Lmst
Login
Alexey Vishnyakov

PhD, Senior DevSecOps Engineer at Yandex Cloud, ex ISP RAS

Alexey VishnyakovVishnyaSweet@infosec.exchange
2025-07-01

I'm happy to announce the release of a new open-source library we've been working on: Go library for structure-aware fuzzing, designed as an analogue to libprotobuf-mutator. Fuzz your gRPC APIs and integrate into SSDLC.

github.com/yandex-cloud/go-pro

#fuzzing #go #grpc #ssdlc

Alexey VishnyakovVishnyaSweet@infosec.exchange
2023-12-12

Discovering 12 new integer truncation #bugs (and generating PoC seeds) in LibTIFF, libpcap, nDPI, unbound, FreeImage with dynamic symbolic execution. arxiv.org/abs/2312.06425

Alexey Vishnyakov boosted:
Andrey Fedotovanfedotoff@infosec.exchange
2023-09-16

My talk about #casr at OFFZONE 2023!!!
Slides:
offzone.moscow/upload/iblock/f
Video (in Russian):
youtu.be/EgEeICZQD9M

#fuzzing

Alexey Vishnyakov boosted:
Andrey Fedotovanfedotoff@infosec.exchange
2023-07-19

CASR 2.7.0 is available!
github.com/ispras/casr/release

Alexey VishnyakovVishnyaSweet@infosec.exchange
2023-07-13

Simply deduplicate and create reports for #UndefinedBehaviorSanitizer warnings with Casr: casr-ubsan -i corpus -o out -- /fuzz_target @@

github.com/ispras/casr/blob/ma

#casr #defectdojo #vulnerabilitymanagement #VulnerabilityAssesment #AppSec #DevSecOps
Image

Alexey VishnyakovVishnyaSweet@infosec.exchange
2023-06-08

casr-dojo: upload new and unique #crash reports found by #fuzzing to DefectDojo vulnerability management system: github.com/ispras/casr/blob/ma

#casr #defectdojo #vulnerabilitymanagement #VulnerabilityAssesment #AppSec #DevSecOps #cpp #rust #go #python

Alexey Vishnyakov boosted:
Andrey Fedotovanfedotoff@infosec.exchange
2023-05-16

github.com/ispras/casr/release
#casr 2.6.0, what's new:
casr-libfuzzer tool for triaging crashes found by libFuzzer based fuzzers (C/C++/go-fuzz/Atheris)
kodama crate for clustering instead of python scipy
RISCV support
#fuzzing

Alexey VishnyakovVishnyaSweet@infosec.exchange
2023-04-07

casr-libfuzzer: triage crashes in C/C++/Go/Python code found by libFuzzer/Atheris/go-fuzz

casr-libfuzzer -o out -- /fuzz_target

github.com/ispras/casr

#casr #fuzzing #libfuzzer #atheris #go #python #cpp

Alexey Vishnyakov boosted:
Andrey Fedotovanfedotoff@infosec.exchange
2023-03-22

github.com/ispras/casr/release
#casr 2.5.0, what's new:
#libcasr: library for crash triage, stacktrace parsing, severity estimation, and collecting crash reports.
Crash triaging for Go panics
AARCH64 support
#fuzzing

Alexey Vishnyakov boosted:
Andrey Fedotovanfedotoff@infosec.exchange
2023-03-14

My blog post about #fuzzing #go project golang/image: github.com/ispras/oss-sydr-fuz
0. Changing existing fuzz target to find new bugs.
1. Creating target for symbolic execution.
2. Approach for code coverage collection after fuzzing with go-fuzz libFuzzer.
3. Go panic triage with #casr.
4. Fix: github.com/golang/image/pull/1

Alexey Vishnyakov boosted:
Andrey Fedotovanfedotoff@infosec.exchange
2023-02-03

New casr 2.4.0 is available!
github.com/ispras/casr/release
casr-cli now provides a joint statistics all over reports!
casr-afl now copies crashes next to reports, produces casr reports in parallel and prints casr-cli joint statistics!
#casr #AFLplusplus

Alexey Vishnyakov boosted:
Andrey Fedotovanfedotoff@infosec.exchange
2022-12-24

Checkout new #casr 2.3.0 release!!!
github.com/ispras/casr
- rust panic support in casr-san/casr-gdb
- c++ exceptions support in casr-san/casr-gdb
- casr-python for creating CASR reports from python crashes🔥​

P. S. Merry Christmas! ❄️​❄️​❄️​
#fuzzing #afl #aflplusplus #python

Alexey VishnyakovVishnyaSweet@infosec.exchange
2022-12-15

Finally defended my PhD "Error detection in binary code with dynamic symbolic execution" 🎉

Alexey Vishnyakov boosted:
Peter N. M. Hansteenpitrh
2022-12-08

Fuzzing ping(8) … and finding a 24 year old bug. undeadly.org/cgi?action=articl

Alexey VishnyakovVishnyaSweet@infosec.exchange
2022-12-02

Sydr-Fuzz slides from today talk and demo video! New bugs in TensorFlow, PyTorch, Cairo, OpenJPEG, Poppler, ICU, Tarantool, Torchvision, etc.
vishnya.xyz/vishnyakov-ispraso
vishnya.xyz/vishnyakov-ispraso

Alexey Vishnyakov boosted:
Andrea Fioraldiandreafioraldi@infosec.exchange
2022-11-23

LibAFL QEMU full-system mode is a thing! Check out the example that fuzz a small ARM FreeRTOS firmware at github.com/AFLplusplus/LibAFL/

Next step: fast memory and devices snapshots

Alexey VishnyakovVishnyaSweet@infosec.exchange
2022-11-22

@dmnk @aflplusplus Btw, we are open to PRs in github.com/ispras/oss-sydr-fuz We can fuzz any target with sydr-fuzz in our infrastructure and give u the bugs to report!

Alexey VishnyakovVishnyaSweet@infosec.exchange
2022-11-22

@dmnk @aflplusplus We just open sourced Casr (a part of sydr-fuzz dynamic analysis pipeline). We don't have plans to open source other parts in near future. However, we may do so some day.

Alexey VishnyakovVishnyaSweet@infosec.exchange
2022-11-22

Sydr-Fuzz: Continuous Hybrid Fuzzing and Dynamic Analysis for Security Development Lifecycle arxiv.org/abs/2211.11595

85 new bugs in 22 open source projects. Dynamic analysis pipeline: hybrid #fuzzing with symbolic executor Sydr and libFuzzer or @aflplusplus, corpus minimization, error detection (out of bounds, integer overflow, etc.) via symbolic security predicates, collecting coverage, crash triaging (deduplication, clustering, severity estimation) with Casr: github.com/ispras/casr

FuzzBench: sydr-fuzz.github.io/fuzzbench
OSS-Sydr-Fuzz: github.com/ispras/oss-sydr-fuz

Alexey Vishnyakov boosted:
Andrey Fedotovanfedotoff@infosec.exchange
2022-11-21

At last, new casr 2.2.0 release with casr-afl!!!
Triaging crashes found by @aflplusplus as simple as it could be:
$ cargo install casr
$ casr-afl -i afl-out -o casr-out
$ casr-cli casr-out/cl1/<report_name>

github.com/ispras/casr

#casr #fuzzing #afl #AFLplusplus

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst