►
From YouTube: Sam coaches Cindy on fuzz testing demos
Description
Fuzz testing
Associated presentation: https://docs.google.com/presentation/d/1YSOvlS-0wmxtdsEky5m3PijslFOLRUzppFJvQhMaFMo/edit#slide=id.ga0dc1640fd_0_1959
A
B
So
this
is
just
the
regular
version.
We've
not
made
any
code
changes
to
it
to
make
it
amenable
for
fuzz
testing,
because
one
of
the
pain
points
people
are
going
to
be
wary
of
is,
if
I
want
to
do
this,
I'm
going
to
have
to
do
custom
development
on
my
source
code
base,
which
you
do
not
have
to
do
with
fuzz
testing,
so
they
could
go
download
this
exact
version
from
the
internet
and
reproduce
our
results
very
easily.
A
B
So
really,
there's
going
to
be
two
steps
in
adding
coverage
grade
fuzz
testing
to
the
project.
The
first
one
is
that
we
have
to
tell
the
fuzzer
how
we
want
to
run
and
fuzz
the
application,
because
the
fuzzer
is
unique
to
our
app
and
it's
going
to
find
business
logic
issues
unique
to
our
app.
We
have
to
give
it
that
extra
context
and
to
do
that
we're
going
to
build
what's
called
a
fuzz
target,
and
that's
in
this
handshake
fuzzer
cc
file.
B
Let's
go
ahead
and
open
this
this
one
up,
so
a
lot
of
this
file
is
boilerplate.
That
would
be
very
familiar
to
an
open,
ssl
developer.
Essentially,
what
we're
doing
here
is
we're
setting
up
the
tests
to
be
able
to
run
successfully
the
way
that
we
interface
with
the
fuzzer.
Is
we
implement
this
one
function?
This
love,
fuzzer
test,
one
input
function
and
what
this
is
doing,
the
fuzz
engine
is
going
to
call
this
over
and
over
and
provide
random
data
every
single
time
it
calls
it
that's
going
to
be
different
each
time.
B
B
The
function
we
actually
want
to
test,
though,
is
this
bio
underscore
write
function,
so
all
we
have
to
do.
There
is
rather
than
provided
a
piece
of
mock
data.
We
just
provided
the
random
data
that
the
fuzzer
is
generating,
and
it's
just
going
to
call
this
over
and
over
and
over
again,
and
that's
all
we
have
to
do.
A
B
The
second
part
is
now
that
we've
written
our
fuzz
target.
We
have
to
tell
gitlab
to
run
it
as
part
of
our
pipeline
on
every
build.
So
for
this
we'll
go
to
the
ci
yaml
file
and
we're
going
to
do
two
things.
A
B
Not
yet
no
it's
something
we're
talking
about,
but
nothing
nothing
today
for
that.
B
So
we're
going
to
first
include
a
coverage
fuzzing
template.
This
is
just
going
to
define
all
the
backend
pieces
that
the
job
needs
to
run
and
then
we're
going
to
define
our
actual
fuzz
testing
job
in
this
case
called
heart
bleed
target,
and
what
we
have
to
do
here
is
we
have
to
actually
build
that
piece
of
fuzz
target
code
that
we
just
wrote
and
that's
what
all
of
these
lines
are
doing.
B
This
is
all
pretty
generic
to
open
ssl
and
it's
going
to
be
different
for
every
single
application.
But
essentially
what
we're
doing
here
is
we're.
Taking
that
fuzz
target
code,
we
had
we're
building
in
such
a
way
that
it
can
call
the
various
functions
that
we
want
to
test,
and
then
the
final
line
of
every
fuzz
target
is
going
to
be
this
one
on
line
25,
where
we
call
gitlab
fuzz
and
that's
the
actual
fuzzer
and
we're
just
going
to
say,
run
and
then
give
it
the
name
of
that
fuzz
target.
A
B
So
once
we've
done
that
we'll
make
a
commit
run
a
pipeline
and
let's
take
a
look
at
the
results
that
we'll
get
so
in
this
case,
you
can
see
I've
run
my
unit
test
as
part
of
my
normal
testing.
The
fuzzer
heartbleed
target
ran,
and
so
we
knows
they
found
something.
So
if
we
go
to
the
security
tab,
we
can
see
that
I
found
one
vulnerability.
B
The
type
we're
also
given
some
information
about
the
function,
names
that
were
in
the
stack
trace
where
the
crash
occurred,
as
well
as
the
actual
full
stack
trace
here-
and
this
is
the
really
detailed
information
from
the
job
log
that
a
developer
would
use
to
figure
out
where
exactly
the
crash
occurred.
B
If
we
scroll
down
here-
and
this
is
the
part
you'll
want
to
highlight
the
demo-
is
this
tls1
process
heartbeat
item?
This
is
where
the
actual
crash
occurred
in
the
code,
and
this
is
where
the
heartbleed
vulnerability
gets
its
name
from,
because
it's
a
vulnerability
in
that
heartbeat
function.
