Keeping the wolves out of wolfSSL - https://blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-fuzzing-ssh/
The Trail of Bits Blog
Trail of Bits is publicly disclosing four vulnerabilities that affect wolfSSL: CVE-2022-38152, CVE-2022-38153, CVE-2022-39173, and CVE-2022-42905. The four issues, which have CVSS scores ranging from medium to critical, can all result in a denial of service…
Comparative fuzzing parallel Rust tools - https://medium.com/@adetaylor/comparative-fuzzing-parallel-rust-tools-fac5ce9c9c2d
Medium
I previously wrote about how we can use Rust’s “fearless concurrency”, resulting in a tool called ripunzip. (Here are some performance…
Registered Report: Dissecting American Fuzzy Lop: A FuzzBench Evaluation - https://www.s3.eurecom.fr/docs/fuzzing22_fioraldi_report.pdf
Detecting Excessive Data Exposures in Web Server Responses with Metamorphic Fuzzing - https://arxiv.org/pdf/2301.09258.pdf
A Framework for Feedback-Enabled Blackbox Fuzzing Using Context-Free Grammars - https://www.diva-portal.org/smash/get/diva2:1729911/FULLTEXT01.pdf
Taking the next step: OSS-Fuzz in 2023 - https://security.googleblog.com/2023/02/taking-next-step-oss-fuzz-in-2023.html
Google Online Security Blog
Posted by Oliver Chang, OSS-Fuzz team. Since launching in 2016, Google's free OSS-Fuzz code testing service has helped get over 8800 vul...
LibAFL 0.9.0 is out - https://github.com/AFLplusplus/LibAFL/releases/tag/0.9.0
GitHub
Release 0.9.0 · AFLplusplus/LibAFL
Highlights
Userspace snapshot-fuzzing using libafl_qemu
QEMU system mode fuzzing with fast snapshots
Tuneable Stage, Scheduler, ScheduledMutator to change behavior on the fly
Differential observer...
Reachable Coverage: Estimating Saturation in Fuzzing - https://mboehme.github.io/paper/ICSE23.Effectiveness.pdf
Research for Practice: The Fun in Fuzzing - https://queue.acm.org/detail.cfm?id=3580504
Icicle: A Re-Designed Emulator for Grey-Box Firmware Fuzzing - https://arxiv.org/pdf/2301.13346.pdf
Fuzzers for stateful systems: Survey and Research Directions - https://arxiv.org/pdf/2301.02490.pdf
Behind the Scenes: How we are securing our new PDF stack - https://microsoftedge.github.io/edgevr/posts/How-we-are-securing-our-new-PDF-stack/
Microsoft Browser Vulnerability Research
As we recently published on the Microsoft Edge Dev blog, Adobe and Microsoft are enhancing the PDF experience and value users have come to expect in Microsoft Edge. Adobe brings an unrivalled breadth of experience in the PDF space, and we are looking forward…
Harness the Power of Cannoli: Implementing a Program Backtrace - https://margin.re/2023/02/harness-the-power-of-cannoli/
Margin Research
So, you’ve heard about Cannoli, the high-performance tracing engine, but don’t know where to start. Perhaps you read the source code but don’t understand how to implement your analysis. Or maybe you’re someone who learns by example and finds inspiration in…
Can sanitizers find the two bugs I wrote in C++? - https://ahelwer.ca/post/2023-02-07-cpp-bugs-sanitized/
Andrew Helwer
A few days ago I published a short post about two bugs I wrote while developing the C++ external scanner for my TLA⁺ tree-sitter grammar.
Reactions were mixed!
Many people were supportive, but there …
Fuzzing ATM/POS protocols like a Boss - https://www.linkedin.com/pulse/fuzzing-atmpos-protocols-like-boss-karim-reda-fakhir/?published=t
Linkedin
Context: Generally, the buffer-overflow family targets common protocols like HTTP, SMB, FTP, …; indeed, there is a lack of papers, tools, and exploits targeting financial/payment protocols like NDC and ISO8385. In this article I present two fuzzers for the protocols ISO8385…
Fuzzing Solidity/Ethereum Smart Contract using Foundry/Forge - https://youtu.be/2bTmB3cwhxs
YouTube
📥 Download source code and materials: https://academy.fuzzinglabs.com/introduction-to-ethereum-security?coupon=YOUTUBE
In this video, I will show how to run and customize Foundry/Forge to fuzz an Ethereum smart contract in Solidity. I will also mention…
One Weird Trick to Improve Bug Finding With ASAN - https://landaire.net/one-weird-asan-trick/
landaire.net
A light exploration into how abstractions harm ASAN's effectiveness
cURL audit: How a joke led to significant findings - https://blog.trailofbits.com/2023/02/14/curl-audit-fuzzing-libcurl-command-line-interface/
The Trail of Bits Blog
In fall 2022, Trail of Bits audited cURL, a widely-used command-line utility that transfers data between a server and supports various protocols. The project coincided with a Trail of Bits maker week, which meant that we had more manpower than we usually…
The Hunt for CVE-2023-0286: Replicating OpenSSL's Latest Vulnerability - https://www.youtube.com/watch?v=_sh7qUUx9eo
YouTube
In this video, we take a deep dive into the recently discovered vulnerability in #OpenSSL, #CVE-2023-0286. We'll show you how to replicate the vulnerability using OpenSSL's test case, and walk through the steps taken to fix the issue.
We'll also cover how…