Rust Security Audit and Fuzzing
3-Day Training | In-person
| 21-23 November 2021

Rust Security Audit and Fuzzing

This course will give you all the prerequisites to understand which kind of vulnerability can be found inside Rust code. You will learn how to find low hanging fruits bugs manually and automatically using Rust auditing tools. Finally, you will discover how to build custom Rust fuzzers, triage/debug crashes and improve your code coverage using different techniques. This training offers participants multiple hands-on exercises allowing them to internalize concepts and techniques taught in class.
Founder & Senior Security Researcher, FuzzingLabs

Available seats

TBA

Difficulty

Intermediate
US$ 3,299

Attend in-person

at ADNEC Abu Dhabi

Attend online

TBA

Date

21-23 November 2021

Time

09:00 to 17:00 GST/GMT+4

Rust is a strongly typed and safe systems programming language developed by Mozilla. Recently, it has become the language of choice to build memory-safe programs while maintaining high performance at scale. Rust is usually used for file format and protocol parsers but also on critical projects like in the new high-performance browser engine, Servo.

However, coding using memory-safe language doesn’t mean the code will be free of bugs. Different kinds of vulnerabilities like integer overflows, OOM, DoS, UaF, OOB, etc. can still be found and sometimes exploited to achieve remote code execution (RCE).

This course will give you all the prerequisites to understand which kind of vulnerability can be found inside Rust code. You will learn how to find low hanging fruits bugs manually and automatically using Rust auditing tools. Finally, you will discover how to build custom Rust fuzzers, triage/debug crashes and improve your code coverage using different techniques. This training offers participants multiple hands-on exercises allowing them to internalize concepts and techniques taught in class.

This course is for anyone who's looking for a hands-on and pragmatic approach to audit and secure Rust code such as:

  • Security engineers
  • Vulnerability researchers
  • Pentesters & Red team professionals
  • Software developers.

Participants should have some basis with the Rust language and Linux. All the theory and concepts about Rust security vulnerability research and Rust fuzz testing will be explained during the course.

  • Introduction to Rust and its Ecosystem
  • Security concepts, Ownership, Borrowing and Lifetime
  • Rust most common vulnerabilities - Error handling & Unwrapping, Panicking macros, Arithmetic errors, Index out of bound, Stack overflow, resource exhaustion (OOM)
  • Unsafe codes - Tooling and Sanitizers (ASAN, MSAN, etc.), Out of bound access (OOB), Use-after-free (UAF), Double free, Memory leak, Data Races and Race Conditions
  • Advanced Rust security vulnerability - Logic bugs, FFI, Cryptographic issues, Uninitialized & Zeroing memory
  • Attack surface discovery & Rust security Auditing tools
  • Rust Fuzz testing workflow and Corpus selection
  • Coverage-guided Rust Fuzzing - cargo-fuzz, afl-rs, honggfuzz-rs
  • Code coverage, Corpus minimization
  • Crashes Triaging and Debugging
  • Structure-aware & Grammar-based Fuzzing
  • Other Advanced Fuzz Testing techniques - Differential Rust Fuzzing, Writing Custom Rust Fuzzers
  • A working laptop capable of running virtual machines
  • 8GB RAM required, at a minimum
  • 40 GB free Hard disk space
  • VirtualBox / VMware

+Testimonials

I personally have learned a lot. I have to admit that this training is more for advanced Fuzzing and Rust experts or those who want to become one. I don't have as much experience in these two topics, since I'm not a developer but a security manager. Nevertheless, I was very interested in these topics and I found the training very good!  Thank you Patrick!

Very good practical training with focus on developing secure apps with Rust and fuzzing techniques, but also covers other testing methodologies. As a developer relatively new in Rust, I've learned a lot about general principles that should be used to develop safe applications, and various tooling built around Rust infrastructure that makes development much easier.

Essential training covering all shorts of issues and scenarios. A well rounded training that does not leave anything uncovered. A great place to start when entering Rust space.

This course is pure gold. I wasted weeks looking for an alternative instead of taking this course directly. Huge mistake on my end because Patrick's slides are awesome and teach everything you need to know about Rust security.