They
called
it
heartbleed.
B
A
B
Yeah
so
where's
an
mr,
we
could
look
at
because,
basically
you
know
how,
when
you
have
an
mri
it'll
say
like
security
results
and
expand.
B
Are
not
put
there
so
so
you.
B
Yeah
one
question
you'll
probably
get
is
that
one
is
someone
will
say
you
know
the
stack
trace
is
great,
but
I
need
more
information
than
this
like
the
inputs
that
caused
it.
Those
are
all
available
in
the
job
itself,
as
artifacts
there's
a
lot
more
info
in
the
job
log.
But
if
you
go
into
the
browse
option
on
the
job
artifacts
area.
B
So
we're
on
the
pipeline
here,
if
we
just
click
on
the
job
name,
it'll
be
on
the
job
artifacts
on
the
right
here
and
so
we'll
just
browse
through
them.
This
is
going
to
have
all
the
really
low
level
information
that
a
developer
might
want
the
corpus
here.
These
are
all
the
test
cases
that
the
fuzzer
tried
and
these
are
going
to
be
what
they
can
use
to
reproduce
the
crash
locally.
B
No,
I'm
sorry,
I
told
you
the
wrong
thing.
The
crashes
directory
is
the
directory.
They
will
use
to
reproduce
the
crash
locally
if
they
want
okay,
so
I
wouldn't
highlight
this
on
the
demo,
but
you
will
likely
get
a
question
about
this
and
that's
where
that
info
is.
A
A
A
couple
questions:
what
if
I
just
skipped
how
to
set
it
up
and
went
straight
to
showing
the
results,
because
to
me
that's
the
most
impactful
part.
B
Yeah
that's
an
option.
I
I
think
it'll
really
come
down
to
the
timing
like
which
parts
you
want
to
really
focus
on,
because
I
mean
I
agree.
I
think
this
is
really
the
like.
Oh
we,
we
found
this
with
very
minimal
configuration.
A
B
Well,
so
that's
the
that
that's
the
thing,
because
we
have
to
emphasize
to
people
that
fuzz
says
it's
easy
to
get
started
with,
because
that's
where
classical
fuzzers
fail
right,
I
feel
like.
If
you
only
show
the
results,
people
will
be
like
yeah,
but
you
probably
have
to
spend
a
week
setting
it
up
right.
So
the
intent
with
the
early
part
of
the
demo
is
to
say
this
is
really
simple.
B
You
know
I
walked
you
through
it
in
a
few
minutes
versus
a
week,
but
that
said,
there
probably
is
a
way
to
go
through
it
more
quickly.
B
A
Okay
and
then
on
the
slide
deck
did
you
have?
Do
you
have
that
duck
candy
yeah
this.
B
A
The
part
with
the
orange
boxes
you
did
that
on
commit.
Didn't
you.
A
B
So
in
this
example,
we
want
to
talk
about
an
a
conceptual
or
a
hypothetical
application.
Let's
say
that
it
takes
a
json
document
as
an
input
processes
it
and
does
some
sort
of
service
like
producing
a
report.
B
A
B
Another
example:
maybe
the
fuzzer
tries
to
provide
an
invalid
customer
id
and
again
we
have
error
checking
in
place.
So
it
doesn't
matter,
but
let's
say
the
fuzzer
finds
one
case
where
it
provides
a
valid
customer
id,
but
doesn't
change
the
auth
token
and
your
app
just
returns
a
report
as
expected.
B
That's
a
major
security
issue,
because
the
auth
token
I
provided
the
fuzzer
provided
was
unique
to
customer
five,
but
it
got
the
results
for
customer
one.
So,
even
in
an
app
that
has
qa
and
testing
in
place,
the
fuzzer
found
an
edge
case
that
wasn't
covered
previously.
A
A
All
right,
so
that
all
makes
sense,
I
may
add
a
slide
in
there
for
peach
and
buzz
it.
I
took
that
out.
I
might
add
it
back
in.
B
I
thought
you
had
one
one
of
the
acquisition
slides.
You
mean,
I
thought
we
had
one
in
here.
A
B
Have
been
time
sinks
that
take
a
little
bit
longer
than
I
expected
so.
A
B
B
Yeah,
so
in
this
one,
the
the
thing
that
takes
the
time
is,
you
have
to
set
the
stage
kind
of
for
like
what
even
is
this
function?
Why
are
we
looking
at
it
and
we
have
to
talk
through
where
we
have
this
parts
complex
function?
That
takes
an
input
we
can
see
in
the
logic,
though,
there's
off
by
one
error,
because
it's
checking
for
seven
letters
here,
but
it's
only
looking
at
a
length
of
a
sixth
string.
B
The
fuzzer
is
what
would
generate
that
sort
of
random
data
and
eventually
find
that
test
case,
and
that
pretty
much
is
the
whole
presentation
of
this
slide
is
redundant
when
you
also
show
a
full
demo
of
the
fuzzer,
so.
