Writing a Fuzzer for Any Language with American Fuzzy Lop

ShmooCon XV - 2019

Presented by: Ariel Zelivansky
Date: Saturday January 19, 2019
Time: 10:00 - 10:50
Location: Build It Room
Track: Build It

American fuzzy lop (afl) is one of the most prominent tools used for fuzz testing nowadays. Many critical security issues found in widespread programs are attributed to afl.

For efficient fuzzing, afl requires compiling source code, to which it adds its instrumentation bits. This requires code that gcc or clang can compile, generally C/C++ code. It is possible, however, to hack afl into fuzzing any code or language, even interpreted languages such as Python or Ruby.

In the talk we will dive into the internals of afl and walk through the steps needed to write an afl interface to fuzz any programming language. The Ruby language will be used as an example, based on my work on Kisaten (https://github.com/zelivans/kisaten), a Ruby fuzzing tool which is responsible for finding various bugs in Ruby gems and the Ruby standard library.

Ariel Zelivansky

Ariel Zelivansky is a security researcher and the head of Twistlock’s research team (https://www.twistlock.com/labs), dealing with hacking and securing anything related to containers.

