From YouTube: Fuzz Testing Group Meeting - 2020-06-23
Description
Weekly Fuzz Testing group meeting
A: So I've got the first agenda item, so I just wanted to share some of the initial feedback we've gotten from sales in the marketing team. Now that we've publicly announced the acquisition, we started talking to the sales and the field staff, you know, about what this means. A lot of enthusiasm around it. People seem really excited about bringing new capabilities, new technology to customers. You'll most likely see a lot of new faces popping in the fuzzing Slack channel, so those are going to be people that have seen the announcements and have questions, and it's, in my opinion, really great that we are seeing the enthusiasm we are, because, you know, it's gonna be great. Once we have version one, we can start engaging with customers and giving it to them, I think.

C: Tomorrow I'm doing a walkthrough of pytest Auto Explorer. It was a proof-of-concept plug-in to pytest I wrote that uses existing Python or pytest unit tests to determine, basically, starting points for fuzzing and other exploration methods, right, and the other ones in this case being SMT solving, but yeah. So this will be a walkthrough of that proof of concept, and it is something that I am building on, and I will be applying similar concepts to Go and Ruby.

C: Oh, I've got the next one too. So I have been working on some dogfooding and/or getting that set up: GitLab Runner. It's a Go project generally. If I understand, or my current understanding of GitLab Runner is that it, mm-hmm, it has its own API that it uses. That's how you talk to it, and so I realize it may work well with API fuzzing, as well as coverage fuzzing, to fuzz the kind of inner aspects quickly of GitLab Runner.

C: We could skip the API part and jump straight to the commands that it does based off of the requests it receives, but then we could also pose the API. I haven't, I don't have a proof of concept working on that one yet, but I'm still doing research and trying to figure out the best way to hook into it. And the fuzzing gitlab-ci.yaml, I started on this one. I'm further along on it, because I personally ran into an issue with this and I already had code set up to start testing it, but it is working.

C: Let's see, it's not expecting memory corruption errors. It tests the YAML parsing for any errors that aren't raised as a validation error, and that's what would cause a 500 server error, and that's what I had run into a few times, and the ticket there is for the one that I've found. And it is, I haven't fully implemented the grammar for gitlab-ci.yaml, so it's not fuzzing all the features, but most of it is there and I'm going to show here. It is okay.

C: Yeah, I, I wasn't sure what to expect, and this is one I ran into manually. So it wasn't a new new one. I ran into this just trying to use GitLab, yeah, well, and yeah, but it was reassuring, though, that the fuzzer found it, and I had test case minimization. So we've got a super minimal test case for the team.

C: Okay, yeah, so, let's see, I made a Ruby gem that loads, mm, how do I state it, all right, so I made a Ruby gem that loads a Rust library. So it's got, it's a native Ruby extension that uses my grammar fuzzing code. So the grammar fuzzer is something that I've been doing for fun, and I wrote it in Rust, and so I already had it and it's fast, and so I use it, but yeah. So the code that I've linked, that YAML fuzzer .rb, it loads.

C: So no, the GDK, GitLab Development Kit, yeah, once that's up and running. If you can run normal unit tests on that project, then you can run this. It needs a database and it needs a few other things. So it's not quite that complicated, and you've run it, or it's not that simple. You've run it using the rails runner command, and that runs this script within the Rails context with all of the dependencies loaded, yeah.

C: Haven't set it up to run in GitLab yet, and that's kind of the next step. I've been working on trying to boost performance a little bit, but really I'm focusing now on just finishing the grammar, making sure it's able to generate YAML that hits all the features, yeah, and then I'll put it in GitLab. So I'll have, like, a scheduled job that runs on the latest GitLab every night or something, yeah.

B: 'Cause I think from what we're trying to do is, is figuring out how much of this could get codified into, like, the CLI tool, right, or if crashes or any of these errors can get into our JSON file that can then show up on the dashboard, right, so that, ideally, the code that you're writing is just minimal code and then all the other infrastructure is what we want GitLab to handle, so that, you know, you've got a fraction of the amount of work to actually implement this type of thing. Yeah.

C: And it's a, it is an interesting dogfooding example, and I haven't touched it since, oh, mid last week, besides pushing up the code this morning. Well, and the reason for that is I don't think that its use case fits in with our MVC, because it is not directly API fuzzing. It's not the feedback or coverage driven fuzzing, where we already know how to parse the output and generate the JSON file. Like, it's definitely useful, but it's not plug-and-play from a user perspective. Yeah.

D: Yeah, I mean it will work, just, yeah. Of course, I mean we can also implement, do that in the future. I just think that for the MVC, probably like a standard fuzzer, because I already tested it with libFuzzer, but later we can also integrate it with this, with the grammar parser. As long as its output is JSON, it should work, essentially, yeah.

B: So the next one I had was, I know there was some discussion on naming from last week. Haven't caught up on all the issues. Just wanted to see, we're naming our variables and so on and so forth, and the repos, based on API fuzzing and coverage guided, so I just wanted to see if there's any direction change or whether we should keep moving ahead, and I think, Sam, you said to keep moving ahead.

