Lingolol

danzinAnother tidbit from the report I'm writing about <a href="https://mastodon.social/tags/fusil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fusil</a>:The 52 issues filled correspond roughly to 30% of all the crashes (issues with "type-crash" label) and 2% of all issues (features requests, bugs and invalid issues) reported in the <a href="https://mastodon.social/tags/CPython" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CPython</a> issue tracker during the six months period covered by the report.Hits and new issues don't appear at a steady pace. It seems that there are long periods of no or nearly no new issues, followed by rapid finding of new results.<a href="https://mastodon.social/tags/fuzzing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fuzzing</a> <a href="https://mastodon.social/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a>

danzin<a href="https://mastodon.social/tags/Fusil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Fusil</a> works by generating source files with random calls, using interesting arguments, then monitoring their execution and output. It usually finds crashes resulting from the processing of invalid objects and unexpected call patterns.Fusil was created by <a href="https://mamot.fr/@vstinner" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@vstinner</a>.Features added by me include running generated code in parallel threads, testing class instances in addition to classes and functions, and using new interesting objects/values as inputs.<a href="https://github.com/issues/created?q=is%3Aissue%20author%3Adevdanzin%20-repo%3Adevdanzin%2Ffusil%20fusil%20%20sort%3Acreated-asc" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/issues/created?q=is%3Aissue%20author%3Adevdanzin%20-repo%3Adevdanzin%2Ffusil%20fusil%20%20sort%3Acreated-asc</a><a href="https://mastodon.social/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a> <a href="https://mastodon.social/tags/fuzzing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fuzzing</a>

danzinWriting about <a href="https://mastodon.social/tags/fusil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fusil</a>. Some bits:Fuzzing <a href="https://mastodon.social/tags/CPython" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CPython</a> with fusil shows it to be a valuable tool for finding and fixing crashers. It started in October 2024 and is ongoing, using free tier cloud instances and personal computers.Results: - Fuzzing time: > 25.000 hours - Fuzzing sessions: > 1.000.000 - Hits: > 50.000 - Issues filled: 52The original design of fusil makes it well-suited for fuzzing CPython, finding both deep, relevant bugs as well as shallow, low value crashes.<a href="https://mastodon.social/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a> <a href="https://mastodon.social/tags/fuzzing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fuzzing</a>

Stefano ZacchiroliMy colleagues at CEA in <a href="https://mastodon.xyz/tags/Paris" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Paris</a>, France, are hiring a 2-year <a href="https://mastodon.xyz/tags/postdoc" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#postdoc</a> to work on the joint research project <a href="https://mastodon.xyz/tags/SECUBIC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SECUBIC</a> about <a href="https://mastodon.xyz/tags/fuzzing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fuzzing</a> binaries to identify <a href="https://mastodon.xyz/tags/backdoors" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#backdoors</a>. (See this recently joint work at <a href="https://mastodon.xyz/tags/ICSE2025" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ICSE2025</a> for previous results: <a href="https://upsilon.cc/~zack/research/publications/icse-2025-rosa-fuzzing.pdf" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://upsilon.cc/~zack/research/publications/icse-2025-rosa-fuzzing.pdf</a> )If you're interested, or know interested candidates, head to: <a href="https://secubic-ptcc.github.io/jobs/open/2025/04/02/postdoc-supply-chain-binary-fuzzing.html" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://secubic-ptcc.github.io/jobs/open/2025/04/02/postdoc-supply-chain-binary-fuzzing.html</a> for details.<a href="https://mastodon.xyz/tags/getfedihired" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#getfedihired</a>