+agenda

Title

Details

Date

No data was found

Book your spot for this training

+TRAINERS

Patrick Ventuzelo
Founder & Senior Security Researcher, FuzzingLabs

Patrick Ventuzelo is a French Independent Security Researcher specialising in vulnerability research, fuzzing, reverse engineering and program analysis. He is the trainer of two training respectively about WebAssembly Security and Rust Security.

Patrick is the author of Octopus, an open-source security analysis tool supporting WebAssembly and multiple Blockchain smart contracts bytecode to help researchers perform closed-source analysis. He also has recently developed WARF, another open-source fuzzing project to find bugs inside WebAssembly VMs/runtimes/parsers using different fuzzing techniques.

+OTHER COURSES YOU MIGHT BE INTERESTED IN

x86-64 All You Can Learn Buffet!
US$ 4,299
x86-64 All You Can Learn Buffet!

This class is run a little different from most classes. We provide you purpose-built recorded lectures instead of trapping you in realtime with live-lectures. But fear not, the instructor is always right there eagerly waiting to mingle with the students and answer any questions you have. (The instructor really likes being asked questions. It shows you're paying attention ;)). One of many benefits is that you can watch lectures at 2x speed and zoom ahead of the other students and get to the hands on labs quicker. Or if there's bits of material you already know, you can just skip them and move on to the bits you don't know! Another big benefit is that you get to take the full lectures and labs with you! That means if you forget stuff and then need it in 6 months, you can quickly re-bootstrap yourself! Or you can watch the class twice, to really grow those neural connections and cement it in your brain! And unlike live lectures, our lectures are always getting more factually accurate, by having any accidental errors edited out.


Go HERE to join the 2-day x86-64 Assembly class. Or,
Go HERE to join the 2-day x86-64 OS Internals class. Or,
Go HERE to join the 4-day x86-64 Reset Vector Firmware class.
4-Day Training Hybrid
x86-64 Reset Vector Firmware
US$ 2,299
x86-64 Reset Vector Firmware

This class is designed to give you all the background you need to understand how x86-64 reset vector firmware works, and what the most common security misconfigurations are. It will prepare you to be able to read and understand the existing attack and defense research in the space, taking an explicit walk through of the attack and defense moves and counter-moves threat tree. And as always, this classes teaches you to be comfortable with Reading The Fun Manual (RTFM!) to go seek out the most accurate details of how things work, and to see out new problems in new areas that no one's read yet with a security mindset.

You can also opt to attend this class on 23 & 24 Nov instead. To do so, just email info@cyberweek.ae

Go HERE to join the 2-day x86-64 Assembly class. Or,
Go HERE to join the 2-day x86-64 OS Internals class. Or,
Go HERE to join the 4-day x86-64 All You Can Learn Buffet class.
2-Day Training Hybrid
x86-64 OS Internals
US$ 2,299
x86-64 OS Internals

This class teaches you about the fundamental hardware mechanisms which all operating systems, virtualization systems, and firmware *must* interact with in order to run successfully on x86 hardware. This is taught in a *mostly* OS-agnostic way focusing on Intel-isms rather than OS-isms (albeit with using Windows as reinforcement, thanks to its excellent kernel-level debugging support.) This class also teaches you to be comfortable with Reading The Fun Manual (RTFM!) to give you self-sufficiency when seeking out the most accurate details of how things work.

You can also opt to attend this class on 23 & 24 Nov instead. To do so, just email info@cyberweek.ae

Go HERE to join the 2-day x86-64 Assembly class. Or,
Go HERE to join the 2-day x86-64 Reset Vector Firmware class. Or,
Go HERE to join the 4-day x86-64 All You Can Learn Buffet class.
2-Day Training Hybrid
x86-64 Assembly
US$ 2,299
x86-64 Assembly

This class teaches you how to disassemble binaries, read x86-64 assembly language, and debug black-box binaries in WinDbg and GDB. This knowledge of assembly is the fundamental skill which is required to learn reverse engineering and vulnerability exploitation. Reverse engineering is in turn a fundamental skill which is required for malware analysis and vulnerability hunting.

 

You can also opt to attend this class on 23 & 24 Nov instead. To do so, just email info@cyberweek.ae

 
Go HERE to join the 2-day x86-64 OS Internals class. Or,
Go HERE to join the 2-day x86-64 Reset Vector Firmware class. Or,
Go HERE to join the 4-day x86-64 All You Can Learn Buffet class.  
2-Day Training Hybrid