How to FAIL at Fuzzing

Presented at Kiwicon 4: The four e:Sheep-persons of the Cyber Infopocalypse (2010), Nov. 27, 2010, 5:30 p.m. (45 minutes)

How many fuzzing presentations have you seen that more or less go 'omg i am awesome, and so is my awesome framework'? I've seen a lot - hell I've GIVEN some. So screw all that - this time I want to bring out the dirty laundry. Here, in all their glory, are my most fantastic fuckups, my most epic errors, my most laughable lessons learned - mistakes I have made so that you don't have to. This talk is not about code, or specific fuzzing tools - it's about wrong approaches, misconceptions, oversights and things that 'should work in theory'. Point, laugh, drink beer, maybe learn something - what's not to love?


Presenters:

  • Ben Nagy
    Nagy is a senior security researcher with COSEINC, currently working from Kathmandu, Nepal - braving power cuts, wild dog packs and amusing diseases such as typhoid and cholera. For almost two years, he has been exploring ways to improve fuzzing scalability, especially against complex, closed source targets like Windows and Office, and has been credited (inordinately) with 'pioneering' industrial fuzzing. Ben has spoken at quite a few conferences around the world, mainly for the free beer. Except the one in Pakistan. That one had great kebab, though.
