Master Praktikum - Hacking Greybox Fuzzers to Spot Software Vulnerabilities (IN2106, IN4232)
Course 0000004553 in SS 2018
General Data
Course Type | practical training |
---|---|
Semester Weekly Hours | 6 SWS |
Organisational Unit | Informatics 4 - Chair of Software & Systems Engineering (Prof. Pretschner) |
Lecturers | Responsible/Coordination: Alexander Pretschner |
Dates | Wed, 14:00–15:30, MI 01.11.018 and 2 singular or moved dates |
Assignment to Modules
- IN2106: Master-Praktikum / Advanced Practical Course
  This module is included in the following catalogs: Further Modules from Other Disciplines
Further Information
Courses, together with exams, are the building blocks of modules. Please keep in mind that information on the contents, learning outcomes and, especially, examination conditions is given on the module level only; see section "Assignment to Modules" above.
additional remarks | As today’s software grows rapidly in size, so does the possibility of vulnerabilities in it, security or otherwise. Fortunately for security professionals, the automated vulnerability management tools at our disposal have also seen significant progress in the past few decades. However, there is still a long way to go for these tools to catch up with the growing complexity of multi-component software and the tactful crackers in the wild. As of now, we mainly consider two vulnerability discovery techniques: whitebox fuzzing [1] and blackbox fuzzing [2]. Whitebox fuzzing (or symbolic execution) is a powerful way to analyze programs by executing them with “symbolic” values instead of concrete values and exploring as many paths as possible. It is also useful for generating inputs (exploits) that lead to potential vulnerabilities in a program [3]. Blackbox fuzzing is a smart variation of random testing that takes a few manually provided inputs and mutates them to trigger previously unseen behaviour in the program. However, whitebox fuzzing suffers from path explosion and constraint-solving issues, while blackbox fuzzing is infamous for low coverage because it cannot pass “hard” conditional statements in programs. In this practical course, we will aim to hack popular whitebox and blackbox fuzzers [4, 5, 6] so that we may overcome their individual flaws and spot more vulnerabilities than before. Using our open-source tools (some of them in-house) and systematic instructions, our participant teams will compete to find as many vulnerabilities as possible in as many vulnerable open-source programs as possible. |
---|---|