Fuzzing tools are frequently seen in big-name conferences, attached to big-name hacks and big-name hackers. Fuzzers are an incredibly useful offensive tool, and equally critical for a defensive player. But anyone who has tried to use these big-name fuzzers to secure their own software has seen how ineffective they can be. The fuzzing world is plagued with over-hyped and under-developed fuzzers that will suck the life out of anyone who dares try to sort through their waterlogged codebase. Meanwhile, commercial players stand by ready to support big businesses, but not open source. Commercial fuzzers may be good business, and their existence is a boon for the industry, but they are not sufficient for widespread security. They keep the power of fuzzing locked up for those willing to pay big bucks. And the closed source nature stamps out community, leaving each business to develop their own practices. In this talk, Joshua will provide a practical perspective on fuzzing, explore the hurdles confronting current open source tools and pave a path forward. Attendees will also receive an introduction to DIY fuzzers using modern frameworks.
Joshua Pereyda (Twitter: @jtpereyda) is a software engineer specializing in information and network security. He currently works in the critical infrastructure industry with employers heavily invested in software and hardware security. Among his passions are hacking, teaching kids to program, Netflix with his wife, and figuring out how he can get paid to do it all --legally. Joshua is the maintainer of boofuzz, a fork of the renowned Sulley fuzzing framework. He has a hole in his heart to pour into the open source hacking community.