B: Doing it later, but if we're good we'll keep it forward. And then the next item, you're getting, I just want to make sure. I think there's some discussion on Slack about the demo for the customer advisory board. Want to see if you have any questions for that, if you need any additional information from Sam or from anyone else, yeah.

D: So actually the demo is ready. I didn't record it yet because I thought that it might be worth first going through the demo live, so we can get some comments and then I'll do a recording. So maybe we can do that either now, if we have time, or tomorrow. We can do that now, I think, if we have time, but we can also, let's see if someone else has questions and then we will jump into the demo. Maybe.

C: Exactly, this is on my radar too. It's something that was, it, last week there was something else that came up where I said I could help set up the dogfooding for API fuzzing, and I haven't synced up with you yet, Mike, so yeah, I'll do that today, sync up and figure out what we need to do to get that going.

D: Let's try, or can I just zoom in, maybe, yeah.

D: Sometimes, okay, so how it looks like is that we, we have to include a template, coverage. We added the new template to the base GitLab Ruby back-end. It's called coverage fuzzing GitLab, and what we need to do in order to essentially run our fuzz tests in the CI is to add, add a new stage, fuzz stage, and for each fuzz target we need to create a new fuzz target or fuzz function. It's the same thing.

D: So for each step, we need to create a step for that fuzz function which, and it will extend fuzz, something that's called fuzz base, and this is essentially included in the parent template. Okay, we have, I already uploaded a handy Docker image, so we will have handy Docker images under gitlab cough, as those they want to include. They want to include any, they want to include our CLI. They will just include, like, our CLI will be downloaded in real time, at least for now; we can discuss it later.

D: Usually it takes a lot of steps to install the fuzzers, like installing LLVM or installing libFuzzer inside wiggling, like it takes a lot of, a lot of steps. So here I have Go with nofas already available, and in the script those are standard, standard steps that you can find in the official documentation, and then we will run, the user will have to do, to run essentially the fuzz target with, with this graphics.

D: The reason for that is that the CLI is, is just one binary, one small Go binary, and pushing, like, we will have, probably we will have a lot of handy Docker images that contain libFuzzer or contain go-fuzz, contain AFL, and creating all those Docker images every time we're creating a new release, just that consumes more, more, more time and resources. But we can do that as well, like, we can have them, yeah.

D: So here I just pushed something to master and we have, let's go to this pipeline, yeah, so we have a fuzz stage and we have, and we have this function, like this step. This is a step for our fuzz function, and we can see that, we can see all the logs, of course, just like in any other step, and we can see the libFuzzer, the fuzzer's fuzz targets running here and essentially crashing, finding the new crash.

D: So currently all the crashes and the test cases that the fuzzer generated can be found and downloaded here. Just like I showed in the previous demo, I also save a copy of the fuzzer. We can, we can decide if you want to keep it or not. I thought it will be a good, good way to keep it, because then the user will be able to also reproduce it locally. This is the CLI, because we, we say, like, we save everything, including the fuzzer. So here are the crashes.

D: There is some more code that I need to add to our CLI to categorize the severity correctly. I didn't port it yet from, from Fuzzit, but, but it does, it does parse the index out of range, like this is the, the error that the fuzzer finds. So we can see.

D: It's called the state, but essentially this is like a stack trace without random addresses for the crash, so the crash really happened in here, in parse complex func. We can also see that, see that in the, in the logs, yeah. Also, if we, if we find more, like, more data, like I, like I showed them the screenshots in the merge request, so there will be also address available, and I think, yeah, address and type, and type of the, I think there is about here, because it should also show, like, index out of range here.

D: But for some reason now, I say that in thousand, it's only showed, shows it here for some strange reason, but we also, also should see that, like, vulnerability type, which is index out of range, yeah. So this is the current merge request. We still are not seeing, like, from, probably it will be in the next merge request, because we should also see this here and in the security dashboard, I guess, because currently, in the merge request, I'm only parsing the data from the JSON and I'm not saving it to the database.

D: If I'm going to configuration, then I'll also see there, probably there is some small bug here, but here it's a, this is like the coverage fuzzing type, which is currently enabled, and yeah, and but it's not, it's not showing in the security dashboard, because I think it's not saving it into the database, I assume.

A: Really the, the key point is: we won't be able to fail the pipeline, because we don't want to fail pipelines because of the security. In terms of the actual job status itself, I would say we should be consistent with what all of our other scanners are doing. So, if they're passing, we can do the same thing.

A: One suggestion for when you're reviewing the CI file, the YAML: I would either say speak to it or add a comment to describe what that parse complex is in there, or review the repository as part of the demo walkthrough, because, as an audience member, it might not be immediately clear that's the code of the application itself, so that would be something that's good to highlight as part of the demo walkthrough, yeah.

