A Retrospective on Our First Fuzzing Workshop

A retrospective on our first fuzzing conference workshop and how we'll improve next time.

Ryan and I in front of one of our AFL fuzzing runs.

My buddy and former coworker Ryan O’Neal and I gave our first conference workshop, an Introduction to Fuzzing, at BSides Charm 2023 last weekend. It was a great experience. We had about twenty students in total. We covered both the theory and practical, real-world fuzzing exercises. It was great to connect with other industry professionals and attend a conference in person again. We got great feedback from the students who attended our workshop and wanted to document that feedback here to both keep us accountable and to help others in their course development.

Poor Communication on Our Part

The biggest feedback that we got was to inform students what materials they needed before the course. We did put out information on how to install AFL++, Docker, and which operating systems were supported. However, we didn’t offer a point of contact if students got stuck during installation or if they had a question. We also had students who had never used Docker before. It was pretty unreasonable for us to assume that would have been set up before the course. Additionally, we had four or five students that joined the course on standby after others were no-shows. These students obviously didn’t have any of the items set up, which is not something we adequately prepared for.

At the start of class, we had students frantically downloading Docker and trying to pull images from Docker Hub. The seemingly 256kB/s download speeds made this infeasible. Thankfully, Ryan had a USB drive and loaded his pre-built Docker containers onto it. Many of the students were able to use these images for the course. Though, for some reason, a few of the students were reluctant to use an unknown USB device.

For next time, I think we’ll run our own Intranet to host the materials, so we’re not relying on the conference’s infrastructure. That or we’ll get many more USB drives. I guess they’re pretty cheap these days. Additionally, we need to trim down our 1GB+ containers. 🐳 Additionally, I’d like to put a link to a Discord channel in the installation setup instructions. That’ll facilitate communication before the course begins.

Too Much Content

We had way more content than I thought. By the time we were done, Ryan and I had made seven hands-on exercises and over one hundred slides for a four-hour course. After we completed the development of the first four or five exercises, I felt we still needed more exercises to have a class worthy of the students’ time. We stayed up late the night before the workshop prepping the slides and exercises six and seven. We didn’t really need that much.

We started the workshop off with an introduction to a simulated C bug (a process getting killed with a signal via abort) just to re-familiarize students with classes of C errors. Exercise two was fuzzing that same program. Between those two exercises and the theory of fuzzing, we probably spent around 75 minutes. Exercise three focused on fuzzing a real-world open-source target and creating a dictionary. That, with the additional slides, probably took another 75 minutes. After the third exercise, we had just about an hour of time before the closing remarks of the conference.

So we decided to cut exercise four, which talked about sanitizers, and skipped to harnessing openssl/. I felt like we rushed through that exercise to quickly touch on AFL’s fork server with exercises six and seven, though we didn’t actually have students do those. Though most of the students were about to trigger the bug responsible for CVE-2022-3786, we didn’t do harnessing proper justice.

All in all, we started the workshop back in January, about four months before the conference. We probably put in a combined forty or fifty hours into the material.

We Didn’t Attend the First Day

This is related to having too much content but still not feeling it was enough. Because we were worried we had too little, we spent the first day of the conference solely working on our material. We didn’t go around and connect with attendees or sit in on any talks. Given how cool the people we met on Sunday were, I really regret not walking around. That’s an easy fix for next year. There was also a Friday night dinner for speakers and workshop leaders, which I did not attend. I get stressed pretty easily when I don’t get any downtime after work, and I felt this might cut into it. However, it would have been great to network and talk with other presenters about their materials and their backgrounds.

After Thoughts

With the conference behind us and some great feedback, we can’t wait to put some weekend hours in to improve and bring an even better workshop to the next conference. We definitely want to thank the BSides Charm speaker committee for allowing us to come out, and we hope we get the opportunity in the future! All of our work, including slides and exercises, is open source on GitHub.
