulnerabilities (IN2106, IN4232)

Course 0000004553 in SS 2018

General Data

Course Type: practical training
Semester Weekly Hours: 6 SWS
Organisational Unit: Informatics 4 - Chair of Software & Systems Engineering (Prof. Pretschner)
Lecturers: Responsible/Coordination: Alexander Pretschner
Dates: Wed, 14:00–15:30, MI 01.11.018, and 2 singular or moved dates

Assignment to Modules

Further Information

Courses, together with exams, are the building blocks of modules. Please keep in mind that information on the contents, learning outcomes and, especially, examination conditions is given at the module level only – see section "Assignment to Modules" above.

Additional remarks: As today’s software grows rapidly in size, so does the possibility of vulnerabilities in it, security-related or otherwise. Fortunately for security professionals, the automated vulnerability management tools at our disposal have also seen significant progress in the past few decades. However, there is still a long way to go for these tools to catch up with the growing complexity of multi-component software and the tactful crackers in the wild. As of now, we mainly consider two vulnerability discovery techniques: whitebox fuzzing [1] and blackbox fuzzing [2]. Whitebox fuzzing (or symbolic execution) is a powerful way to analyze programs by executing them with “symbolic” values instead of concrete values and exploring as many paths as possible. It is also useful for generating inputs (exploits) that lead to potential vulnerabilities in a program [3]. Blackbox fuzzing is a smart variation of random testing that takes a few manually provided inputs and mutates them to trigger previously unseen behaviour in the program. However, whitebox fuzzing suffers from path explosion and constraint-solving issues, while blackbox fuzzing is infamous for low coverage because it cannot get past “hard” conditional statements in programs. In this practical course, we will aim to hack popular whitebox and blackbox fuzzers [4, 5, 6] so that we can overcome their individual flaws and spot more vulnerabilities than before. Using our open-source tools (some of them developed in-house) and systematic instructions, our participant teams will compete to find as many vulnerabilities as possible in as many vulnerable open-source programs as possible.