Catch Me If You Can: Deterministic Discovery of Race Conditions with Fuzzing

Presented at Black Hat USA 2022, Aug. 11, 2022, 1:30 p.m. (40 minutes).

Finding concurrency bugs has presented a challenge for security and development teams. Race condition-based vulnerabilities are a growing category of bugs reported to vendors and have been observed in in-the-wild exploits. Coverage-guided fuzzing has been a boon to the security community both offensive and defensive but on its own is often not sufficient to find deep concurrency issues reliably.

This research discusses a novel approach to fuzzing that enables deterministic discovery of race condition bugs, allowing researchers to unearth and root cause these serious bugs while still having fun.

Presenters:

• Ned Williamson - Information Security Engineer, Google
  Ned Williamson is a security researcher at Google Project Zero. He has experience exploiting Chrome and iOS and focuses on novel and deep fuzzing techniques. Before Google, he participated in CTFs with PPP, a university security team, and worked at ForAllSecure on Mayhem, which won the Cyber Grand Challenge.

Links:

• https://www.blackhat.com/us-22/briefings/schedule/#catch-me-if-you-can-deterministic-discovery-of-race-conditions-with-fuzzing-27597

Similar Presentations:

• DEF CON 15 (2007) / How I Learned to Stop Fuzzing and Find More Bugs
• DEF CON 26 (2018) / Fuzzing Malware For Fun & Profit. Applying Coverage-guided Fuzzing to Find and Exploit Bugs in Modern Malware
• BSidesSF 2019 / Fuzzing Malware for Fun & Profit: Applying Coverage-Guided Fuzzing to Find and Exploit Bugs in Modern Malware