From YouTube: 2020.06.29 - Brown Bag: Dogfooding: Fuzzing GitLab-Runner and the .gitlab-ci.yml Parser
Description
This is a BrownBag session (https://gitlab.com/gitlab-org/secure/brown-bag-sessions/-/issues/29) on setting up fuzzing on gitlab-runner and the .gitlab-ci.yml parser found in GitLab
A: So this is a brown bag about dogfooding fuzzing concepts with gitlab-runner and the GitLab CI YAML, and I'm actually really glad Yevgenii was able to make it, because this uses the MVC fuzzing that he is working on right now on our own products, and that's the dogfooding part of this. Alright, let me share my screen here.
A: Oh. I thought I knew where it was; this happens to me every single time I present. Alright, so my name is James Johnson, I am on the vulnerability research team, and today we will be talking about fuzzing theory and how I went about dogfooding some of the MVC work that's going on with coverage-based fuzzing, with gitlab-runner, and additionally how I set up fuzzing for the GitLab CI YAML parsing.
A: So the theory aspect will be very high-level; I'm not going into super detail. But generally, whenever someone sets up a fuzzing campaign, as some people call it: if you want to fuzz something, you first have to identify the attack surface, or the entry point, and then how you're going to generate data, and then you send it to the target program and monitor for unexpected behavior. Now, this is a very general approach, and it is not necessarily security related.
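The loop just described (pick an entry point, generate data, send it to the target, monitor for unexpected behavior) can be sketched in a few lines of Go. Everything below is illustrative, not from the talk: `toyTarget` is a stand-in program that "crashes" (panics) on inputs containing a 0xFF byte, and the data generator just flips random bytes of a seed.

```go
package main

import (
	"fmt"
	"math/rand"
)

// toyTarget stands in for the program under test: it panics when the
// input contains a byte it cannot handle.
func toyTarget(data []byte) {
	for _, b := range data {
		if b == 0xFF {
			panic("parser cannot handle 0xFF")
		}
	}
}

// mutate is the simplest possible data-generation strategy: copy the
// seed and overwrite a few random bytes with random values.
func mutate(rng *rand.Rand, seed []byte) []byte {
	out := append([]byte(nil), seed...)
	for n := 0; n < 3; n++ {
		out[rng.Intn(len(out))] = byte(rng.Intn(256))
	}
	return out
}

// runOnce sends one input to the target and monitors for unexpected
// behavior, which in this sketch means a recovered panic.
func runOnce(data []byte) (crashed bool) {
	defer func() {
		if recover() != nil {
			crashed = true
		}
	}()
	toyTarget(data)
	return false
}

func main() {
	rng := rand.New(rand.NewSource(1))
	seed := []byte("some sample input")
	crashes := 0
	for i := 0; i < 50000; i++ {
		if runOnce(mutate(rng, seed)) {
			crashes++
		}
	}
	fmt.Println("crashing inputs found:", crashes)
}
```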
A: So in a simple case you will have a target that accepts binary data and processes the data. That is the simplest to work with as far as fuzzing goes, and the target program may look something as simple as this. It could be a library that parses data, say ffmpeg or an image-parsing library, or something that works with fonts. It's very straightforward: you send it data and it does something with it.
A: However, that is not always the case. What if a target talks to a remote server via a REST API, or it's got some custom authentication going on, and there are no raw blobs of parsing happening within the target? Targets can be very complicated, and that makes it hard to really know where to start if you want to fuzz that target.
A: So to me, this is the main solution; it's how I always view it: you need to break it up and perform targeted fuzzing. You pick a single aspect of the complex target and you fuzz that intensely. So for each of the different examples that I had on the previous slide, you could fuzz specifically how it talks to the remote server, or how it parses JSON requests, or maybe you look at the state machine of the target as it's operating, and for each of those you'd have to set up your fuzzer differently.
A: It's not so much raw data that you are fuzzing, but more sequences of actions and the values within the data. So if you are fuzzing JSON data, you may want to have actual, well-structured JSON values instead of just raw data itself. But there is a problem here: this sounds very simple, but you can go down rabbit holes you weren't expecting, and that's something to be aware of as you go about fuzzing.
A: You may just be fuzzing that instead of your code itself, and the same goes for JSON and YAML parsing: if you aren't aware of exactly how your fuzzer is working, you may just be fuzzing the libraries that your code uses instead of the logic within your code. So targeted fuzzing is always much more effective than a one-size-fits-all solution, although that definitely has its place in a lot of cases, especially when a target is just accepting raw data and you can send it on its way. If it gets more involved than that, you need to know what you're fuzzing and what it's expecting, so that the actions you're trying to perform on the target aren't thrown out immediately.
A: Cool, so let's move on to dogfooding with gitlab-runner. So let's think about it: is gitlab-runner a simple case, and what functionality does it have? When I was first thinking of fuzzing gitlab-runner, and it wasn't just me thinking about it, it's something we had talked about, working with Yevgenii, trying to identify targets or projects within GitLab's code base that would be ideal for dogfooding the fuzzing features being developed. But gitlab-runner is not that simple.
A
Some
in
some
aspects
it
is,
but
it
does
talk
to
a
remote
server
uses
authentication
talks
to
the
arrest
API.
It
does
a
lot
of
different
things.
I
would
say
it's
definitely
not
the
simple
case
to
me,
some
of
the
more
interesting
things
that
it
does
are
dealing
with
the
artifacts.
It's
got
some
interesting
logic
and
how
it
processes
artifact
zips
from
other
jobs
within
the
stage
or
I
guess
just
other
jobs
and
as
well
as
the
way
it
handles
the
cash
it
does.
Do
some
yeah,
Mille,
parsing
I.
A: I don't think that's really the default case, though: in a lot of GitLab setups, by the time the YAML or the JSON data gets to gitlab-runner, it's already been validated and should be very well formed, because it's gone through GitLab even to get to the state where gitlab-runner uses it. And then it runs code in various types of executors: Docker, direct shell.
A
It
won't
spin
things
up
in
kubernetes,
so
it
is
a
little
overwhelming
thinking
about
okay,
which
how
am
I
going
to
fuzz
this
and
which
aspects
am
I
going
to
fuzz.
But
if
we
wanted
to
fuzz
how
it
spins
up
docker
containers
up
for
one
thing
that
would
not
be
very
fast
at
all,
it
would
be
extremely
slow
during
fuzzing.
Speed
is
important
if
you
can
only
do
one
iteration
per
second,
you
and
your
fuzzing
job
and
runs
for
an
hour.
A
You'll
only
be
able
to
do
3,600
test
cases
in
an
hour,
so
you
do
want
to
sort
of
have
in
mind
what
you
the
performance
aspect
of
it
and
what
the
impact
is
on
fuzzing.
A: The YAML parsing is a distinct feature within gitlab-runner, and one of the major cons, though, is that you might be fuzzing the Go YAML parser itself. We already talked about that, and I will definitely circle back to it again at the end of this presentation. Alright, so moving on to dogfooding: since we are dogfooding, this effort was largely based on trying to use the existing GitLab features, or the features being developed right now, and this is a link to a demo project that Yevgenii put together, and it uses the sample.
A: Let's go back here, alright. The coverage-guided fuzzing features being developed support go-fuzz. go-fuzz compiles the Go binary in a way that it'll work with libFuzzer, so you can compile it to a static library and then link it with libFuzzer using clang. And so you don't define a main function; what you define is a Fuzz function, and that is what goes into the static library. When you do the linking with clang, libFuzzer itself defines the main function that then calls your Fuzz function.
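A minimal harness in the shape go-fuzz expects looks like the sketch below. The `Fuzz(data []byte) int` signature and its return convention (1 for interesting inputs, 0 otherwise) are go-fuzz's; the body here parses JSON with the standard library as a self-contained stand-in for gitlab-runner's YAML config parsing, and the `main` only exists so the sketch runs on its own, since go-fuzz or libFuzzer normally supplies the driver.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Fuzz has the signature go-fuzz expects: raw bytes in, and a return
// of 1 when the input was interesting (parsed successfully) or 0
// otherwise, so the fuzzer knows whether to favor it in the corpus.
func Fuzz(data []byte) int {
	var v interface{}
	if err := json.Unmarshal(data, &v); err != nil {
		return 0 // rejected input: not interesting, but not a crash either
	}
	return 1 // well-formed input: worth keeping
}

// Stand-in driver; in a real setup go-fuzz-build produces the binary
// and libFuzzer's own main calls Fuzz in a loop.
func main() {
	fmt.Println(Fuzz([]byte(`{"stages": ["build", "test"]}`)))
	fmt.Println(Fuzz([]byte{0xff, 0x00}))
}
```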
A
That
is
in
your
test.
Harness
and
here
is
the
go
code
that
I
use
to
directly
test
the
llamó
parsing
inside
of
get
lab
runner
and
the
fuzz
function
here
is
at
the
bottom,
and
it
just
calls
this
parse
camel
function
and
yeah
I
took
most
of
this
code
directly
from
unit
tests.
I
think
unit
tests
are
a
fantastic
way
to
see
how
code
components
within
a
project
are
directly
run
and
tested,
and
it's
a
very
good
way
to
build
on
top
of,
or
it's
a
good
approach
to
create
the
fuzzing
harnesses
by
building.
A
All
right-
and
so
this
yam
well
here
is
the
animal
that
was.
This
is
the
way
it's
planned
and
you
have
Jenny
if
I'm,
if
something's
wrong
about
this-
and
it's
maybe
changed
a
little
bit.
Let
me
know
but
I'm
pretty
sure
this
is
about.
What's
planned,
it
was
what
was
in
the
demo
project.
A: I did have to change it slightly. In the script section I needed to make it use a very specific Go version: in the image that is used here, it's Go version 1.12, but for gitlab-runner it needs to be Go 1.13. And then the other thing that needed to be changed: go-fuzz needs to be rebuilt for Go 1.13. There was also a problem using go-fuzz when there wasn't a previous job.
A
That
was
wrong
and
I
may
have
set
something
up
incorrectly,
but
this
is
all
why
we
do
dogfooding
figure
things
out
and
figure
out
how
easy
it
is
to
use
the
product
and
shake
out
bugs
so
created
two
issues
on
those
and
so
I
say
that's
successful
dogfooding.
We
were
able
to
shake
out
a
few
issues
and
I'm
going
to
show
you
now
that
we
are
actually
running
fuzzing.
A: Alright, let's go back here and talk about exactly what it's doing. This is the type of data that was generated using the fuzzing harness that I made, and I did call this out: we may just be fuzzing the YAML parser itself inside of Go, because I'm not making the YAML well-formed; it is not structured, and this is what the fuzzer came up with. Now, the fuzzer is a coverage- or feedback-driven fuzzer: it mostly uses code coverage to determine if new code paths were followed by a certain input.
A
Admittedly,
I've
not
let
this
run
for
a
long
time
and
I
do
most
of
the
exercise
was
around
using
the
features
that
are
being
developed
as
part
of
the
coverage
base.
Fuzzing
MVC,
but
I
haven't
found
any
bugs
on
it
yet
and
that's
about
what
I
expected
actually
for
this
scenario,
some
of
the
other
scenarios
that
I
wanted
to
fuzz
but
I
didn't
have
time
to
put
them
together,
for
this
slide
is
I.
Think
I
didn't
call
it
out.
No
I
did
so
parsing.
The
animal
data
was
an
easy
one.
A
There's
some
kind
of
weird
logic
there
and
I've
noticed
that,
if
you
add
no
bytes
into
a
string
and
some
of
the
built-in
go
file
path
functions
when
you're
determining
the
relative
file
path,
and
you
have
a
null
byte
in
one
of
the
strings,
it
doesn't
behave.
The
way
I
thought
it
would,
and
so
that
would
be
something
that
I
would
want
to
fuzz
as
well,
specifically
the
file
names
inside
of
a
zip
file,
so
again
targeted
fuzzing
right
and
the
cash.
That's
also
the
same
thing.
A: You can specify a key for the cache that's used by the job, and there are specific checks that happen there, also with relative paths, and that logic, if something's wrong, might allow you to impact jobs being run from different projects. It depends on the executor being used for that job, though. So those are other things that I would be looking at.
A: I took some of the valid test YAML from the test cases and added it into this YAML corpus seeds directory, so I seeded the corpus of inputs that the fuzzer uses with actual data from the test cases, because I didn't set up the fuzzer to generate valid YAML from scratch. And I think that's why the output has a kind of vaguely familiar shape to it, instead of being absolutely totally random.
A: Alright, so, things that I want to do to improve on it. One of the focuses was to use the product, use the code being developed, and shake out usage bugs, but we do want to actually fuzz gitlab-runner and make it more stable and more secure.
A: So now that things are set up in place, and we have a fuzzing job that builds a target, runs it, generates crashes if it finds any, and uses a corpus, we should be adding new targets and possibly generating valid YAML data. The zip and file names thing was very interesting to me. The network data, I don't know; I'm on the fence about fuzzing the JSON REST API that gitlab-runner uses. I don't know if the attack scenario is really there.
A
Maybe
it
is.
If
somebody
could
impersonate
get
lab
itself
like
the
runners
trying
to
talk
to,
then
it
would
be
valid.
It
sounds
like
a
very
slim
thing
to
me.
So
again,
I
would
also
go
back
to
the
get
LeBaron
our
code
base
and
try
and
figure
out
understand
it
a
bit
better.
There's
a
lot
in
get
lab
Runner
and
it
does
a
lot
of
things.
It
has
a
long
history,
so
I'm
sure
there's
other
interesting
things
in
there
as
well.
A
C: Not a question, but yeah.
C: No, so, first, thanks for opening the issues. I'll add more handy Dockerfiles, because currently there is only one handy Docker image, and then I'll also take care of why go-fuzz was not available. I think maybe it's because I changed the name; the example still doesn't work because it's only up to date on my computer, some of the MRs are not merged, and I think maybe it's because we changed the name to gitlab-cov-fuzz. So.
A: Here we go, it downloaded go-fuzz. Oh, okay, so it probably downloaded an old go-fuzz binary and not a new one. Yeah.
A: Yeah, and on the flip side as well, I probably made a mistake setting it up; I've never used it before myself. I've played with the examples that you have set up, but setting it up from scratch, there's a high chance that I set something up wrong, so take what I made with a grain of salt.
A: Most of setting this up was just understanding gitlab-runner and what should actually be targeted, and I ended up settling on the YAML parser, because I knew where it was, there was a very clear path to set it up, and I wanted to just start using the MVC features that you've developed, Yevgenii. But I did find myself kind of getting lost, just reading all of gitlab-runner, trying to understand the different aspects of it, instead of just taking one and implementing something.
B: There are two issues you opened, which are things that we can help out on, kind of on the architecture side, but there's a certain level of work that has to be done... I guess what I'm saying is, I don't know if there are any ways that we can help out on what you had to do on the gitlab-runner side.
A: The unit tests: I did end up just going back to the unit tests and trying to see if there were good ones that demonstrated how different aspects were leveraged. Ideally, I was trying to find a high-level entry point to gitlab-runner that would let me hit a lot of the features inside of gitlab-runner, but there's a lot you would have to do for that to even happen, if I found that entry point: there's the state of gitlab-runner itself, you'd have to generate valid JSON that's well formed and everything that it's expecting. So it gets increasingly complicated the higher level you want to go, but the unit tests found in the project were a really good starting place, at least for me, to get this up and off the ground. Yeah.
C: I think so. I think it's a really, really good dogfooding for a very, very basic case. I'm not sure if we can do, at least in that case, something to help out with, because I think it's more of a kind of design question. Because, like, you need to understand... I mean, gitlab-runner is an okay place to do dogfooding inside GitLab, but it's not the best.
C: If there is a Go project where the attack vector is very easily understood, I mean, where you can very easily understand the attack vector on the given project, then you understand: okay, this is the entry point, any unauthenticated user is controlling this input, and obviously we should fuzz the parsing of this input. GitLab Runner is much more complex, and, I mean, I'm not very familiar with gitlab-runner, but I would need to take a much deeper look to understand it.
A: Yeah, that's what I was running into: it's hidden behind a few layers already, right? It's not something you have very direct access to. I think even when you are in a Docker container that was spawned by gitlab-runner, I'm not even sure if you could talk to it then. But, let's see, at least my understanding of the intention behind this dogfooding was to find a GitLab Go project to fuzz, using the go-fuzz features that you've been working on.
C: No, this project is also fine; I'm just not super familiar with the design of gitlab-runner. So, like, the idea that we talked about in some of the conversations here is: if, eventually, a user would be able to... let's...
C: ...execute code, because maybe it's more of a logic bug, or just crash a GitLab runner and, let's say, perform a denial of service on the shared runners on gitlab.com. Yeah, so, like, what is the input that is being parsed by gitlab-runner in that area? Because maybe it's just some kind of queue or an event that the user doesn't have any control over, this input. Yeah, so I'm not sure it's a good enough attack vector.
A: And so, actually, there was another reason why I liked using gitlab-runner: it did work with similar concepts as the next part of what I'm going to talk about, and that's fuzzing the GitLab CI YAML parser. That is kind of a one-off, but it covers the same topics that we have talked about already, except from a different perspective.
A
You
alright,
so
this
was
something
that
I
had
run
into
personally
a
few
weeks
ago
with
some
yeah
Mille
data
that
I
was
trying
to
use
on
a
project,
but
I
was
getting
500
errors
and
it
was
really
odd
to
me
that
I
wasn't
getting
validation
errors.
It
wasn't
telling
me
what
was
wrong
and
so
I
thought.
Okay,
there's
a
lot
of
or
gamal
data,
and
this
structure
of
data
is
used
all
over
gitlab
and
again
also
directly
and
get
lab
runner.
So
maybe
I
could
use.
A: Grammar-based fuzzers don't instrument a program; they generate the data based on a grammar, and that's what the generator I wrote does. It is Rust-based; I've made it to be as fast as possible. And so I wrote a Ruby gem that wraps my grammar for the GitLab CI YAML, exposes the Rust library via FFI, and also minimizes test cases that it finds. As you work more with fuzzers...
A
If
you
have
test
cases
that
are
minimized,
your
life
is
so
much
easier
because
you
don't
have
to
spend
forever
trying
to
figure
out
what
exactly
in
the
test
case
causes
the
problem.
Sometimes
it's
very
obvious,
but
a
lot
of
times
it's
not
and
for
this
topic
of
conversation
about
fuzzing
get
web
CI
e
animal
parser
found
in
get
lab
I'm
not
going
to
go
into
too
much
detail
aside
from
talking
about
the
code
and
just
talking
about
it
as
we
go
through
it.
So
this
is
how
you
can.
A: What is it... I'm blanking on the name. There's a Rails function that you can use to call a standalone script in the context of the Rails application. If you don't use it that way, then you have to... I got up to 20 separate requires just to try and get all of the includes correct, and it was a major pain, but yeah.
A
So
fuzz
once
is
very
simple:
it
just
Parsa,
see
animal
and
if
it
returns
raises
of
validation,
air
I
don't
care
about
it,
but
if
it
reaches
a
any
other
type
of
error,
I
want
to
know
about
it.
So
here
it's.
This
is
what
most
fuzzing
main
loops
generally
look
like.
There's
a
loop
and
you
call
a
function
to
do
one
iteration
of
fuzzing,
and
then
you
handle
any
errors
that
you
see.
Additional
features
you
might
see
in
fuzzing
code
might
be
something
like
code
coverage
managing
the
corpus
that
type
of
thing.
A
Generally,
though,
they
are
pretty
simple,
so
this
one
does
1
billion
iterations,
usually
I,
just
control,
see
it
when
I'm
done
as
I
was
developing
this,
since
this
is
not
in
a
job
or
pipeline
that
doesn't
really
matter
so
much.
But
here
this
is
the
ruby
gem
that
uses
the
rust
library
via
FFI
or
exposes
it
via
FFI,
and
in
that
rust
library
is
where
the
grammar
is
defined.
A
It
is
roughly
valid,
there's
additional
logic
that
happens
when
parson
is
performed
to
make
sure
like
if
you're
referencing,
a
job
or-
let's
see-
let's
say
you
have
a
trigger-
that's
supposed
to
trigger
a
pipeline
on
a
different
job.
The
parsing
will
validate
that.
That
section
is
valid,
so
this
doesn't
handle
things
like
that.
A
Just
the
structure
of
the
yamo
data
should
be
correct,
and
this
is
actually
the
animal
data
that
causes
a
500
server
error
on
get
lab,
calm
right
now
and
test
I
have
a
minimizer
that
minimizes
this
down
to
this
on
the
right
and
minimizer's
are
super
fun
to
implement.
It
does
a
binary
search
through
the
data
and
removes
chunks
at
a
time.
If
you
remove
the
chunk
and
it
still
crashes
the
same
way,
then
you
didn't
need
it,
and
then
you
continue
on
binary,
searching
through
the
data,
removing
things
or
keeping
them.
As
you
continue.
A: So it does two passes: it splits on newlines and reduces the data that way, and then once it's reduced that by splitting on newlines, it binary-searches through every byte in the file to reduce it even more. And the error specifically happens if you have a needs field and a dependencies field in the same job; then you get the exception I keep running into. Any questions on that before I move on?
D: Is it exhaustive?

A: It is generic: it operates on a list of items. Let me just pull up the code.
A: Those won't be split up any more, and then, with this collection of items, it binary-searches through the collection, removing blocks of items and testing to see if it still crashes. That's what happens here: it's split into a before, then the chunk being tested, and then an after. If the before and after concatenated together... it's like right here, actually. Is this big enough? Let me make it a little bigger, alright.
A
So
if
this
is
valid
just
the
before
and
after
then
that
means
you
didn't
need
the
chunk
of
data
that
you're
checking
right
and
then
you
just
return
blank,
meaning
the
data
I'm
checking.
We
don't
need
it
right,
and
but
if
you
do
need
it,
then
you
have
to
split
the
before
or
it
not
the
before
the
chunk,
you're
checking
into
its
own
before
and
after
and
then
check
each
of
them.
A
So
it's
recursive
and
binary
search
isn't
like
it
uses
binary
search
concepts,
but
it's
not
quite
the
same
as
trying
to
find
something
within
data
you're
trying
to
remove
things,
but
you
do
have
to
check
to
confirm
that
you
need
an
item
inside
of
the
collection
when
you
split
it,
so
you
split
it.
You
have
a
collection
of
items
to
confirm
that
you
absolutely
need
one
of
them.
You
have
to
reduce
it
down
to
just
a
single
item
and
remove
it
and
see
if
you
need
it
or
not.
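A line-based reducer following that recipe might look like the sketch below. The `stillCrashes` oracle is a stand-in that mimics the bug discussed (a job carrying both a needs field and a dependencies field), and instead of explicit recursion the chunk size is halved on each pass, which removes unneeded blocks the same way.

```go
package main

import (
	"fmt"
	"strings"
)

// stillCrashes is the oracle: a candidate is acceptable only if it
// still fails the same way. Here that means the document still
// contains both a needs field and a dependencies field.
func stillCrashes(lines []string) bool {
	joined := strings.Join(lines, "\n")
	return strings.Contains(joined, "needs:") &&
		strings.Contains(joined, "dependencies:")
}

// minimize removes chunks of lines at a time: if dropping a chunk
// keeps the crash, the chunk was unnecessary; otherwise keep it and
// move on. Chunk size halves each pass, down to single lines.
func minimize(lines []string) []string {
	for size := len(lines) / 2; size >= 1; size /= 2 {
		for i := 0; i+size <= len(lines); {
			candidate := append(append([]string{}, lines[:i]...), lines[i+size:]...)
			if stillCrashes(candidate) {
				lines = candidate // chunk not needed, drop it
			} else {
				i += size // chunk needed, move past it
			}
		}
	}
	return lines
}

func main() {
	input := []string{
		"stages: [test]",
		"build:",
		"  script: [make]",
		"test:",
		"  needs: [build]",
		"  dependencies: [build]",
		"  script: [make]",
	}
	fmt.Println(minimize(input))
}
```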
D: It makes a little sense. I was just wondering: if you have, like, only the structure, let's say you would only take the rules without the actual terminals inside, this example that you have here, would it actually be cool to use as a template for generating, like, multiple instances?
A: So the fitness function means: I explored new code paths, I made progress within the binary or target that I'm exploring. And so you take an input from the corpus, and you either do a crossover, where you merge it with an existing input, which is what you're talking about, and then use that for testing, or you mutate a single one. And if the fitness function says that new input caused progress, whatever your feedback mechanism is for that, then you add it back into the corpus. So it is a long series of random mutations, either mutating or crossing over with existing inputs.
A: Okay, so this is... no, I'm in the header file. Anyway, there is that logic that I just explained. Oh, and this is it right here. So this is the main mutation function for libFuzzer, which is what is being used in the first example, fuzzing the YAML in gitlab-runner. It performs random mutations, and the crossover is one type of mutation: it will take two inputs and merge them together.
A
And
yeah
that
is
I,
don't
think,
there's
anything
else
left
aside
from
this.
It
did
take
a
fair
amount
of
effort
to
create
the
llamo
structure
and
it's
not
even
finished
yet.
So
this
is
the
animal
data.
There
is
no
json
schema
that
we
have
for
the
get
web
CI
y
amal,
which
would
have
made
this
whole
process
a
ton
easier.
A: I could have written code to just use the schema as the grammar and generate data directly from that, but since we don't have that, I had to go through the GitLab CI documentation and write the grammar manually. So targeted fuzzing is much more effective, but it takes effort to set up. And that's about the end of this presentation.