FULL TRAINING: Rust Security Audit and Fuzzing (bundle) by Patrick Ventuzelo

FULL TRAINING: Rust Security Audit and Fuzzing (bundle)

Discover which kind of security vulnerabilities/bugs can be found inside Rust code, how to detect them statically and automatically using fuzzing techniques.

Course outline

Rust is a strongly typed and safe systems programming language developed by Mozilla. Recently, it has become the language of choice to build memory-safe programs while maintaining high performance at scale. Mostly, Rust is used for files format and protocols parsers but also on critical projects like in the new high-performance browser engine, Servo.

However, coding using memory-safe language doesn’t mean the code will be free of bugs. Different kinds of vulnerabilities like integer overflows, OOM, DoS, UaF, OOB, etc. can still be found and sometime exploited to achieve remote code execution (RCE).

This course will give you all the prerequisites to understand which kind of vulnerability can be found inside Rust code. You will learn how to find low hanging fruits bugs manually and automatically using Rust auditing tools. Finally, you will discover how to build custom Rust fuzzers, triage/debug crashes and improve your code coverage using different techniques.

This training offers participants multiple hands-on exercises allowing them to internalize concepts and techniques taught in class.

Day 1: Rust Security Audit and Code Review

In this course, you will focus on Rust code audit and vulnerability research. First, You will discover which security mechanism are enforced by default in Rust, which vulnerabilities are the most common and how to detect them. Then, you will have the opportunity to analyze unsafe code and apply much of the theory in practice over small real-life hands-on assignments to highlight aspects of auditing Rust code.

Topics Covered during this Day
  • Introduction to Rust and its Ecosystem
  • Security concepts, Ownership, Borrowing and Lifetime
  • Rust most common vulnerabilities
  • Error handling & Unwrapping, Panicking macros, Arithmetic errors
  • Index out of bound, Stack overflow, resource exhaustion (OOM)
  • Unsafe codes
  • Tooling and Sanitizers (ASAN, MSAN, etc.)
  • Out of bound access (OOB), Use-after-free (UAF), Double free, Memory leak, Data Races and Race Conditions
  • Rust advanced vulnerabilities
  • Logic bugs, FFI, Cryptographic issues, Uninitialized & Zeroing memory
  • Attack surface discovery & Auditing tools
Assignment 1: Rust introduction and security concepts
  • Get a quick introduction to Rust language and its ecosystem.
  • Compile and execute Rust code examples.
  • Discover how Rust security mechanism works.
Assignment 2: Detect most common Rust vulnerabilities
  • Identify multiple vulnerabilities and their impacts.
  • Reproduce bugs and learn how to detect them in the future.
  • Evaluate security of real-life crate packages using code review.
Assignment 3: Auditing unsafe code
  • Understand why unsafe code exists and when it can be dangerous.
  • Detect unsafe memory issues using sanitizing tools.
  • Analyze real-world usage of unsafe code.
Assignment 4: Real-World: Audit popular Rust packages
  • Choose targets to audit from popular libraries.
  • Identify interesting code patterns.
  • Share hypothesis and findings.

Day 2: Finding Bugs using Fuzzing

In this course, you will focus on automated Rust vulnerability detection using different fuzzing techniques. You will first learn how to create fuzzing harnesses for a given target quickly using coverage-guided fuzzing. Then, you will evaluate the fuzzing results and analyze crashes using debugging. Finally, you will discover other advanced techniques to find in-depth bugs on popular Rust libraries.

Topics Covered during this Day
  • Fuzzing workflow and Corpus selection
  • Coverage-guided Fuzzing in Rust
  • cargo-fuzz, afl-rs, honggfuzz-rs
  • Code coverage, Corpus minimization
  • Crashes Triaging and Debugging
  • Structure-aware & Grammar-based Fuzzing
  • Other Advanced Testing techniques
  • Differential Fuzzing
  • Writing Custom Rust Fuzzers.
Assignment 5: Fuzzing Rust library in less than 5 minutes
  • Learn the different steps in the fuzzing workflow.
  • Discover which Rust coverage-guided fuzzers are the best.
  • Write fuzzing harnesses for real-world public libraries.
Assignment 6: Improve and analyze your fuzzing session
  • Generate code coverage to evaluate fuzzing results.
  • Minimize both corpora and crashes to optimized fuzzing speed.
  • Triage and analyze bugs found during fuzzing.
Assignment 7: Applied advanced fuzzing techniques
  • Learn how to fuzz Rust structure using structure-aware based fuzzing.
  • Improve fuzzers input generation using grammar-based fuzzing.
  • Implement differential fuzzing to find logic bugs.
Assignment 8: Real-World: Fuzzing popular Rust packages
  • Choose targets to fuzz from previously audited libraries on day 1.
  • Create different fuzzing hardnesses for popular file and text format parsers.
  • Analyze and triage their crashes to find 0-days.

I hope you will enjoy and learn a lot !!!

Patrick Ventuzelo

Patrick Ventuzelo is a French Independent Security Researcher specialized in vulnerability research, fuzzing, reverse engineering and program analysis. 

Patrick found hundreds of bugs using fuzzing and developed both open-source security tools Octopus and WARF.

Patrick is a regular speaker and trainer at various security conferences around the globe, including RingZer0, REcon Montreal, ToorCon, hack.lu, NorthSec, REcon Brussels, SSTIC, FIRST, Microsoft DCC, BlackAlps, etc.