Using Next Generation Fuzzing Tools: Fixing Bugs and Writing Memory Corruption Exploits

The process of fuzzing has changed, from mutation, to frameworks, to the constraint solving (CS) and genetic algorithms (GA) of today. While pre-written suites and custom one-offs can be great, GAs (AFL/Clusterfuzz) and CS (Sage/MSRD) often do best - and we'll drop serious vulns in this talk to prove it. These tools are paired best with scale - fuzzing-as-a-service (FaaS). It's time to expose your code before attackers do. But it's still not a perfectly simple endeavor. We will explain harnesses, how to pick seeds, which portions of the app to target, CI/CD integration, and much more. We'll look at an exciting new DAST tool: microsoftsecurityriskdetection.com. From there we'll teach you how to turn the bugs into fixes, or exploits. Excitingly, you'll learn how to write 0day from results.

Presented by