Advanced Fuzzing Security Trainings

We offers a wide-range of advanced fuzzing security trainings and consulting services around Rust, WebAssembly, Golang and blockchain security. We also provide private online courses and public trainings at multiple IT security conference.

Online Courses

After a lot of requests from our clients, we have decided to provide actual and under development trainings available fully online. If you are interested and want an early access to the courses once published, don’t forget to provide your mail in the newsletter form below.  

Trainings

We offer the world’s first training about WebAssembly security in 4 to 5 days format. We have also developed an exclusive training about Rust security that required only 2 days. Customization is possible for online and on-site trainings, but need to be requested as soon as possible.

Services

We offers a wide-range of Fuzzing, WebAssembly and Rust consulting services to our clients. We help them to develop and secure their own software, including trainings to boost employee qualification, code audits, as well as vulnerability assessments and custom fuzzing development.

FREE Courses & Trainings

Enter your email and we'll send you a bundle of awesome resources. 100% free - 100% awesome.

Exclusive online and private

WebAssembly & Rust Security Trainings

  • WebAssembly Security training wasm patrick ventuzelo WebAssembly Security
  • rust security patrick ventuzelo training webassembly Rust Security

This courses will give you all the prerequisites to understand what’s a WebAssembly module and its associated virtual machine. At the end of this intensive 4 days, you will be able to reverse statically and dynamically a WebAssembly module, analyze its behavior, create detection rule and search for vulnerabilities and security issues. You will learn which security measures are implemented by the WebAssembly VM to validate and handle exceptions. Finally, you will discover how to find vulnerabilities inside WebAssembly VMs (Web-browsers, Standalone VM) using differents fuzzing techniques.

Along this training, students will deal with a lots of hands-on exercises allowing them to internalize concepts and techniques taught in class.

COURSE OUTLINE

Day 1 - WebAssembly Reversing

  • Introduction to WebAssembly
  • WebAssembly VM architecture
  • WebAssembly toolchain
  • Writing examples in C/C++/Rust/C#
  • Debugging WebAssembly module
  • WASM binary format (header, sections)
  • WebAssembly Text Format (wat/wast)
  • WebAssembly Instructions set
  • Coding with WASM Text format
  • Reversing WebAssembly module
  • CFG & CallGraph reconstruction
  • DataFlowGraph analysis
  • Browser Addons reversing

Day 2 - Real-life Modules Analysis

  • Modules Instructions analytics/metrics
  • WASM cryptominers analysis
  • Pattern detection signatures (YARA)
  • Taint Tracking
  • Dynamic Binary Instrumentation
  • Bytecode (De)-Obfuscation techniques
  • Static Single Assignment & Decompilation
  • Real-life WASM module analysis
  • Hacking WebAssembly video game

Day 3 - Wasm Modules Vulnerabilities

  • Traps & Exception handling
  • WebAssembly module vulnerabilities
  • Integer/Buffer/Heap Overflows
  • Advanced vulnerabilities (UaF, TOCTOU…)
  • CFI Hijacking
  • Emscripten vulnerabilities
  • Exploitation NodeJS server running wasm module
  • Vulnerability detection (Static & Dynamic)
  • Lifting WASM bytecode
  • Fuzzing WebAssembly modules

Day 4 - Vulnerability Research inside Wasm VM

  • Web-Browsers vulnerabilities analysis (CVEs PoC)
  • WebAssembly VM & Interpreter vulnerabilities
  • WebAssembly JS APIs generation
  • Fuzzing Web-Browsers (Chrome, Firefox, WebKit)
  • WASM module validation mechanism
  • Writing edge case module
    WAT, WAST & WASM
  • grammar generation
  • Blockchain VM targets
  • Fuzzing C/C++/Rust/Go WASM project
  • WebAssembly for Security Researcher
  • In-memory fuzzing everything using WebAssembly & Frida

This goal of this course is to give you all the prerequisites to understand which kind of vulnerability can be found inside Rust code. You will learn how to find low hanging fruits bugs manually and automatically using Rust auditing tools. Finally, you will discover how to build custom Rust fuzzerstriage/debug crashes and improve your code coverage using differents techniques.

Along this training, students will deal with a lots of hands-on exercises allowing them to internalize concepts and techniques taught in class.

COURSE OUTLINE

Day 1 - Rust Security Audit and Code Review

  • Introduction to Rust
  • Security concepts & Ownership
  • Panicking macros
  • Error handling & Unwrapping
  • Unsafe codes
  • Attack surface discovery
  • Rust vulnerabilities & impacts
  • Uninitialized & Zeroing memory
  • Rust Security Auditing tools

Day 2 - Finding Bugs automatically using Fuzzing

  • Setup fuzzers easily (cargo-fuzz, afl-rs, honggfuzz-rs)
  • Crashes Triaging
  • Structure-aware Fuzzing
  • Debugging / Bugs analysis
  • Code coverage
  • Grammar-based Fuzzing
  • Corpus minimization
  • Sanitizers (ASAN, MSAN, …)
  • Symbolic execution

Any questions about our services and trainings ?

Get in touch today with any questions that you might have.