danzinDo you maintain or contribute to a <a href="https://mastodon.social/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a> package that includes a C extension? Would you like to run a fuzzer against it?If so, let me know and I will run it, or help you to get it running. The fuzzer is <a href="https://mastodon.social/tags/fusil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fusil</a>, which generates random code calling into your functions and methods. It's useful to check for crashes on invalid inputs or unexpected call patterns.It has found about 50 crashes in <a href="https://mastodon.social/tags/CPython" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CPython</a>, 20 in <a href="https://mastodon.social/tags/PyPy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PyPy</a>, 6 in <a href="https://mastodon.social/tags/Numpy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Numpy</a> etc.<a href="https://mastodon.social/tags/fuzzing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fuzzing</a> <a href="https://mastodon.social/tags/fuzzer" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fuzzer</a> <a href="https://mastodon.social/tags/testing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#testing</a> See here: <a href="https://github.com/devdanzin/fusil/issues/37" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/devdanzin/fusil/issues/37</a>

Karol MazurekHow a simple <a href="https://infosec.exchange/tags/fuzzing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fuzzing</a> payload bypassed entitlement check and triggered a <a href="https://infosec.exchange/tags/kernel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#kernel</a> panic on <a href="https://infosec.exchange/tags/macOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#macOS</a> in the IOMobileFramebuffer driver. Patched in 15.4. Enjoy!<a href="https://afine.com/case-study-iomobileframebuffer-null-pointer-dereference/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://afine.com/case-study-iomobileframebuffer-null-pointer-dereference/</a><a href="https://infosec.exchange/tags/RE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RE</a>, <a href="https://infosec.exchange/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Vulnerability</a> <a href="https://infosec.exchange/tags/Research" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Research</a> <a href="https://infosec.exchange/tags/PoC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PoC</a>

Karol Mazurek🚀 New blog post! 🚀Deep dive into a <a href="https://infosec.exchange/tags/macOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#macOS</a> IONVMeFamily <a href="https://infosec.exchange/tags/driver" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#driver</a> Denial of Service issue! It is not a security risk but a great case study for macOS driver analysis.🕵️‍♂️Enjoy! <a href="https://infosec.exchange/tags/RE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RE</a> <a href="https://infosec.exchange/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Vulnerability</a> <a href="https://infosec.exchange/tags/Research" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Research</a> <a href="https://infosec.exchange/tags/Kernel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Kernel</a> <a href="https://infosec.exchange/tags/Fuzzing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Fuzzing</a> <a href="https://infosec.exchange/tags/PoC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PoC</a><a href="https://afine.com/case-study-analyzing-macos-ionvmefamily-driver-denial-of-service-issue/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://afine.com/case-study-analyzing-macos-ionvmefamily-driver-denial-of-service-issue/</a>

danzinWe're up to 30 <a href="https://mastodon.social/tags/CPython" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CPython</a> crashers found using <a href="https://mastodon.social/tags/Fusil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Fusil</a> this year, about 90% of them considered valid.In 2008, I had reported 5 cases using the same <a href="https://mastodon.social/tags/fuzzer" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fuzzer</a>, 4 of which were release blockers.<a href="https://mamot.fr/@vstinner" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@vstinner</a>, Fusil's creator, also reported a bunch of issues with it.After running for a while (on free AWS and Oracle cloud tiers), crash hits are getting harder to find.We need new fuzzing inputs. Feel free to suggest improvements that could find new crashers.<a href="https://github.com/devdanzin/fusil" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/devdanzin/fusil</a> <a href="https://mastodon.social/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a> <a href="https://mastodon.social/tags/Fuzzing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Fuzzing</a>

postmodernTIL there is an actual RFC for URL template syntax. Every web fuzzing tool should be using RFC 6570 instead of whatever bespoke syntax they came up with (looking at you wfuzz). <a href="https://datatracker.ietf.org/doc/html/rfc6570" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://datatracker.ietf.org/doc/html/rfc6570</a><a href="https://infosec.exchange/tags/rfc6570" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#rfc6570</a> <a href="https://infosec.exchange/tags/fuzzing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fuzzing</a>

