Recon 2025

Coverage-Guided Fuzzing of Rehosted Network Services from Firmware Images
2025-06-28, Soprano B

In this 3-hour hands-on workshop, you'll dive deep into a real-world example of how to perform coverage-guided fuzzing of network services extracted directly from ARM/MIPS/... firmware images. Learn to unleash a range of advanced techniques: fuzzing live over TCP, mocking network interactions, preloading libraries, and applying binary patches. By the end of this session, you'll have mastered effective strategies to uncover hidden vulnerabilities in embedded network services, all directly on your laptop and applicable to embedded hacking in general.

In this comprehensive 3-hour workshop, you'll gain practical skills in finding vulnerabilities within embedded network services using coverage-guided fuzzing techniques directly on your laptop. Step-by-step, you'll learn to extract, rehost, and fuzz network services from real-world ARM/MIPS/... firmware images.

Workshop Outline:

  1. Obtaining and Unpacking Firmware
  2. Identifying Target Services and Dependencies
  3. Rehosting Network Services on a Pentest Laptop
  4. Setting Up AFL++ for Coverage-Guided Fuzzing
  5. Techniques to Fuzz a Network Service
    How to fuzz in fork() mode and in persistent (in-memory) mode, and what each mode requires of the target.
    a) Network-based fuzzing: Fuzzing targets directly over TCP/IP connections
    b) Network mocking: Using mock services to simulate network interactions
    c) Preloading libraries: Intercepting and manipulating function calls at runtime
    d) Binary patching: Altering target binaries to bypass checks and improve fuzzing effectiveness
  6. Advanced binary-only fuzzing techniques
    a) How to fuzz with AddressSanitizer even though the binary was not built with it
    b) Enabling path constraint solving (CMPLOG, COMPCOV)
    c) Creating and using a helpful dictionary
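
One way items 5b and 5c fit together in practice, as an added example that is not part of the workshop material: a small AFL_PRELOAD shim that replaces the target's socket calls so that each afl-fuzz test case arrives at the rehosted service as one inbound connection, with no real network traffic. It assumes the service calls bind()/listen()/accept() and then recv()/send() on the accepted socket, and that one process handles one connection (fork-server mode); the file name netshim.c and the helper shim_make_client are names chosen here.

```c
/* netshim.c: AFL_PRELOAD shim that delivers one afl-fuzz test case to a server
 * as if a TCP client had sent it (added example, not workshop material).
 * Assumes the target calls bind()/listen()/accept() and then recv()/send()
 * on the accepted socket, one connection per process (fork-server mode).
 * Build: gcc -shared -fPIC -o netshim.so netshim.c
 * Run:   AFL_PRELOAD=./netshim.so afl-fuzz -G 60000 -i in -o out -- ./service */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* Create a connected AF_UNIX socket whose read side already holds the request
 * followed by EOF, so recv() on it returns the data and then 0 (peer closed). */
int shim_make_client(const unsigned char *req, size_t len) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    /* Non-blocking write: a test case larger than the socket buffer is
     * truncated instead of deadlocking the fuzzing run (cap it with -G). */
    fcntl(sv[1], F_SETFL, O_NONBLOCK);
    size_t off = 0;
    while (off < len) {
        ssize_t w = write(sv[1], req + off, len - off);
        if (w <= 0) break;
        off += (size_t)w;
    }
    close(sv[1]);          /* the service reads the data, then sees EOF */
    return sv[0];
}

/* --- libc interposers, used because the shim is loaded before libc --- */
int bind(int fd, const struct sockaddr *a, socklen_t l) {
    (void)fd; (void)a; (void)l;
    return 0;              /* no real port: parallel fuzzers never collide */
}
int listen(int fd, int backlog) { (void)fd; (void)backlog; return 0; }

int accept(int fd, struct sockaddr *a, socklen_t *l) {
    (void)fd; (void)a; (void)l;
    static unsigned char tc[1 << 16];   /* holds one afl-fuzz test case */
    static int served = 0;
    if (served) _exit(0);  /* second accept(): the run is over, exit cleanly */
    served = 1;
    size_t n = fread(tc, 1, sizeof tc, stdin);  /* afl-fuzz feeds stdin */
    return shim_make_client(tc, n);
}

ssize_t send(int fd, const void *buf, size_t len, int flags) {
    (void)fd; (void)buf; (void)flags;
    return (ssize_t)len;   /* swallow the reply; nobody is listening */
}
```

Services that wait in select()/poll() before accept(), or that use accept4(), need the corresponding calls interposed as well.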

Prerequisites:

  1. A laptop with Linux and Docker
  2. Some reversing and fuzzing background

By the conclusion of this workshop, you'll have the practical expertise needed to systematically uncover and exploit vulnerabilities in embedded network services.

Marc "vanHauser" Heuse is a seasoned security researcher, best known for creating prominent tools such as THC-Hydra and THC-IPv6 and for maintaining AFL++. With over two decades of expertise, he specializes in vulnerability research, code audits and network security assessments. He founded The Hacker's Choice (THC) 30 years ago and the AFLplusplus team 6 years ago, and is currently leading the code assurance team at Security Research Labs (SRLabs). Marc frequently shares his research at global cybersecurity conferences.