This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
Here’s the schedule for this year. Registering here does not count. You MUST register to attend any of these. You may register here: https://www.bsidesslc.org/registration.html

You cannot manually add workshops to your schedule. You need to go register for them at https://www.bsidesslc.org/signup.html, and then the workshp will be added to your schedule.
View analytic
Thursday, March 9 • 4:30pm - 5:30pm
The Aftermath of a Fuzz Run: What to do about those crashes?
Feedback form is now closed.
Fuzzing is a highly effective means of finding security vulnerabilities - new, easy to use and highly effective fuzzers such as American Fuzzy Lop and libFuzzer have driven its increased popularity. Once a fuzz run has found cases that crash the target application, each must be reduced, triaged and the root cause found to enable a fix. In this presentation, David Moore will describe tools, tactics and techniques for performing post fuzz run analysis on the resulting crashes with the goal of fixing the vulnerabilities.
 The first section of the talk will introduce/review fuzz testing and memory corruption bugs. Then a complete crash triage/root cause analysis workflow will be outlined including the use of corpus and test case minimizers, debuggers and reverse debuggers and automated memory analysis and crash triage tools such as Valgrind memcheck, Crashwalk, and Address Sanitizer. Finally, examples of memory corruption bugs of varying degrees of exploitability will be presented.
 This talk is suitable for anyone with some C programming experience and an interest in using fuzzers to find security vulnerabilities. Attendees will learn how to effectively analyze, triage and fix crashing cases.


David Moore

CEO, Fuzz Stati0n
David Moore is founder and CEO of Fuzz Stati0n. He has been involved in software development and security for the past 20 years, working with NeXT, Apple, Weblogic and Azul Systems. David's trophy case includes public recognition from Google, Twitter, Netflix, Linux, Ruby, Python, and PHP. Fuzz Stati0n was founded to improve security for everyone. David has extensive speaking experience giving technical presentations and training to... Read More →

Thursday March 9, 2017 4:30pm - 5:30pm
Track 1 Salt Palace Convention Center

Attendees (24)

Twitter Feed