Writing a Fuzzer for Any Language with American Fuzzy Lop

Presented at ShmooCon XV (2019), Jan. 19, 2019, 10 a.m. (60 minutes).

American fuzzy lop (afl) is one of the most prominent tools used for fuzz testing nowadays. Many critical security issues found in widespread programs are attributed to afl.

For efficient fuzzing afl requires compiling source code, to which it adds its instrumentation bits. This requires code that gcc or clang can compile, generally C/C++ code. It is possible, however, to hack afl into fuzzing any code or language, even interpreted languages such as Python or Ruby.

In the talk we will dive into the internals of afl and walk through the steps needed to write an afl interface to fuzz any programming language. The Ruby language will be used as an example, based on my work on Kisaten (https://github.com/zelivans/kisaten), a ruby fuzzing tool which is responsible for the findings of various bugs in ruby gems and the ruby standard library.


Presenters:

  • Ariel Zelivansky
    Ariel Zelivansky is a security researcher and the head of Twistlock’s research team (https://www.twistlock.com/labs), dealing with hacking and securing anything related to containers.

Links:

Similar Presentations: