Fuzzing Bay Area #2

San Francisco DevSecOps Technology Meetup
Public group

164 Jefferson Dr · Menlo Park, CA

How to find us

Facebook Building 28

Details

Join us for the second Fuzzing Bay Area meetup!

Note: Per Facebook's physical security policies, attendees will be required to sign an NDA and bring a valid ID to check in to the venue.
==================================================================

Agenda:
6:30 – 6:55pm Registration + Networking
6:55 – 7:00pm Welcome
7:00 – 7:25pm Presentation 1 + Q&A
7:25 – 7:50pm Presentation 2 + Q&A
7:50 – 8:00pm Break
8:00 – 8:25pm Presentation 3 + Q&A
8:25 – 9:00pm Networking + Event Close
------------------------------------------------------------------

Presentation 1: "Fuzzing Adoption at Facebook"

Hasnain Lakhani is an Engineering Manager on the Product Security team, working on dynamic analysis tools.

Abstract: There are a lot of resources on how to build and scale a fuzzing platform. There is less information on how to build a sustained, larger-scale effort to get a whole organization on board. Over the last 12-18 months, we built a centralized platform that all teams at Facebook can use. We will cover the history and motivation behind this work, and some principles to take into account while doing this. There will be interesting anecdotes from the engineering side (e.g. the power of copy-pastable commands) and war stories from the organizational side (convincing developers to become fuzzing advocates). We will share some of the things that worked for us and why, so listeners can adapt them for their own organizations.
------------------------------------------------------------------

Presentation 2: "Expanding the Reach of Fuzz Testing"

Caroline Lemieux is a PhD candidate at UC Berkeley, advised by Koushik Sen, focusing on improving the correctness and reliability of software systems.

Abstract: Recently, coverage-guided fuzz testing has gained huge traction in industry and academia thanks to its scalability and bug-finding power. However, due to its random-mutation-based input generation technique, coverage-guided fuzzing cannot reach far beyond the syntax analysis stage of programs. In this talk, I will introduce several projects expanding the reach of fuzz testing. First, I will introduce our work allowing fuzz testers to find inputs triggering a wider variety of interesting (bad) behaviors, including performance bottlenecks, excess memory allocations, and exercising program diffs (PerfFuzz, FuzzFactory). Then, I will describe how our work on smartly controlling mutations, either by direct masking (FairFuzz) or by way of input generators (Zest), helps fuzzers produce inputs that exercise (and expose bugs in) the core logic of the program.
------------------------------------------

Presentation 3: "Your Browser is my Fuzzer: Fuzzing Native Applications in Web Browsers"

Jonathan Metzman works on the Chrome security team, where he writes fuzzers and fuzzing infrastructure (ClusterFuzz and OSS-Fuzz).

Abstract: Through WebAssembly and Emscripten, many important native applications, like SQLite, can run in virtually all web browsers (including Chrome, Edge, Firefox, and Safari). This makes it possible to fuzz native applications in web browsers using familiar fuzzing tools such as libFuzzer and ASAN.

This talk will:
- Demo in-browser fuzzing on real programs like SQLite.
  - Viewers can participate by fuzzing the applications in their own browsers.
- Help users fuzz their own native applications in-browser by:
  - Releasing the tools needed to do so.
  - Teaching them how to fuzz applications in-browser.
- Explore some use cases for in-browser fuzzing.
  - In particular, how it can enable the dream of crowdsourced fuzzing.
- Explain how the technologies that allow for in-browser fuzzing, such as WebAssembly, work.
  - This will be geared towards developers familiar with fuzzing but not web programming.
  - This will touch on the changes to libFuzzer that were needed to support in-browser fuzzing.

------------------------------------------
Talks from the first meetup are available at https://github.com/MotherFuzzers/meetups.