The browser needs no introduction as a security-critical component. Many browser fuzzing tools, such as cross_fuzz and grinder, help people build their own browser fuzzing systems.
However, the most important part of fuzzing is the fuzzing strategy. A good strategy yields more real vulnerabilities rather than useless crashes, and a unique strategy finds bugs that others could not.
From September 2013 to April 2014, we discovered more than 100 use-after-free vulnerabilities in Internet Explorer. 19 of them were assigned CVEs and affect all versions of Microsoft IE, and we have more than 50 additional IE vulnerabilities pending at MSRC.
In this talk, we are going to introduce the vulnerability hunting system we built from scratch and the fuzzing strategy we used.