
Fabian is a Software Engineer at Code Intelligence, where he develops fuzzing technologies with a special focus on memory-safe languages and OSS security. He led the efforts to open-source the Java fuzzer Jazzer and has since been its lead maintainer. He is also an avid contributor to other open-source projects such as Bazel, Chromium, and the Android Password Store. A mathematician by education, he always enjoys speaking at conferences and workshops.

Twitter: @fhenneke

01.09.2022

Hands-On Introduction to Fuzzing Java

Workshop

LOCATION: Zürich
KEYWORDS: Hands-On, Lessons learned, Tools

AGENDA: 18:00 - 21:00h: Workshop - Drinks & snacks provided.

SPEAKER: Fabian Meumertzheim
COMPANY: Code Intelligence
SLIDES: 220901_JUG.ch_Fuzzing-Workshop.pdf

A fuzzer is a tool that rapidly feeds generated data into a specified entrypoint of an application or library with the aim of triggering bugs and security issues. Large tech companies such as Microsoft and Google are relying on fuzzers more and more to automate finding security issues in their software. In 2019, Google found the majority of potential security issues in Chromium via fuzzing - over 18,000 bugs in total.

The aim of this workshop is to enable you to use fuzzing as a technique to test Java applications and libraries for bugs and vulnerabilities. After an introduction to the basic concepts of fuzzing, we will study real-world findings of the open-source Java fuzzer Jazzer in, among other projects, Google Protobuf, Apache Compress, and the OWASP JSON sanitizer.

Afterwards, we will gain hands-on experience with "fuzz tests", which are essentially parameterized unit tests with inputs generated automatically by the fuzzer. The first examples don't even require writing any code, but we will also go over more sophisticated approaches that can uncover deeper logic bugs and vulnerabilities.

The final part of the workshop will be held in "Bring Your Own Library" style: Attendees are encouraged to suggest open-source libraries they care about, among which we will pick some and jointly try to fuzz them. Who knows, maybe we will identify some as-yet-unknown vulnerabilities? Just in case, the workshop will also cover the basics of ethical disclosure.

LEVEL OF TALK: Intermediate
LANGUAGE: Talk: en / Slides: en




LEVELS:

BEGINNER
The presented topic is new to the audience, or the audience has only little and superficial experience with it. This talk will mainly cover basic aspects of the topic and not go into much detail.

INTERMEDIATE
The presented topic is known to the audience; serious practical experience is expected. This talk might cover some basic aspects of the topic, but will also go into depth and detail.

ADVANCED
The presented topic is well-known to the audience, serious practical experience and a deep understanding are required. This talk will not cover basics of the topic, but will go into depth, might discuss details, compare different approaches, and so on.

ALL
The topic presented is of interest to all levels and does not require any special prior knowledge.
