In case you missed the talks, their recordings have been released:
https://video.fosdem.org/2026/ub5132/BHNWLN-rosa-backdoor-detector.mp4
https://video.fosdem.org/2026/h2213/BYACG8-automatic-backdoor-detection-in-ci.mp4
The video of the talk is now available here: https://video.fosdem.org/2026/ub5132/BHNWLN-rosa-backdoor-detector.av1.webm
Check it out if you're in #security and/or #fuzzing. I guarantee it will be worth your time and you'll have fun too!
WOW! Full #security devroom at #FOSDEM, for the presentation of "ROSA: finding #backdoors with #fuzzing" by my fellow co-authors @plumtrie and M. Marcozzi.
More about this work in the full paper at https://arxiv.org/abs/2505.08544 (#openaccess, of course)
Justus Wilhelm Perlwitz's talk from #TenguCon 2.0 on QEMU and AFL++ fuzzing for MIPS-based networking equipment is available now!
Check it out!
#tengusec #Hacking #InfoSec #qemu #fuzzing #MIPS #networking #tokyo #CyberSecurity
Fuzzing PostgreSQL at the front door 🔍
Adam Wołk (Microsoft) shows how fuzzing uncovers edge-case bugs in libpq and #PgBouncer. Learn how to build harnesses, mutate protocol inputs, and harden Postgres networking code against real-world failures. https://p2d2.cz/en/talks/knocking_at_the_door_fuzzing_libpq_and_pgbouncer/
#libpq #Fuzzing #DatabaseSecurity #PostgresDev #OpenSource #DBA #DeveloperTools
Hej!
I have recently written, for no particular reason, my version of ffuf, wfuzz, dirbuster and such, named DirNutek, in #rustlang. It's open-source and completely free. Don't hesitate to try it out for yourself or skim through the code and drop your issues or add something new.
Spoiler. I wrote this using only Gemini CLI #gemini and had to help it during development only once or twice.
Published my first PyPI package today, called lafleur.
#lafleur is a specialized CPython JIT fuzzer that uses a coverage-guided, evolutionary approach. It executes test cases, observes their effect on the JIT's state by analyzing verbose trace logs, and uses that feedback to guide its mutations, becoming smarter at finding interesting code paths over time.
Let me know if you use it or have any questions.
https://pypi.org/project/lafleur/
https://github.com/devdanzin/lafleur
All #fuzzing papers: we improved coverage by 0.1025% but discovered 100 new previously unknown vulnerabilities! 😂
Fuzzy Property Testing
There are two categories of programmers: the first writes tests, the second works. A mediocre joke, of course, but in every yarn stuck in the groups of dead, archived forums, under dust and mothballs, you can feel a layer of granite, the real truth. The now-fashionable "covering code with tests" looks like an attempt to wrap an iceberg in New Year's tinsel: fun, sure, but the Titanic still goes to the bottom. I am going to talk about how to properly test code in isolation (integration tests are a beast from the neighbouring enclosure, and they get their own story another time). For this we need a couple of definitions. Fuzzing is a testing method in which a program is fed huge volumes of random, semi-random, or outright deliberately corrupted data, in the hope of uncovering vulnerabilities or bugs. Originally the method was used in academia to hunt for security holes, but it quickly migrated into the hands of sensible developers. Property-based testing, in turn, is an approach to testing where, instead of checking specific examples like "two times two is four", we formulate general properties of the system. For example: "if a function takes a list and returns a list, the length of the result must not exceed the length of the input". The tool then generates thousands, even millions, of input variants and checks whether the condition holds. Taste it!
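The property quoted in the post ("the result must not be longer than the input"), run through a small property-based testing loop with random generation and shrinking. This is an added example, not code from the post or from any library; it uses only the standard `random` module where a real tool such as Hypothesis would supply far better generators and shrinkers, and `dedup_buggy` is a constructed faulty implementation.

```python
"""Minimal property-based testing: random inputs plus shrinking (added example)."""
import random
from typing import Callable, Iterator, List, Optional

Prop = Callable[[List[int]], bool]


def gen_int_list(rng: random.Random, max_len: int = 20) -> List[int]:
    """Random list of small ints: the 'fuzzing' half of property-based testing."""
    return [rng.randint(-50, 50) for _ in range(rng.randint(0, max_len))]


def shrink_candidates(xs: List[int]) -> Iterator[List[int]]:
    """Yield strictly smaller variants of xs: drop a chunk, drop one element,
    or move one element toward zero. Every candidate is smaller, so shrinking ends."""
    n = len(xs)
    for k in sorted({n // 2, 1}, reverse=True):
        if k == 0:
            continue
        for i in range(0, n, k):
            yield xs[:i] + xs[i + k:]
    for i, x in enumerate(xs):
        if x != 0:
            yield xs[:i] + [int(x / 2)] + xs[i + 1:]   # int() truncates toward zero


def shrink(xs: List[int], prop: Prop) -> List[int]:
    """Greedy shrinking: repeatedly take the first smaller candidate that still fails."""
    current = xs
    while True:
        for cand in shrink_candidates(current):
            if not prop(cand):
                current = cand
                break
        else:
            return current


def check(prop: Prop, runs: int = 200, seed: int = 0) -> Optional[List[int]]:
    """Try prop on `runs` random lists; return a shrunk counterexample, or None if all pass."""
    rng = random.Random(seed)
    for _ in range(runs):
        xs = gen_int_list(rng)
        if not prop(xs):
            return shrink(xs, prop)
    return None


# Two implementations under test.
def dedup(xs: List[int]) -> List[int]:
    """Order-preserving duplicate removal."""
    return list(dict.fromkeys(xs))


def dedup_buggy(xs: List[int]) -> List[int]:
    """Constructed bug: a negative value also emits its absolute value."""
    out: List[int] = []
    for x in xs:
        if x in out:
            continue
        out.append(x)
        if x < 0:
            out.append(-x)
    return out


def no_longer_than_input(f: Callable[[List[int]], List[int]]) -> Prop:
    """The property from the post: a list-to-list function never returns more than it got."""
    return lambda xs: len(f(xs)) <= len(xs)


if __name__ == "__main__":
    print("dedup:", check(no_longer_than_input(dedup)))              # None
    print("dedup_buggy:", check(no_longer_than_input(dedup_buggy)))  # [-1]
```

Shrinking is what turns a random twenty-element failure into the one-element `[-1]` a reader can understand at a glance; without it, the counterexample is little better than a raw fuzzer crash file.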
#Bugs that survive the heat of continuous #fuzzing by @GitHubSecurityLab
I've added the slides and the source code for the Sokoban game to the links for my presentation; it appears on the app, but seemingly not the website... For reference, they are:
Links
Source Code (wasm)
Source Code (web)
Slides
Sokoban Fuzzer
I'll be changing out the sokoban puzzle every 30 minutes from here on out :)
#39c3 #fuzzing
Very cool talk on fuzzers - reminds me of what the angr community does:
https://events.ccc.de/congress/2025/hub/en/event/detail/demystifying-fuzzer-behaviour
From Coverage to Causes: Data-Centric Fuzzing for JavaScript Engines:
(paper) https://arxiv.org/pdf/2512.18102
(project) https://github.com/KKGanguly/DataCentricFuzzJS
AFL++ 4.35c release! Complete hidden coverage gathering, GUIFuzz++ support, IJON for qemu, various fixes! https://github.com/AFLplusplus/AFLplusplus/releases/tag/v4.35c #fuzzing #fuzzer
SQLite's #testing process is like a buffet of #nerdy #delights, offering everything from #SQL #fuzzing to #crash #testing 🍽️. It's a wonder they didn't list "testing the patience of readers" among their rigorous methods. Maybe next time they'll just use the tried-and-true "cross your fingers and hope for the best" approach 🤞.
https://sqlite.org/testing.html #SQLite #HackerNews #ngated
There's a researcher, Jiang Yuancheng, who's doing great work finding CPython crashes and memory leaks: https://github.com/python/cpython/issues?q=is%3Aissue%20author%3AYuanchengJiang
They've come up with a very clever idea for a new way of fuzzing, made a fine tool out of it, and are reaping great results.
Fuzzing can be a diminishing returns endeavor: you only have so many bugs to find. Their approach has shown itself to cover different areas and kinds of issues well, as shown by their track record.
Kernel fuzzing on Mac with syzkaller
Guide to build a VM, add a vulnerable driver and crash it using syzkaller from macOS.