What the Fuzz

Presented at Black Hat Europe 2019, Dec. 5, 2019, 10:45 a.m. (50 minutes)

Fuzzers have become one of the most powerful tools at the disposal of offensive security researchers. Yet, outside of a few big companies, they find little use in defensive scenarios. We believe it is time to change this. If you are not fuzzing your code, someone else will be. Various problems currently prevent the widespread adoption of fuzzers as a standard tool in software development. Fuzzing is still hard to use. It requires a significant amount of expertise to adapt fuzzers to new targets. Debugging the fuzzing process often requires understanding the fuzzer and the target application.

On our journey to find 0days in targets ranging from applications, libraries, and programming languages to hypervisors and back, we worked on many of these problems. What kind of bugs can current fuzzers find? What kind of code can they test and, where do they stumble? How can we automatize fuzzing tasks? How can we manually guide the fuzzer, where automatization fails? How can we make fuzzers easier to use even by less experienced users?

Come to our talk and find out, what state-of-the-art fuzzing technologies have to offer, and what is yet to come. This talk will feature demos, CVEs, and a release, as well as lots of stuff we learned over the last four years of fuzzing research.


  • Sergej Schumilo - Security Researcher, Ruhr University Bochum
    Sergej Schumilo is a PhD student at the chair for Systems Security at the Ruhr University Bochum. His research fields are fuzzing, and OS as well as hypervisor security.
  • Cornelius Aschermann - Security Researcher, Ruhr University Bochum
    Cornelius Aschermann works on automatic bug-finding and verification tools for his PhD at Ruhr University Bochum. His fuzzing research has uncovered bugs in targets from ring 3 to ring -1. In his spare time, he has been playing and organizing international security competitions for almost ten years and has been involved in various security audits and pentests for fun and profit.


Similar Presentations: