Rust Security Audit and Fuzzing

Rust (rustlang) is a strongly typed and safe systems programming language developed by Mozilla. Over the years, it has become the language of choice to build memory-safe programs while maintaining high performance at scale. Rust is usually used for file format and protocol parsers but also on critical projects like in the new high-performance browser engine, Servo.

However, coding using memory-safe language doesn’t mean the code will be bugs-free. Different kinds of rust security vulnerability like overflows, DoS, UaF, OOB, etc. can still be found and sometimes exploited to achieve remote code execution (RCE).

Goal of this course is to give you all the prerequisites to understand which kind of vulnerability can be found inside Rust code. You will learn how to find low hanging fruits bugs manually and automatically using Rust security auditing tools. Finally, you will discover how to build custom Rust fuzzers, triage/debug crashes and improve your code coverage using different techniques.

Along this training, students will deal with a lot of hands-on exercises allowing them to internalize concepts and techniques taught in class.

Day 1 - Rust Security Audit and Code Review

The first day focuses on code audit and Rust security vulnerability research. Students will first learn which security mechanisms are enforced by default in Rust, which vulnerabilities are the most common and how to detect them. Students will have the opportunity to analyze unsafe code and apply much of the theory in practice over small real-life hands-on assignments to highlight aspects of auditing Rust code.

- Introduction to Rust and its Ecosystem
- Security concepts
  - Ownership, Borrowing and Lifetime
- Rust most common vulnerabilities
  - Error handling & Unwrapping, Panicking macros, Arithmetic errors
  - Index out of bound, Stack overflow, resource exhaustion (OOM)
- Unsafe codes
  - Tooling and Sanitizers (ASAN, MSAN, etc.)
  - Out of bound access (OOB), Use-after-free (UAF), Double free, Memory leak, Data Races and Race Conditions
- Rust advanced vulnerabilities
  - Logic bugs, FFI, Cryptographic issues, Uninitialized & Zeroing memory
- Attack surface discovery & Auditing tools

Assignment 1: Rust introduction and security concepts

Students will get a short introduction to Rust language and its ecosystem.
Students will compile and execute Rust code examples.
Students will discover how Rust security mechanism works.

Assignment 2: Detect most common Rust vulnerabilities

Students will identify multiple vulnerabilities and their impacts.
Students will reproduce bugs and learn how to detect them in the future.
Students will evaluate security of real-life crate packages using code review.

Assignment 3: Auditing unsafe code

Students will understand why unsafe code exist and when it can be dangerous.
Students will detect unsafe memory issues using sanitizing tools.
Students will analyze real-world usage of unsafe code.

Assignment 4: Real-World: Audit popular Rust packages

Students will choose targets to audit from popular libraries.
Students will identify interesting code patterns.
Students will share hypothesis and findings.

Day 2 - Rust Fuzzing and Crash Analysis

This second day is more focused on automated Rust vulnerability detection using different fuzzing techniques. Students will first learn how to create Rust fuzz testing harnesses for a given target quickly using coverage-guided fuzzing. They will evaluate the Rust fuzz testing results and analyze crashes using debugging. Students will finally discover other advanced techniques to find in-depth bugs on popular Rust libraries.

- Fuzzing Introduction and Workflow
- Coverage-guided Fuzzing in Rust
  - cargo-fuzz, afl-rs, honggfuzz-rs
- Improve your Fuzzing Process
  - Code coverage, Corpus selection, Corpus minimization
  - Crashes Triaging and Debugging
- Structure-aware & Grammar-based Fuzzing
- Other Advanced Testing techniques
  - Symbolic Execution, Formal verification
  - Differential Fuzzing
  - Writing Custom Rust Fuzzers

Assignment 5: Fuzzing Rust library in less than 5 minutes

Students will learn the different steps in the fuzzing workflow.
Students will discover which Rust coverage-guided fuzzers are the best.
Students will write Rust fuzz testing harnesses for real-world public libraries.

Assignment 6: Improve and analyze your fuzzing session

Students will generate code coverage to evaluate fuzzing results.
Students will minimize both corpora and crashes to optimized Rust fuzzing speed.
Students will triage and analyze bugs found during fuzzing.

Assignment 7: Applied advanced Rust fuzzing techniques

Students will learn how to fuzz Rust structure using structure-aware based fuzzing.
Students will improve fuzzers input generation using grammar-based fuzzing.
Students will implement differential fuzzing to find logic bugs.

Assignment 8: Real-World: Fuzzing popular Rust packages

Students will choose targets to fuzz from previously audited libraries on day 1.
Students will create different Rust fuzzing harnesses for popular file and text format parser.
Students will analyze and triage their crashes to find 0-days.

CLASS REQUIREMENTS

Participants should have some basis with the Rust language and Linux. This course is suitable for people that are new to Rust. All the theory and concepts about Rust security vulnerability research and Rust fuzz testing will be explained during the course.

Hardware Requirements

A working laptop capable of running virtual machines. 4GB RAM required, at a minimum. 40 GB free Hard disk space. Minimum software to install Virtualbox or VMware Player, VMware Workstation, VMware Fusion.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Rust Security Audit and Fuzzing

Day 1 - Rust Security Audit and Code Review

Day 2 - Rust Fuzzing and Crash Analysis

CLASS REQUIREMENTS

FREE Courses & Training

Enter your email and we'll send you a bundle of awesome resources. 100% free - 100% awesome.

Any questions about our services and trainings ?

Get in touch today with any questions that you might have.