April 16, 2019
Daniel Domínguez Álvarez
Fuzzing has become a very interesting technique for finding bugs in computer programs. For several years now there has always been at least one fuzzing paper at each major systems security conference. In industry it is also a significant component of the software development cycle: big companies like Google and Facebook use fuzzing extensively across their products, such as Chrome and Hack.
In this talk I present the problem of fuzzing targets with complex inputs, such as compilers and interpreters. I also present work in progress on an approach for fuzzing interpreters of object-oriented scripting languages like JavaScript. In this approach the fuzzer leverages what is called Object Oriented Genetic Programming to target a specific part of the interpreter: the standard library. These libraries are usually implemented in native code for performance and, because of that, are interesting targets for fuzzing.
Along with the architecture of the fuzzer, I also present preliminary results from comparing my fuzzer with other state-of-the-art fuzzers, and the roadmap for the next steps.