Explore the world of fuzzing in software development through this informative conference talk. Learn about this powerful automated vulnerability and bug-finding technique that has gained significant popularity in recent years. Discover essential tools and techniques used to secure hundreds of open source projects, including libFuzzer, AFL++, ClusterFuzz, and ClusterFuzzLite. Gain insights into OSS-Fuzz, a free service that has uncovered 40,000 bugs in critical open source projects, and Syzkaller and Syzbot for kernel fuzzing. Understand the evolution of fuzzing from early days to modern unittest-style approaches, and learn about sanitizers, non-C++ bugs, and coverage reports. Get practical advice on implementing a ClusterFuzz-style workflow, running full-scale infrastructure, and integrating fuzzing into your build process. By the end of this 39-minute talk, acquire the knowledge needed to enhance the security of your applications and dependencies using this essential testing technique.
Making Fuzzing Part of Your Software Development Lifecycle
Overview
Syllabus
Intro
Who Cares?
What is Fuzzing?
The Early Days
First Generation Fuzzers
Hacker Technique
Good Tests
Unittest-style Fuzzing
Sanitizers
Non-C++ Bugs: Denial of Service
Non-C++ Bugs: Differential Fuzzing
Non-C++ Bugs: Other Vulnerability Classes
Coverage Reports
How To Get a ClusterFuzz Style Workflow
Running Your Own Full Scale Infrastructure
ClusterFuzzLite: Build Integration
Smart Fuzzer Selection
Questions?
Taught by
Linux Foundation