A: Yeah, and also for the security dashboard for the project, for the purposes of the demo, I mean I, I think showing just what you did with the modal dialog is probably fine, to show, like, this is the direction we're going in, because really the, the CAB, this is a preview, so, even if it's not in the project dashboard yet, that's okay, and it can be omitted if you want to record it before you're done implementing that, yeah.

C: I have a couple questions, and sure, like, I'm not, let's see, me, because I don't know, I think I don't know the answers to these questions, because I've probably missed something in some of the issues and merge requests that are going on, yeah. So the crash state, is that always the back-trace? I can't remember what we add, at what field we added to the database, like, I thought we, I remember we had a discussion about specifically just calling it a back trace or stack trace, yeah.

D: Yes, so the crash state is, is essentially back, like a back trace without the randomized addresses. I, I don't remember the discussion on changing this name, but we can change, change it. The database schema, I'm not sure we will, like, we will need it, at least for now, because everything fits quite, quite good into the current, like, design and architecture and database of, like, the current security parsers and features.

C: My second, I didn't have time to, I didn't write it up while we were talking. But my second question is: is there a way to add a hash of the input somewhere, like even in the crash state, just so that you can link that specific crash to one of the crash files?

D: Ah, it's a good point. I think we need to, to add it, maybe not to this MR, because this MR is big already, and with, like, front end teams and back end teams, and, and then once we have this MR I think it will be very easy to, to add a new field and it will be reviewed quickly. So I, I don't worry about where will be the right place to put this issue, but yeah, sure, yeah.

B: One thing to be careful of with that is, if we, I think all that data that we see in the modal will get persisted to the database, and so any of the data persisted to the database, if you have links, we just have to be careful if they're linking over to assets, because there's, or artifacts, because the artifacts may expire. That's right.

B: Right, so I'm not sure if everyone's familiar with what commands talking about, and so, if you go to the security dashboard, you've got a list of vulnerabilities and then, when you click on a vulnerability, it takes you to a dedicated page for that vulnerability. Yeah, I think we have to see where this ends up. Once we get this into the security dashboard, look, I think the next step would be.

B: You know, figuring out why, how to get this data persisted into the database, and then it's just what comes out of the box with that instance page, likely. It's not gonna have any of these fields, these custom fields that we just saw, which was a crash state, and I think you have one or two other fields, so.

D: Yeah, I guess so. I mean we can, yeah, I don't know what, I mean I don't know exactly what standalone vulnerabilities, but I mean I think I saw it in some of the discussions, but yeah. This is why we are not seeing this here, and this is what we'll have to add in, in the next request, and then I think it will be easier to maybe do this, to discuss what exactly we want to do with, put the standalone vulnerability.

A: Okay, if we can go back, actually, I'm, I'm sorry, I still don't understand the direct answer on, so, if we're talking about pulling the modal into MVC, which was not in the original requirements, this is in addition to that download artifacts button that we agreed on in the initial designs, correct? This is not a replacement of, yeah.

D: The only thing is that, so I saw, I saw the download button that we discussed, but I'm not sure who should add this button, because, because this is a new functionality. I'm not familiar with the front-end code base. I mean I can try and find where to add it, but I'm not sure who, who should add this modal, and then, then we should implement the backend somehow to download that report, or maybe the report actually is already available, so I think it's only in front-end work, yeah.

D: No, I think, yes, sorry, I also don't think there is any backend there, but it's also not in the, in the artifact. It's in some different place, for, like, the reports are stored, because here, because we are, like, it's not an artifact, it's a report, a report type. So we don't see the report here, because this is just the artifacts, but, like, there is geo coverage fuzzing report, right.

A: That useful for end-users anyways, though, because they're gonna see all the results in the modal and they can look at it, and then they can correlate that with the, the files, the, the crashes and the corpus documents, I think, are what's gonna be more useful to them, if we have to pick one or the other, yeah.

E: Seems like it's the only information that a user has in front of them to distinguish different, between different issues, like, if I was sorting through a bunch of these fuzzing results, I feel like for me it would be useful to see that stack trace, so I can understand, without having to download and then open the download and look at all the information, a little bit of what's going on.

A: Yeah, I almost see this turning into, if we want to do this at some point, the description being more freeform text about what the specific type of fuzzing result means. You know, if it's a heap overflow, that means that we should be pointing to malloc and calloc type calls and explaining that to users. It wouldn't necessarily be application-specific context, necessarily. I could see it be more as describing the, the type of issue that fuzzing found, because the individual fuzzing results themselves are going to be so specific.

D: Yeah, so, so it's mostly something we need to do, integrate, because, like, there is support, we don't need to build a new fuzzer. We just need to, to be able to support the libFuzzer and coverage, coverage data. There is, there is a feature, way of running libFuzzer with, you know, source and debug enabled, right. I have.

C: A question about the MVC and the schema is, so to me the schema needs to cover both API fuzzing and coverage fuzzing. So maybe I'm misunderstanding something about solidifying the schema before the MVC. Is that what we're doing, because currently they're being developed separately and I'm not sure what to think about it? Does that make sense?