Fuzzing for Security and Stability
Strap on your boots, because on March 21st, 2017 at 1:00 PM ET, eLearnSecurity is taking you hunting in our latest webinar. This time, we’re bringing you a live demonstration of a real-world vulnerability hunt, where we’ll see how a fuzzing test could have identified the infamous Heartbleed bug and prevented the havoc it caused.
To make the hunt more thrilling, we got Konstantin Serebryany, a software engineer from this company called Google(!!!), to join us and reveal how they do things over at the Googleplex.
What’s the fuss over Fuzzing?
Fuzz testing – or fuzzing – is a widely used testing technique in which a tester feeds a program invalid, unexpected, or random input in order to uncover programming defects, some of which (memory-safety bugs in particular) have grave security implications. Classic fuzzing is black-box; modern fuzzers such as libFuzzer are coverage-guided, using compiler instrumentation to steer input mutations toward code that has not yet been exercised.
While writing a fuzzer may seem relatively easy, programs with complex, structured inputs usually require much more work – a fuzz target that understands the input format, or a corpus of valid seed inputs – before a substantial amount of their code is actually reached.
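The Heartbleed bug was a missing check that a heartbeat record’s declared payload length actually fit inside the bytes received, so the response was built from memory past the end of the request. The following is an added example, not code from the webinar, from OpenSSL or from OSS-Fuzz: a constructed record format with the same length-field pattern, written once with the missing check and once with it, wrapped in a libFuzzer target. The record layout (type byte, two-byte big-endian length, payload) and the names `heartbeat_copy_vulnerable`, `heartbeat_copy_fixed` and `FUZZ_VULNERABLE` are assumptions made for this example.

```c
/* Added example (not from the webinar, OpenSSL or OSS-Fuzz): a Heartbleed-style
 * length-field parser written as a libFuzzer target.  The record format is
 * constructed for this example and is not the real TLS heartbeat layout:
 *   byte 0 = type, bytes 1-2 = big-endian payload length, then the payload. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_HEADER_LEN 3

/* Vulnerable variant: trusts the declared payload length, exactly the pattern
 * behind Heartbleed.  Returns the number of payload bytes copied into out, or
 * -1 if the header is missing or out is too small. */
int heartbeat_copy_vulnerable(const uint8_t *rec, size_t len,
                              uint8_t *out, size_t out_cap)
{
    if (len < HB_HEADER_LEN)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len > out_cap)
        return -1;
    /* BUG: nothing compares payload_len with the bytes actually received, so a
     * record that declares more than it carries makes memcpy read past the end
     * of rec.  Under AddressSanitizer this shows up as a heap-buffer-overflow
     * read. */
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return (int)payload_len;
}

/* Fixed variant: the declared length must fit inside the received record. */
int heartbeat_copy_fixed(const uint8_t *rec, size_t len,
                         uint8_t *out, size_t out_cap)
{
    if (len < HB_HEADER_LEN)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len > len - HB_HEADER_LEN)   /* the check Heartbleed lacked */
        return -1;
    if (payload_len > out_cap)
        return -1;
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return (int)payload_len;
}

/* libFuzzer entry point.  libFuzzer passes each generated input in a heap
 * buffer of exactly `size` bytes, so the first input whose declared length
 * exceeds the record it sits in makes the vulnerable variant read out of
 * bounds, and ASan aborts with a report and a reproducer file. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    uint8_t out[65535];   /* large enough for any 16-bit declared length */
#ifdef FUZZ_VULNERABLE
    heartbeat_copy_vulnerable(data, size, out, sizeof out);
#else
    heartbeat_copy_fixed(data, size, out, sizeof out);
#endif
    return 0;
}
```

Build the target with `clang -g -O1 -fsanitize=fuzzer,address heartbeat_fuzz.c -o heartbeat_fuzz` (add `-DFUZZ_VULNERABLE` to fuzz the unchecked variant) and run `./heartbeat_fuzz`. The fixed variant runs indefinitely without a finding; the vulnerable one is stopped by ASan as soon as the fuzzer produces a short record with a large length field, which is the kind of input a coverage-guided fuzzer reaches quickly because the length bytes directly influence which branches are taken.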
In December 2016, Google launched the beta of its open-source fuzzing service, OSS-Fuzz. Its stated goal: “to make common software infrastructure more secure and stable by combining modern fuzzing techniques with scalable distributed execution.”
Already used by Google to keep its Chrome browser secure, OSS-Fuzz now also lets open-source developers who have no thousand-core servers of their own get their software fuzzed continuously and track down the bugs that can lead to breaches – for free.
Konstantin Serebryany, or Kostya, is a Software Engineer at Google. Along with his MS, he holds a PhD from the Moscow State University of Economics, Statistics, and Informatics.
In Mountain View, CA, he and his team work on dynamic program analysis and are responsible for the development of the AddressSanitizer, ThreadSanitizer, and libFuzzer testing tools. Currently, Kostya leads the OSS-Fuzz project.