Marcel WaldvogelAch ja: Kurzversion der Erkenntnisse und Versprechungen von <a href="https://waldvogel.family/tags/CrowdStrike" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CrowdStrike</a>: 1️⃣ Wir (das Internet und DNIP) lagen erstaunlich gut bei der Analyse der Ursachen 2️⃣ Sie setzen Etliches von dem um, was mein Artikel fordert: Bessere Tests (inkl. <a href="https://waldvogel.family/tags/Fuzzing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Fuzzing</a>) von Software, gründlichere Validierung der Daten beim Laden sowie <a href="https://waldvogel.family/tags/StagedRollout" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#StagedRollout</a> (vom Kunden zu steuern; mit Feedback)Aktuelle Kunden, die bei CrowdStrike bleiben wollen (und potenzielle Neukunden) sollten das aber überprüfen. <a href="https://dnip.ch/2024/07/23/zweites-crowdstrike-verhindern/#pir" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://dnip.ch/2024/07/23/zweites-crowdstrike-verhindern/#pir</a>

0xor0neIntroduction to crafting custom fuzzers with LibAFL<a href="https://www.atredis.com/blog/2023/12/4/a-libafl-introductory-workshop" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.atredis.com/blog/2023/12/4/a-libafl-introductory-workshop</a>Credits Jordan Whitehead<a href="https://infosec.exchange/tags/fuzzing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fuzzing</a>

pearlHello everyone :)Since it seems to be a requirement, here is my <a href="https://infosec.exchange/tags/introduction" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#introduction</a> for anyone willing to follow a full-time lurker o_o - I do <a href="https://infosec.exchange/tags/fuzzing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fuzzing</a> research, and this will make up most of what I post here - I live in Germany Please do not follow if you cannot be kind :) I will likely mistype things or be overly passionate sometimes ._.

Yee Ching :verified:Together with Matheus Garbelini, <a href="https://mastodon.social/@sudiptac" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@sudiptac</a> will present <a href="https://infosec.exchange/tags/5Ghoul" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#5Ghoul</a> (<a href="https://github.com/asset-group/5ghoul-5g-nr-attacks" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/asset-group/5ghoul-5g-nr-attacks</a>) at <a href="https://infosec.exchange/tags/DEFCON32" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DEFCON32</a> demo labs. Over a two-hour session, join them to see the capability of 5G NR fuzzing tool and live over-the-air attacks on 5G smartphones. <a href="https://infosec.exchange/tags/5G" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#5G</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/wireless" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#wireless</a> <a href="https://infosec.exchange/tags/fuzzing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fuzzing</a> <a href="https://infosec.exchange/tags/SUTD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SUTD</a> <a href="https://infosec.exchange/tags/ASSETGroup" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ASSETGroup</a>

buheratorA Bug Hunter’s Reflections on Fuzzing by <a class="u-url mention" href="https://infosec.exchange/@a13xp0p0v" rel="nofollow noopener noreferrer" target="_blank">@a13xp0p0v</a> <a href="https://a13xp0p0v.github.io/img/Alexander_Popov-Reflections_on_Fuzzing.pdf" rel="nofollow noopener noreferrer" target="_blank">https://a13xp0p0v.github.io/img/Alexander_Popov-Reflections_on_Fuzzing.pdf</a> <a class="hashtag" href="https://infosec.place/tag/fuzzing" rel="nofollow noopener noreferrer" target="_blank">#Fuzzing</a>

Gamozo's Streaming PalaceGamozo is streaming!Tibia formula reverse engineering with high-perf wayland screen capture<a class="hashtag" href="https://directory.owncast.online/tags/fuzzing" rel="nofollow noopener noreferrer" target="_blank">#fuzzing</a> <a class="hashtag" href="https://directory.owncast.online/tags/hacking" rel="nofollow noopener noreferrer" target="_blank">#hacking</a> <a class="hashtag" href="https://directory.owncast.online/tags/osdev" rel="nofollow noopener noreferrer" target="_blank">#osdev</a> <a class="hashtag" href="https://directory.owncast.online/tags/programming" rel="nofollow noopener noreferrer" target="_blank">#programming</a> <a class="hashtag" href="https://directory.owncast.online/tags/rust" rel="nofollow noopener noreferrer" target="_blank">#rust</a> <a class="hashtag" href="https://directory.owncast.online/tags/rant" rel="nofollow noopener noreferrer" target="_blank">#rant</a><a href="https://stream.bfa.lk" rel="nofollow noopener noreferrer" target="_blank">https://stream.bfa.lk</a>

