Go Security Audit and Fuzzing

Go (golang) is a statically typed, compiled programming language designed by Google. Over the years, it has become a language of choice for developers building concurrent backend applications that maintain high performance at scale.

This course teaches you all the prerequisites needed to understand which kinds of vulnerabilities can be found in Go code. You will learn how to find low-hanging-fruit bugs manually and automatically using different Go auditing tools. You will discover how to use existing coverage-guided Go fuzzing frameworks, triage and debug crashes, and improve your code coverage. Finally, you will discover how to build custom Go fuzzers and implement advanced fuzzing techniques to find in-depth bugs in popular Go packages.

Throughout this training, students will work through many hands-on exercises that help them internalize the concepts and techniques taught in class.

COURSE SYLLABUS

Module 1 - Go Security Audit and Code Review

  • Introduction to Go and its Ecosystem
  • Security concepts
    • Memory safety, Garbage collector
    • Error handling, Concurrency
  • Golang common vulnerabilities
    • Panicking function
    • Arithmetic errors
    • Out-of-bounds panics
    • SIGSEGV / Nil pointer dereference
    • Resource exhaustion / OOM, Stack overflow
  • Advanced vulnerabilities
    • Unsafe code
    • Data races, Race conditions
    • Memory Leak, Logic errors, Concurrency issues
    • Web App Vulnerabilities (SQLI, XSS, etc.)
  • Attack surface discovery & Auditing tools

Module 2 - Go Fuzzing & Crash Analysis

  • Introduction to Fuzzing
  • Coverage-guided Fuzzing
    • go-fuzz, libFuzzer, testing/fuzz
  • Fuzz testing workflow
    • Corpus/inputs collection, Code coverage
    • Corpus minimization
  • Crashes Analysis
    • Bucketing, Crashes minimization, Debugging, Root cause analysis
  • Generation-based fuzzing
    • Grammar-based & Structure-aware Fuzzing
  • Advanced testing techniques
    • Property-based testing, Concolic Testing
    • Differential fuzzing / Writing custom fuzzers

  • Familiarity with Linux and Go
  • A working laptop capable of running virtual machines
  • 4 GB RAM required, at a minimum
  • 40 GB free hard disk space
  • VirtualBox
  • Administrator/root access MANDATORY

This course is suitable for people who are new to Go. All the theory and concepts about Go security and Go fuzz testing will be explained during the course.

  • Software developers
  • Security engineers
  • Vulnerability researchers
  • Bug bounty hunters
  • Pentesters & Red team professionals
  • Anyone who wants to learn more about Go security & fuzzing

Why Choose Us

"Really complete training if you're starting to write and audit Go code. I've already applied and used the fuzzing tools and techniques against Blockchain code and I directly found multiple bugs! Thanks Patrick!"
Anonymous
Blockchain engineer

"The course contains a lot of information to be completely processed but it's well built and very practical! My favorite part was about fuzzing!"
Thomas.H
Software engineer

"Great course, not just showing how to use some fuzzing tools... it goes into detail showing the process and workflow required to fuzz a target."
Anonymous
Vulnerability researcher

"I was impressed with the quality of Go training on many levels. The slides exceeded my expectations and the videos really motivated me to finish the course entirely! Of course, it costs a certain budget but it's definitely worth the investment."
Anonymous
Security engineer

Any questions about our services and trainings?

Get in touch today with any questions that you might have.