
Fuzzing Session: Finding Bugs and Vulnerabilities Automatically

2022-10-28

Authors:   David Korczynski, Adam Korczynski


Summary

Why fuzzing should be integrated into open source software (OSS) development to identify security vulnerabilities and improve code quality:
  • Fuzzing involves generating random inputs to test software for bugs and vulnerabilities
  • Integrating fuzzing into OSS development can save CPU resources and improve code quality
  • Fuzzing can identify security vulnerabilities, such as unauthenticated control plane denial of service attacks
  • Tools like Fuzz Introspector can help identify complex code and entry points for fuzzing
  • Improving tool support and identifying security issues in memory safe languages are priorities for organizations
  • Collaboration and sponsorship from maintainers, the CNCF, and the Open Source Technology Improvement Fund are important for advancing fuzzing in OSS development

During a case study, almost 300 fuzzers were run for a total of almost 60,000 hours, resulting in the discovery of around 40 crashes and one high severity vulnerability. The vulnerability was found in an API that took a string and split it into three different strings; if the payload bytes ended up being null, the API produced a nil value that was later dereferenced, causing a nil-pointer crash. This issue was found by the fuzzer and also identified in other high-profile projects by the Istio maintainers. The fix was to not pass a double pointer, but a single pointer.
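The case study above describes a harness feeding pseudo-random input to a string-splitting API until a nil value is dereferenced. The following Go program is an added illustration, not code from the talk or from Istio: it models that bug class with a hypothetical `splitVulnerable`/`describeVulnerable` pair that expects three `:`-separated components and crashes when one is missing, a hardened `describeSafe` that checks for nil instead, and a toy mutation-based fuzz loop (`mutate`, `harness`, `fuzz`) that stands in for a real engine such as libFuzzer or `go test -fuzz`. The input format, the function names and the seed corpus are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
	"strings"
)

// Parts holds the three components of a hypothetical "<scheme>:<host>:<path>"
// string. Pointers let the caller distinguish "absent" from "empty".
type Parts struct {
	Scheme, Host, Path *string
}

// splitVulnerable splits into at most three components and leaves any
// missing component nil. It is modelled on the bug class from the talk.
func splitVulnerable(s string) Parts {
	fields := strings.SplitN(s, ":", 3)
	var p Parts
	if len(fields) > 0 {
		p.Scheme = &fields[0]
	}
	if len(fields) > 1 {
		p.Host = &fields[1]
	}
	if len(fields) > 2 {
		p.Path = &fields[2]
	}
	return p
}

// describeVulnerable dereferences all three pointers unconditionally, so any
// input with fewer than three components panics with a nil-pointer access.
func describeVulnerable(s string) string {
	p := splitVulnerable(s)
	return *p.Scheme + "|" + *p.Host + "|" + *p.Path
}

// describeSafe is the hardened form: malformed input is rejected with an
// error instead of being dereferenced.
func describeSafe(s string) (string, error) {
	p := splitVulnerable(s)
	if p.Scheme == nil || p.Host == nil || p.Path == nil {
		return "", errors.New("malformed input: expected three ':'-separated components")
	}
	return *p.Scheme + "|" + *p.Host + "|" + *p.Path, nil
}

// harness runs one candidate through fn and turns a panic (what a fuzzer
// reports as a crash) into a boolean so the loop can continue.
func harness(fn func(string) string, input string) (crashed bool) {
	defer func() {
		if r := recover(); r != nil {
			crashed = true
		}
	}()
	_ = fn(input)
	return false
}

// mutate derives a new candidate from a seed by truncating it, deleting one
// byte or appending a random byte: a toy stand-in for a real mutator.
func mutate(rng *rand.Rand, seed string) string {
	b := []byte(seed)
	switch rng.Intn(3) {
	case 0:
		if len(b) > 0 {
			b = b[:rng.Intn(len(b))]
		}
	case 1:
		if len(b) > 0 {
			i := rng.Intn(len(b))
			b = append(b[:i], b[i+1:]...)
		}
	default:
		b = append(b, byte(rng.Intn(256)))
	}
	return string(b)
}

// fuzz mutates the seed corpus for the given number of iterations and returns
// the first crashing input, or ("", false) if fn never panicked.
func fuzz(fn func(string) string, seeds []string, iterations int, seedValue int64) (string, bool) {
	rng := rand.New(rand.NewSource(seedValue)) // deterministic for reproducibility
	corpus := append([]string(nil), seeds...)
	for i := 0; i < iterations; i++ {
		candidate := mutate(rng, corpus[rng.Intn(len(corpus))])
		if harness(fn, candidate) {
			return candidate, true
		}
		corpus = append(corpus, candidate) // keep mutants as new seeds
	}
	return "", false
}

func main() {
	seeds := []string{"http:example.org:/index", "grpc:svc:/v1"} // constructed corpus
	if in, ok := fuzz(describeVulnerable, seeds, 10000, 1); ok {
		fmt.Printf("vulnerable version crashed on input %q\n", in)
	}
	wrapped := func(s string) string { out, _ := describeSafe(s); return out }
	_, ok := fuzz(wrapped, seeds, 10000, 1)
	fmt.Println("hardened version crashed:", ok)
}
```

The loop finds the crash quickly because a single truncation or deleted `:` removes a component; a coverage-guided engine would reach the same state by the same kind of mutation, which is why this bug class surfaces within minutes of fuzzing once a harness reaches the API. In a real project the harness body becomes a `FuzzXxx(f *testing.F)` target or a libFuzzer entry point, and the nil check in `describeSafe` is the mitigation.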

Abstract

In this session Adam and David invite attendees to an in-depth look at fuzzing, starting with the basics and moving on to advanced topics. The presentation will focus on fuzzing open source software and cover why it is important to fuzz your software by way of brief introductions followed by a series of case studies. Fuzzing is a technique to automate testing software for bugs and vulnerabilities. Fuzzing is performed by writing a test harness that passes seemingly pseudo-random data to a target application with the goal of finding bugs and vulnerabilities. Adam and David have written fuzzers for more than 200 open source projects, which have led to finding thousands of bugs, many of them security-critical. The presentation will also cover important open-source projects related to fuzzing such as OSS-Fuzz and Fuzz Introspector. This talk is aimed at a broad audience, including those who are new to fuzzing as well as those with some fuzzing experience.

Materials: