Fuzz Smarter, Not Harder - An AFL-Fuzz Primer

Offered By: Security BSides San Francisco via YouTube

Course Description

Overview

Explore the world of fuzz testing with this comprehensive conference talk from BSidesSF 2016. Dive into the powerful American Fuzzy Lop (afl-fuzz) tool, learning how it overcomes traditional fuzzing challenges through code instrumentation and an optimized forking process. Follow a step-by-step guide on using afl-fuzz alongside tools like AddressSanitizer (ASan) and !exploitable to identify and classify exploitable software bugs. Gain practical knowledge on building and fuzzing AFL-instrumented Ubuntu packages, enabling you to discover potential zero-day vulnerabilities in widely deployed software. Topics covered include mutation strategies, AFL's key benefits, basic blocks, instrumentation techniques, parallel and distributed fuzzing, LLVM mode, dictionary-based fuzzing, and crash impact assessment. Learn valuable triage methods, explore real-world examples like Heartbleed and a browser ASLR bypass, and equip yourself with essential resources to enhance your bug-hunting skills.

Syllabus

Intro
Presentation Agenda
Automated Fuzzing Categories
Mutation Strategies
AFL's Key Benefits
Background: What Are Basic Blocks?
AFL Fuzzing Map (gzip)
Build It
Instrument Something
The Status Screen
Important Status Indicators
Output Directories
Basic Blockers And Caveats
Parallel Fuzzing
Distributed Fuzzing
LLVM Mode
afl-clang-fast Persistent Mode
Benefits of Bonus Modes
Shrinking The Haystack
Selecting The Best Inputs
Dictionary Based Fuzzing
Removing Checksums
Chaining AFL
Assessing Crash Impact
What Triggered The Crash?
The Peruvian Rabbit Thing
Sanitizers
Address Sanitizer Example Output
Using GDB
My Triage Method
BASH Variables
Heartbleed
Browser ASLR Bypass
Resources & Question Time

Taught by

Security BSides San Francisco