Improving security with Fuzzing and Sanitizers: Free and open source software has far too many security critical bugs.

Presented at Still Hacking Anyway (SHA2017), Aug. 5, 2017, 8:50 p.m. (60 minutes)

A bug in Gstreamer could be used to own a Linux Desktop system. TCPDump released a security update fixing 42 CVEs. We have far too many security critical bugs in the free and open source software stack. But we have powerful tools to find them - we just have to use them. #Software #DeviceSecurity #Sharing In 2014 the speaker started the Fuzzing Project. This was motivated by the fact that for many free and open source software tools it's trivial to find memory corruption bugs with fuzzing tools. Fuzzing is the idea of testing software by feeding it with malformed inputs. Modern coverage-based fuzzing tools like american fuzzy lop and libfuzzer are vastly more powerful than previous approaches. Combined with compiler features like address sanitizer they give us powerful ways to improve the security of our software.

Presenters:

• Hanno
  I'm a freelance journalist and hacker. I regularly write for the German IT news magazine Golem.de and for the monthly Bulletproof TLS Newsletter. I run the Fuzzing Project, which is an effort to use fuzzing to improve the security of free and open source software. This effort is funded by the Linux Foundation's Core Infrastructure Initiative.

Links:

• https://program.sha2017.org/events/148.html

Similar Presentations:

• Diana Initiative 2022 / Fuzzing: A Must Have in Your Bug Hunting Arsenal
• BruCON 0x0A (2018) / Finding security vulnerabilities with modern fuzzing techniques (Short Version) Workshop
• BruCON 0x0A (2018) / Finding security vulnerabilities with modern fuzzing techniques Workshop