DATA MINER: Jaanus Kääp - Automated fuzz testing of closed source applications based on the code cov HD

TestCon Vilnius 2016. Software Testing & QA Conference. October 21, 2016 | Automated fuzz testing of closed source applications based on the code coverage (corpus distillation)With constantly improving development environments and software, it should become harder and harder to find new security issues without diving very deep into the implementation or inventing new fuzzing techniques. But reality is not reflecting this assumption. With zero knowledge of the protocol/format, the attacker can often find new issues by simple method like bit flipping combined with smart file selection. And this works even against largest vendors!That simple method was used by the author of this talk, to find tens of vulnerabilities in many document readers (by vendors like Adobe, Apple, Microsoft etc) without any knowledge in file formats themselves and minimal resources. The talk focuses on the method and the tool development for such vulnerability research.