Fuzzing Farm Monoculture Antipatterns – Are We Finding The Same Bugs?
Date: 15th Oct – Tuesday
Time: 11:30-12:30
Location: Ballroom A
AFL is a great tool; it has allowed researchers to discover a wide range of important bugs, so the merits of AFL are not up for debate here. Still, AFL also benefited from importing ideas from formerly standalone fuzzing tools. Exchanging and evolving ideas between different tools is generally a good thing. However, AFL invites researchers to move from their own machinery towards AFL, potentially abandoning the evolution of their own tools and stalling innovation. We will show how this emerging monoculture leads to potential blind spots during fuzzing.
To test our hypothesis in practice, we applied dumb fuzzing and smart fuzzing concurrently to major command line tools from the Linux and macOS world (oh, git). With well-chosen input corpora it was possible to find previously unknown security-relevant bugs in these tools. The race is still open: at the time of writing (six weeks before HITB), the dumb fuzzing tools have found more bugs in these tools than AFL. However, this may change by the time we meet in Abu Dhabi, so stay tuned.
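As an added example (not code from the talk, nor from AFL or any tool the talk describes), the following Python harness shows what "dumb fuzzing" of a command-line tool with a chosen input corpus amounts to: pick a seed from the corpus, apply a few random byte-level mutations, run the target, and keep every input that makes the process die with a signal or hang. There is no coverage feedback, which is exactly the contrast with AFL. The target here is a constructed stand-in script that aborts whenever a non-ASCII byte appears, so the loop has something to find offline; the `@@` file-argument convention is borrowed from AFL's command line; all function names and the corpus seeds are this example's own.

```python
# Minimal dumb (mutational, non-coverage-guided) fuzzing harness for
# command-line tools. Added illustration only; not code from the talk.
import os
import random
import signal
import subprocess
import sys
import tempfile

# Signals that mean the target died rather than exited with an error code.
CRASH_SIGNALS = {int(signal.SIGSEGV), int(signal.SIGABRT), int(signal.SIGBUS),
                 int(signal.SIGILL), int(signal.SIGFPE)}

def mutate(data: bytes, rng: random.Random, max_ops: int = 4) -> bytes:
    """Apply 1..max_ops random byte-level mutations to a seed input."""
    buf = bytearray(data) or bytearray(b"\x00")
    for _ in range(rng.randint(1, max_ops)):
        op = rng.randrange(5)
        i = rng.randrange(len(buf))
        if op == 0:                       # flip one bit
            buf[i] ^= 1 << rng.randrange(8)
        elif op == 1:                     # overwrite one byte
            buf[i] = rng.randrange(256)
        elif op == 2:                     # insert a random byte
            buf.insert(i, rng.randrange(256))
        elif op == 3 and len(buf) > 1:    # delete one byte (never empty the input)
            del buf[i]
        else:                             # copy a short chunk to another offset
            j = rng.randrange(len(buf))
            n = rng.randint(1, min(16, len(buf) - max(i, j)))
            buf[i:i + n] = buf[j:j + n]
    return bytes(buf)

def classify(returncode: int) -> str:
    """Map a subprocess return code to 'crash', 'error' or 'ok'."""
    if returncode < 0 and -returncode in CRASH_SIGNALS:
        return "crash"
    return "ok" if returncode == 0 else "error"

def run_one(cmd: list, data: bytes, timeout: float = 10.0) -> tuple:
    """Run the target once. A '@@' argument is replaced by a temp file holding
    the input (AFL's convention); otherwise the input is written to stdin."""
    path = None
    try:
        if "@@" in cmd:
            fd, path = tempfile.mkstemp(prefix="fuzz-")
            with os.fdopen(fd, "wb") as f:
                f.write(data)
            cmd = [path if a == "@@" else a for a in cmd]
            stdin_data = None
        else:
            stdin_data = data
        proc = subprocess.run(cmd, input=stdin_data, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
        return classify(proc.returncode), proc.returncode
    except subprocess.TimeoutExpired:
        return "hang", None
    finally:
        if path:
            os.unlink(path)

def fuzz(cmd: list, corpus: list, iterations: int, seed: int = 0) -> dict:
    """Dumb fuzzing loop: choose a seed, mutate, run, keep crashes and hangs."""
    rng = random.Random(seed)
    stats = {"ok": 0, "error": 0, "crash": 0, "hang": 0}
    findings = []
    for _ in range(iterations):
        mutant = mutate(rng.choice(corpus), rng)
        verdict, rc = run_one(cmd, mutant)
        stats[verdict] += 1
        if verdict in ("crash", "hang"):
            findings.append((verdict, rc, mutant))   # the input that triggered it
    return {"stats": stats, "findings": findings}

# Constructed stand-in target (NOT a real tool): reads stdin and aborts,
# as a memory-safety bug might, whenever a byte >= 0x80 appears.
TARGET_SRC = """import os, sys
data = sys.stdin.buffer.read()
if any(b >= 0x80 for b in data):
    os.abort()
sys.exit(0)
"""

def run_demo(iterations: int = 60, seed: int = 0) -> dict:
    """Fuzz the constructed target with an ASCII-only corpus; return results."""
    fd, target = tempfile.mkstemp(suffix=".py", prefix="target-")
    with os.fdopen(fd, "w") as f:
        f.write(TARGET_SRC)
    try:
        # Constructed seeds shaped like git command lines; any real corpus works.
        corpus = [b"commit -m 'msg'\n", b"log --oneline\n", b"diff HEAD~1\n"]
        return fuzz([sys.executable, target], corpus, iterations, seed)
    finally:
        os.unlink(target)

if __name__ == "__main__":
    result = run_demo()
    print(result["stats"])
    for verdict, rc, data in result["findings"][:5]:
        print(verdict, rc, data)
```

To point the loop at a real tool, replace the constructed target with something like `fuzz(["tool", "--parse", "@@"], corpus, 10000)` and save each finding's bytes to disk for triage; the quality of the seed corpus, as the talk notes, matters far more to this kind of fuzzer than anything in the mutation operators.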
But we are all researchers, and what keeps our minds happy is primarily the bugs, not the history of how they were found. Therefore, to wrap up the talk, about a dozen interesting scenarios will be shown, along with the coding skills that led to them.