A
B
I
I
did
a
dry
run
for
the
cab
with
both
this
slide
and
then
going
into
the
heartbleed
demo,
and
it
was
a
lot
of
time
and
a
lot
of
seeing
the
same
thing.
Okay,
if
that
makes
sense.
That
said,
if
you
don't
do
an
api
fuzzing
demo,
I
think
this
one's
actually
really
good.
B
B
B
and
when
we
provide
a
valid
request,
such
as
the
one
pictured
on
the
bottom
left,
where
we're
saying
the
user
is
dd
first
mic
last
smith,
password
hello,
you
know
we'll
get
a
sorry
yeah
when
we
provide
this
value
request,
we'll
get
a
valid
sort
of
response.
B
But
what
we're
going
to
do
is
give
this
to
the
api
fuzzer
and
it
will
say:
okay.
This
is
a
known
good
type
of
request.
I'm
going
to
take
this
and
I'm
going
to
mutate
it.
So
in
the
top
right
here
we
can
see
the
fuzzer
change,
the
username
from
dd
to
percent
27.,
and
then,
when
we
give
that
to
our
application,
it
responds
very
differently-
and
in
this
case
on
the
bottom
right,
it
actually
crashes.
B
A
B
B
I
find
what
my
autocomplete
wants
to
show,
so
this
is
the
repo
I
added
you
on
to
so
let's
go
to.
B
B
B
B
So
we're
actively
working
on
pulling
this
into
the
security
tab.
The
reason
we
did
it
this
way
is
because
peach
from
the
acquisition
already
had
json
output,
and
this
is
rendered
directly
from
that.
So
there
is
no
or
j
unit
output.
Excuse
me,
so
there
is
no
net
new
development
for
us
to
get
it
in
this
form.
So
now
we're
working
on
the
dev
work,
to
put
it
in
security.
B
B
B
So
like
you
can
look
up
the
cwe
and
the
owass,
it
has
a
human
readable
like
just
telling
you
what
things
are
so
this
is
actually
really
cool.
The
part
you
want
to
highlight,
though,
actually
I
don't
like
this
one,
so
I
would
scroll
to.
Is
this
the
second
or
the
third
one.
B
B
Correct
yeah,
I
would
look
at
the
third
one
in
the
list
because
the
others
require
you
to
dig
a
little
bit
too
deep
for
a
demo
for
it
to
click
with
people.
But
what's
going
to
really
jump
at
people?
Is
this
mutator
part
where
the
fuzzer
saw?
Oh,
you
tried
value
2,
I'm
just
going
to
try
65576
and
see
what
happens,
and
in
this
case
we
have
an
internal
server
error.
B
And
so
then
it's
going
to
give
you
all
the
original
stuff
that
it
recorded
what
it
received
when
it
you
know,
got
that
back
as
well
as
a
bunch
of
other
information
that
the
devs
could
go
ahead
and
you
know
figure
out
what
went
wrong.
A
Okay,
yeah
very
cool
yeah.
I
can
show
that
okay,
but
this
does
a
good
setup
of
what
it
is
they're
going
to
see.
If
I
can
keep
it
real,
close
and
short.
B
Yeah,
I
think
the
other
one.
You
have
to
caveat
it
so
much
because
it's
not
in
the
security
tab
and
it's
kind
of
a
different
workflow
and
different
screens
like
the
coverage.
Fuzzing
is
solid.
I
think
this
diagram
gets
the
concept
across
and
hopefully
entices
them
to.
Let's
talk
after
the
conference
kind
of
thing.
A
No
okay,
well,
hopefully
the
q.
A
is
easy,
we'll
see!
That's
the
part
that
scares
me.
They
ask
too
many
questions.
A
A
B
If
you've
not
seen
this
document
in
a
while
this
fuzz
session
faq
that
we
did
a
while
back,
this
might
be
worth
a
read
for
some
of
the
sorts
of
questions.
You'll
get.
B
B
When
is
the
the
presentation
I'll
do
some
other
thinking?
If
I
can
think
of
any
other
questions,
you
might
get.
B
A
Yeah
but
the
session
is
the
20s
it's
tuesday
next
tuesday,
so
the
q,
a
with
the
live
q,
a
is
next
tuesday.
A
A
That
might
be
good,
just
as
my
savior.
A
I'll
ask
joe
to
he's
using
some
weird
meeting
thing
that
I've
never
encountered
before,
but
it
was
super
simple,
but
he'll
probably
have
to
send
you
a
link
for
that
yeah.
Okay,
cool!
Well!
Thank
you
very
much.
What
I'll
do
is,
after
I
record
it
I'll,
send
it
to
you
and
so
that
you
know
what
what
I
said,
what
we're
covering
yeah
yeah
all
right!
Well,
hey!
Thank
you
again.
I
really
really
appreciate
your
help.