What the Fuzz

Fuzzers have become one of the most powerful tools at the disposal of offensive security researchers. Yet, outside of a few big companies, they find little use in defensive scenarios. We believe it is time to change this. If you are not fuzzing your code, someone else will be. Various problems currently prevent the widespread adoption of fuzzers as a standard tool in software development. Fuzzing is still hard to use. It requires a significant amount of expertise to adapt fuzzers to new targets. Debugging the fuzzing process often requires understanding the fuzzer and the target application.On our journey to find 0days in targets ranging from applications, libraries, and programming languages to hypervisors and back, we worked on many of these problems. What kind of bugs can current fuzzers find? What kind of code can they test and, where do they stumble? How can we automatize fuzzing tasks? How can we manually guide the fuzzer, where automatization fails? How can we make fuzzers easier to use even by less experienced users? Come to our talk and find out, what state-of-the-art fuzzing technologies have to offer, and what is yet to come. This talk will feature demos, CVEs, and a release, as well as lots of stuff we learned over the last four years of fuzzing research.