Version SHA2017 20170620
lecture: Improving security with Fuzzing and Sanitizers
Free and open source software has far too many security-critical bugs.
A bug in GStreamer could be used to own a Linux desktop system. The tcpdump project released a security update fixing 42 CVEs. We have far too many security-critical bugs in the free and open source software stack. But we have powerful tools to find them - we just have to use them.
In 2014 the speaker started the Fuzzing Project. This was motivated by the fact that for many free and open source software tools it is trivial to find memory corruption bugs with fuzzing tools.
Fuzzing is the idea of testing software by feeding it malformed inputs. Modern coverage-based fuzzing tools like american fuzzy lop (AFL) and libFuzzer are vastly more powerful than previous approaches. Combined with compiler features like AddressSanitizer, they give us powerful ways to improve the security of our software.
Start time: 20:50
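An added example (not material from the talk) of what combining a coverage-guided fuzzer with AddressSanitizer looks like in practice: a libFuzzer harness around a small parser. The record format, `parse_record` and `NAME_MAX_LEN` are constructed for illustration.

```c
/* Build for fuzzing (assumes clang with libFuzzer and the file name parser.c):
 *   clang -g -O1 -fsanitize=fuzzer,address parser.c -o parser_fuzz
 */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 16

struct record {
    uint8_t type;
    uint8_t name_len;
    char    name[NAME_MAX_LEN];
};

/* Parse one constructed record: [type:1][len:1][name:len].
 * Returns 0 on success, -1 on malformed input. */
int parse_record(const uint8_t *data, size_t size, struct record *out)
{
    if (size < 2)
        return -1;                  /* header truncated */
    uint8_t len = data[1];
    /* Without this check memcpy writes past out->name. A fuzzer reaches
     * that input quickly and ASan reports the out-of-bounds write. */
    if (len > NAME_MAX_LEN)
        return -1;
    /* Without this check memcpy reads past the input buffer. Such an
     * over-read often does not crash on its own; ASan makes it visible. */
    if ((size_t)len > size - 2)
        return -1;
    out->type = data[0];
    out->name_len = len;
    memcpy(out->name, data + 2, len);
    return 0;
}

/* libFuzzer entry point: called once for every generated input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct record rec;
    if (parse_record(data, size, &rec) == 0 && rec.name_len > NAME_MAX_LEN)
        abort();                    /* invariant broken: the fuzzer saves the input */
    return 0;
}
```
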