Gamozo's Streaming PalaceGamozo is streaming!Tibia formula reversing through screen scraping<a class="hashtag" href="https://directory.owncast.online/tags/fuzzing" rel="nofollow noopener noreferrer" target="_blank">#fuzzing</a> <a class="hashtag" href="https://directory.owncast.online/tags/hacking" rel="nofollow noopener noreferrer" target="_blank">#hacking</a> <a class="hashtag" href="https://directory.owncast.online/tags/osdev" rel="nofollow noopener noreferrer" target="_blank">#osdev</a> <a class="hashtag" href="https://directory.owncast.online/tags/programming" rel="nofollow noopener noreferrer" target="_blank">#programming</a> <a class="hashtag" href="https://directory.owncast.online/tags/rust" rel="nofollow noopener noreferrer" target="_blank">#rust</a> <a class="hashtag" href="https://directory.owncast.online/tags/rant" rel="nofollow noopener noreferrer" target="_blank">#rant</a><a href="https://stream.bfa.lk" rel="nofollow noopener noreferrer" target="_blank">https://stream.bfa.lk</a>

matthiaskrgr<a href="https://chaos.social/tags/fuzzing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fuzzing</a> is great because it combines the thrill of mining cryptocurrency with the chance of actually finding something useful.

Hans-Christoph Steiner"This bug also shows that we have an over-reliance on <a href="https://social.librem.one/tags/fuzzing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fuzzing</a> for security assurance of complex parser code. Fuzzing is great, but we know that there are many serious security issues that aren't easy to fuzz. For sensitive attack surfaces like image decoding (zero-click remote <a href="https://social.librem.one/tags/exploit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#exploit</a> attack surface), there needs to 1) be a bigger investment in proactive source code reviews, and 2) a renewed focus on ensuring these parsers are adequately sandboxed." <a href="https://blog.isosceles.com/the-webp-0day/" rel="nofollow noopener noreferrer" target="_blank">https://blog.isosceles.com/the-webp-0day/</a> <a href="https://social.librem.one/tags/libwebp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#libwebp</a> <a href="https://social.librem.one/tags/WebP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WebP</a>

Federico Mena QuinteroAre you a <a href="https://mstdn.mx/tags/rustlang" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#rustlang</a> <a href="https://mstdn.mx/tags/fuzzing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fuzzing</a> nerd? Would you be able to help with fuzzing librsvg?<a href="https://gitlab.gnome.org/GNOME/librsvg/-/issues/1018" rel="nofollow noopener noreferrer" target="_blank">https://gitlab.gnome.org/GNOME/librsvg/-/issues/1018</a> has a bunch of tasks that I'd love for someone to explore.

hardik05I will be giving two days training on fuzzing on 14-15th august at <a href="https://defcon.social/@defcon" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@defcon</a>, register now: <a href="https://training.defcon.org/products/hardik-shah-mastering-fuzzing-a-comprehensive-training-on-identifying-vulnerabilities-in-software" rel="nofollow noopener noreferrer" target="_blank">https://training.defcon.org/products/hardik-shah-mastering-fuzzing-a-comprehensive-training-on-identifying-vulnerabilities-in-software</a> <a href="https://infosec.exchange/tags/defcon" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#defcon</a> <a href="https://infosec.exchange/tags/fuzzing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fuzzing</a> <a href="https://infosec.exchange/tags/training" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#training</a>

Recent searches

Search options

Administered by:

Server stats:

#fuzzing