Catch Me If You Can: Deterministic Discovery of Race Conditions with Fuzzing

Presented at Black Hat USA 2022, Aug. 11, 2022, 1:30 p.m. (40 minutes)

Finding concurrency bugs has presented a challenge for security and development teams. Race condition-based vulnerabilities are a growing category of bugs reported to vendors and have been observed in in-the-wild exploits. Coverage-guided fuzzing has been a boon to the security community, both offensive and defensive, but on its own it is often not sufficient to find deep concurrency issues reliably.

This research discusses a novel approach to fuzzing that enables deterministic discovery of race condition bugs, allowing researchers to unearth and root cause these serious bugs while still having fun.


Presenters:

  • Ned Williamson - Information Security Engineer, Google
    Ned Williamson is a security researcher at Google Project Zero. He has experience exploiting Chrome and iOS and focuses on novel and deep fuzzing techniques. Before Google, he participated in CTFs with PPP, a university security team, and worked at ForAllSecure on Mayhem, which won the Cyber Grand Challenge.