Fuzzing Java with Jazzer

Speaker: Fabian Meumertzheim
Recorded: 2022-04-26

00:00 Intro
03:15 The Talk
57:46 Questions & Answers

Large tech companies such as Microsoft and Google are relying on fuzzers more and more to automate finding security issues in their software. In 2019, Google found the majority of potential security issues in Chromium via fuzzing – over 18,000 bugs in total.

Here, a fuzzer is a tool that rapidly feeds generated data into a specified entrypoint of an application or library with the aim of triggering bugs and security issues. Modern fuzzers use sophisticated instrumentation techniques to receive information about the code they execute and mutate the input data accordingly.

In this session, you will learn the basic concepts behind fuzzing and get to know Jazzer, a state-of-the-art fuzzer for JVM-based languages, via real world examples. Whether it’s bypassing an XSS sanitizer, making servers grind to a halt with very small protobuf messages, or even reproducing Log4Shell, you will see how easy it is to automatically search for security issues and bugs in open-source libraries.

Fabian is a software engineer at Code Intelligence, where he focuses on the development of fuzzing technologies with a special focus on memory-safe languages and OSS security. He led the efforts to open-source the company’s Java fuzzer Jazzer and has since been its lead maintainer. He is also an avid contributor to other open-source projects such as Bazel, Chromium, and the Android Password Store. A mathematician by education, he always enjoys speaking at conferences and workshops.

Twitter: @fhenneke

Organized by: Java User Group Switzerland
https://www.jug.ch/