Recent @andrei Activity
Fuzzing Grub, part 2: Going Faster
1 points • 1 comments
Should add the date to the title: (2017)
No reason to be ashamed, it's still a fairly niche concept. We're huge fans of it though. We'll definitely be writing an in-depth post about it in the coming weeks/months.
>Sure, but one thing I don’t understand is why fuzzing is not used more often for testing basically any pure function [...]
Agreed 100%, and is actually what we encourage people to do. Since this is an intro article though, we wanted to keep things simple, and everyone understands the danger in accepting inputs over a trust boundary. Your suggested method is what the fuzzing community calls differential fuzzing. It’s been incredibly effective at finding bugs in crypto libraries, and is currently being used to fuzz different Ethereum node implementations. There are other ways you can fuzz functions, and we sort of hint at this in the post when we say:
“If you can define a property that must hold true for any given input (also called an invariant), then the fuzzer will look for inputs that break your invariant”.
Usually this translates into writing assertions the same way you might when you’re writing property-based tests. In fact, I think the fuzzing community has a lot to learn from property-based testing. These are more advanced topics though, that we hope to cover in a later post, and why we omitted these details from this one.
>This list of issues seems sort of manufactured [...]
Developer friendliness means different things to different people depending on their area of expertise, years of experience, or interest levels. While the list may seem manufactured, we’ve found that unfriendly tooling and uncertainty about what to tackle first can turn developers off even trying to write a fuzz test at all. Understanding what makes a good fuzz test, instrumenting your code properly, running many fuzz tests at scale, and triaging and interpreting the results of a fuzzing run can make fuzzing prohibitively difficult for a new engineer to set up. This is what we’re focused on solving.
>Advertising a product without saying anything about it is off-putting to me [...]
Fair enough. Fuzzbuzz isn’t quite ready for public access yet, so that’s why we’re a bit vague here, but the intention was not to advertise our product (and is why we only wrote a couple of paragraphs at the bottom). We were just excited to write a post about fuzz testing, and figured anyone whose interest was really piqued could get in touch. We hope to expand this post and use this as an educational resource long-term.
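The two harness styles the comment above describes, differential fuzzing (two implementations must agree on every input) and invariant fuzzing (a property such as a round trip must hold), as an added example that is not part of this thread or of Fuzzbuzz's code. It is a self-contained Go program: `decodeHexFast` is a constructed hand-rolled decoder that deliberately mishandles odd-length input, `encoding/hex` is the reference, and a small mutation loop stands in for a real fuzzer so the divergence can be reproduced without AFL or libFuzzer. All function names are the example's own.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"fmt"
	"math/rand"
)

// decodeHexFast is a constructed "optimized" hex decoder used as the
// implementation under test. It carries a deliberate bug: an odd-length
// input has its trailing nibble silently dropped instead of being rejected,
// which the reference decoder (encoding/hex) reports as an error.
func decodeHexFast(s string) ([]byte, error) {
	out := make([]byte, 0, len(s)/2)
	for i := 0; i+1 < len(s); i += 2 {
		hi, ok1 := nibble(s[i])
		lo, ok2 := nibble(s[i+1])
		if !ok1 || !ok2 {
			return nil, fmt.Errorf("invalid hex byte at offset %d", i)
		}
		out = append(out, hi<<4|lo)
	}
	return out, nil
}

func nibble(c byte) (byte, bool) {
	switch {
	case c >= '0' && c <= '9':
		return c - '0', true
	case c >= 'a' && c <= 'f':
		return c - 'a' + 10, true
	case c >= 'A' && c <= 'F':
		return c - 'A' + 10, true
	}
	return 0, false
}

// CheckDifferential is the body of a differential fuzz harness: reference and
// fast decoder must agree on whether the input is valid and on the decoded
// bytes. A non-nil error is the "crash" a fuzzer would report for this input.
func CheckDifferential(input string) error {
	want, wantErr := hex.DecodeString(input)
	got, gotErr := decodeHexFast(input)
	if (wantErr == nil) != (gotErr == nil) {
		return fmt.Errorf("error mismatch for %q: reference=%v fast=%v", input, wantErr, gotErr)
	}
	if wantErr == nil && !bytes.Equal(want, got) {
		return fmt.Errorf("output mismatch for %q: reference=%x fast=%x", input, want, got)
	}
	return nil
}

// CheckRoundTrip is the body of an invariant-style harness: for any bytes,
// decoding their hex encoding must yield the original bytes.
func CheckRoundTrip(data []byte) error {
	back, err := decodeHexFast(hex.EncodeToString(data))
	if err != nil {
		return fmt.Errorf("round trip failed to decode: %v", err)
	}
	if !bytes.Equal(back, data) {
		return fmt.Errorf("round trip changed data: %x -> %x", data, back)
	}
	return nil
}

// Mutate is a minimal fuzzer step: overwrite a byte, append a hex digit, or
// truncate. Appending or truncating can make the length odd, which is the
// case the two decoders disagree on.
func Mutate(rng *rand.Rand, seed string) string {
	b := []byte(seed)
	switch rng.Intn(3) {
	case 0:
		if len(b) > 0 {
			b[rng.Intn(len(b))] = "0123456789abcdefg"[rng.Intn(17)] // 'g' exercises the invalid-char path
		}
	case 1:
		b = append(b, "0123456789abcdef"[rng.Intn(16)])
	case 2:
		if len(b) > 0 {
			b = b[:rng.Intn(len(b))]
		}
	}
	return string(b)
}

// FuzzDifferential mutates seeds for the given number of iterations and
// returns the first input on which the implementations diverge ("" and nil
// if none was found). The RNG seed makes the run reproducible.
func FuzzDifferential(seeds []string, iterations int, rngSeed int64) (string, error) {
	rng := rand.New(rand.NewSource(rngSeed))
	corpus := append([]string(nil), seeds...)
	for i := 0; i < iterations; i++ {
		in := Mutate(rng, corpus[rng.Intn(len(corpus))])
		if err := CheckDifferential(in); err != nil {
			return in, err
		}
		corpus = append(corpus, in) // keep agreeing inputs as new seeds
	}
	return "", nil
}

func main() {
	in, err := FuzzDifferential([]string{"", "00", "deadbeef"}, 10000, 1)
	if err != nil {
		fmt.Printf("divergence found on %q: %v\n", in, err)
	} else {
		fmt.Println("no divergence found")
	}
}
```

Swapping the mutation loop for Go's native `testing.F` fuzzer or a libFuzzer target changes nothing in the two `Check*` functions; those bodies are the part of a fuzz test that encodes the property, and the odd-length divergence is exactly the kind of trust-boundary parsing bug the comment is describing.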
Argh, this is the paper I meant to link: https://arxiv.org/pdf/2008.06537.pdf
(Updated the above comment as well)
Basic fuzzers can surprisingly go a long way. Barton Miller (the professor who first coined the term fuzzing) actually wrote a paper last year where he just ran a very basic fuzzer against a bunch of common UNIX tools. Even after all these years of testing/usage, they still managed to find a ton of issues.
What Is Fuzz Testing?
72 points • 20 comments
literally dozens of us!
I believe they use libFuzzer to test isolated components, but it seems like they wanted to specifically focus on browser fuzzing for this post (it's probably more interesting, too).
Fuzzbuzz | Full Stack Engineer (Typescript/Go) | $125k-145k + 0.25%-0.5% | SF Bay (Redwood City) | https://fuzzbuzz.io
Fuzzbuzz is hiring a full stack engineer (true full stack, not just frontend) to help build our fuzzing as a service platform. Backend is 100% Go and frontend is your choice (currently Angular, but open to letting you rewrite it), since you'd completely own it. 60/40 backend/frontend work split. Production experience writing frontend code is a must, but no Go experience required.
We're a team of 5 - 4 engineers, 1 designer. The team is very technical (founding engineers have 20+ years of experience each), which allows us to iterate quickly using technologies that solve problems, rather than flavor of the month tech (stack is Go, Typescript, Postgres, Nginx, Linux).
More info here: https://angel.co/company/fuzzbuzz/jobs/853711-full-stack-eng...
Send me an email with your resume: andrei [at] fuzzbuzz [dot] io
What's the best way to contact you?
Fuzzbuzz | Fuzzing Engineer (second engineer) | $150k-$180k + equity | Location TBD - South Bay, CA | Full-Time | ONSITE | YC W19
We're Fuzzbuzz (https://fuzzbuzz.io) and we're building a fuzzing as a service platform that integrates into CI systems and the modern SDLC.
We recently raised a $2.7M seed round and we're looking to hire a Fuzzing Engineer to work full-time on, and own the technical direction of, a brand new state-of-the-art fuzzing engine. A lot of research has been done in this space, but very little of it provides real benefits over AFL/libFuzzer. We're building a fuzzer that works with real-world applications written in modern languages and will significantly change the role fuzzing plays in the SDLC.
We're currently 4 people, so we don't have any hard requirements, but the ideal person looks something like:
- Go/C/C++ experience (2+ years)
- Knowledge of or capability to learn advanced fuzzing techniques and optimizations
- Interest/experience with distributed systems, systems level programming and compilers
- Ability & desire to take full ownership of a product and define a new paradigm of software testing
Contact: firstname.lastname@example.org - include "Hacker News" in the subject.
We sort of picked the name as a joke at first, but we noticed that it was very memorable (as meme-inspired names tend to be), so we decided to keep it. Don't regret it, yet.
If you're interested in learning more, our docs explain everything from the ground up.
Thanks for the heads up! I haven't heard of Security Innovation, so definitely going to look more into what happened there.
I think the key difference, though, is that we don't do any consulting/training/manual pentesting. We're more of a dev tool company than a security company in that we don't aim to replace security engineers but to make their lives easier.
Java is one of the next 2 languages we plan to support (hopefully in the coming month).
If you send me an email (email@example.com), I can let you know when we launch Java support.
Glad you found it useful - it's a topic that comes up a lot when we talk to customers and we figured we should just be upfront about it.
Wasn't our idea though - we stole it from Labelbox :)
My bad - I accidentally disabled the controls when I was setting it up. Should be fixed now.
Also, yeah, we're not video experts, so we had a feeling the video might not be the correct format. We just wanted to put something up that showcased the platform without forcing you to sign up, but we'll definitely make sure our next video is in a better format.
The nature of fuzzers like AFL is that you get better results by instrumenting your code and writing your own harness, but AFL has a "qemu mode" that runs precompiled binaries in an instrumented VM instead. We'll be adding this to the platform in the near future.
You won't get the same kind of results that you could by writing your own harness, but it would still be possible to find crashes, extreme memory usage or timeout bugs. Using something like libdislocator would allow you to expose certain memory bugs as well.
Hey - I'm the other guy working on Fuzzbuzz
It's similar to oss-fuzz in terms of functionality, in that it lets you integrate fuzzing into your dev workflow by automatically pulling your latest code, fuzzing in the background, alerting you on bugs, running regression testing, etc.
It differs in that while oss-fuzz is only for select large open-source projects, Fuzzbuzz lets anyone sign up and begin fuzzing their code. We also support more languages - the usual C/C++ as well as Golang, Python and Ruby, with more in the pipeline.