
FuzzCon Europe 2020




  2. FuzzCon Europe 2020
     - 2018: Started as a meetup
     - 2019: FuzzCon Europe 2019 - What’s all the Fuzz About?
     - 2020: FuzzCon Europe 2020 - Fuzz Your Software

  3. Code Intelligence: Hosting FuzzCon Europe 2020
     - Sergej Dechand, CEO & Co-Founder, Code Intelligence
     - Background: Usable Security
     - Vision: Easier access to modern software testing techniques for everyone
     - www.code-intelligence.com

  4. Code Intelligence Team

  5. What is Fuzzing?
     1. Oh yes, I heard about fuzzy logic in university
     2. Just testing with random inputs
     3. I want to use fuzzing ASAP

  6. Participants of FuzzCon Europe

  7. Evolution of Software Testing
     - Manual testing
       - Techniques: Code reviews, manual checks & exploitations
       - Advantage: Finds deep bugs
       - Disadvantage: Time-consuming, needs experts to conduct
     - Static analysis
       - Techniques: Pattern search: CFG, DDG
       - Advantage: Works without running
       - Disadvantage: Finds too much or nothing at all
     - Modern Fuzzing
       - Techniques: Coverage-guided fuzzing
       - Advantages: Finds lots of bugs! (Almost) no false positives

  8. Fuzz Testing in Security Research
     - Automated Software Testing is an almost solved problem: Fuzzing + Symbolic Code Execution
     - "Ain’t nobody got time for that"

  9. Fuzzing in Large Scale: Tech Leaders find 80 % of their bugs with FUZZING. 1 800 11 687 19 789 16 108 5 200

  10. Early Random Testing (1960s). Diagram: Random Punch Cards, System under Test

  11. Fuzz it like it’s 89 (1989). Diagram: Random Inputs, Fuzzer, System under Test

  12. Unit Testing and Dumb Fuzzing. Diagram: Random Mutations, Image Parser, Data from Unit Tests

  13. Modern Fuzzing: Using Instrumentation for a Feedback Loop
      - Feedback: coverage information, executed paths, program states
      - Diagram: Smart Mutations, 0x(FF D8 FF DB) 0, Instrumented Image Parser


  15. Human Aspects
      - Developer Acceptance
        - Developer acceptance when setting up the first time
        - Not all bugs are equal
        - NIH
      - Learning Curve
        - How to deal with new technology
        - Understand new concepts


  17. Development Processes / Corporate Aspects
      - Scalable fuzzing infrastructure finding security and stability issues in software
      - Google uses ClusterFuzz to fuzz the Chrome Browser / OSS-Fuzz
      - "Unit Tests? We can’t do that here!"


  19. Structure Awareness

  20. Structure Awareness

  21. Further Issues to do “Deep Fuzzing”

  22. Further Issues to do “Deep Fuzzing”

  23. Web Applications: Most-Common Use Cases
      - Web Services
        - REST + URL-Encoded
        - Protobuf
      - OWASP Top 10
        - Black-box approaches (OWASP Zap, etc.)
        - Guided fuzzing just starting for Java etc.

  24. Structure Awareness

  25. Fuzzing in the Industry
      - “With Code Intelligence, securing your software can take new paths in terms of quality and efficiency.” Thomas Tschersich // Chief Security Officer // Deutsche Telekom AG
      - “Code Intelligence enables us to easily integrate alternative automated approaches to ensure quality.” Helge Harren // SVP Application Development Trading // Deutsche Börse AG
      - “Such software security testing approaches have uncovered vulnerabilities in open source projects.” Rakshith Amarnath // Project Lead // Bosch Corporate Research
      - and more

  26. Conclusion
      1. Fuzzing superior
      2. Gets traction in practice
      3. Today: Talks from fuzzing experts tackling challenges

      “With the Open Bosch Award, we honor the best startup collaboration worldwide.” - Dr. Michael Bolle, CTO Bosch
