AppSec Conference | 100% ONLINE
FuzzCon Europe is an up-and-coming application security testing conference, bringing together developers, DevOps Engineers, and security experts to make software more reliable and secure.
More than 1100 developers and security experts attended FuzzCon Europe 2020.
by leading security experts from the software industry and research.
in coding sessions focused on real use cases and challenges.
Format
Welcome and Introduction
Session Time
4:00 - 4:15 pm (CET)
Speakers
Sergej Dechand
____________________
Abstract
Sergej Dechand is CEO and co-founder of Code Intelligence, but he is also an expert with years of experience in software testing and usable security at Fraunhofer FKIE.
In this first session, he will give us a short and entertaining introduction to fuzzing and automated security testing.
What are current pain points and challenges of modern security testing? And how can we support developers to find and fix bugs as early as possible?
Format
Scientific Talk
Session Time
4:15 - 4:45 pm (CET)
Speakers
Thuan Pham, University of Melbourne
____________________
Abstract
Parallel coverage-guided greybox fuzzing is the most common setup for vulnerability discovery at scale. However, so far it has received little attention from the research community compared to single-mode fuzzing, leaving open several problems, particularly in its task allocation strategies. Current approaches focus on managing micro tasks, at the seed input level, and their task division algorithms are either ad-hoc or static.
In this talk, we present our new idea to address these problems. We leverage research on graph partitioning and search algorithms to propose a systematic and dynamic task allocation solution that works at the macro-task level.
We implemented a prototype tool called AFLTeam. In our preliminary experiments on well-tested benchmarks, AFLTeam achieved higher code coverage (up to 16.4% branch coverage improvement) compared to the default parallel mode of AFL and discovered zero-day bugs in FFmpeg and JasPer toolkits.
Format
Coding Session
Session Time
4:45 - 5:15 pm (CET)
Speakers
Madalin Ilie
____________________
Abstract
APIs are everywhere. The session will describe a tool I wrote called CATS, which takes the boring part out of API testing by letting QA Engineers focus on the creative side of testing.
By using a simple and minimal syntax, with a flat learning curve, CATS enables you to generate hundreds of API tests within seconds with no coding effort. All test cases are generated and run automatically based on a pre-defined set of 72 Fuzzers.
The Fuzzers cover different types of testing like: negative testing, boundary testing, structural validations, security and even end-to-end functional flows.
Format
Scientific Talk
Session Time
5:15 - 6:00 pm (CET)
Speakers
Rafael Dutra & Rahul Gopinath, CISPA Helmholtz Center for Information Security
____________________
Abstract
In this talk, we present several ways in which fuzzers can be enhanced with an input language specification, in order to enable focused fuzzing and reach deeper parts of the code.
First, we focus on input languages which are expressed as context-free grammars, as well as refinements of such grammars. Here, we show how those grammars can be mined from the program execution, as well as abstracted to capture particular behaviors, such as a failure-inducing pattern. We also show how the original input grammar can be refined to produce the pattern of interest, or even a boolean combination of such patterns, enabling a full algebra of inputs. Next, we focus on the fuzzing of binary file formats, such as MP4 or ZIP. We show how such formats can be effectively represented using binary templates, which are a format specification used by the 010 Editor.
Our new tool FormatFuzzer can turn those binary templates into highly efficient parsers, mutators and generators for the specified format. This can be integrated into existing fuzzers such as AFL++ to boost their efficacy and detect new memory errors.
Format
Scientific Talk
Session Time
6:00 - 6:30 pm (CET)
Speakers
Lea Gröber, CISPA Helmholtz Center for Information Security
____________________
Abstract
The Web has improved our ways of communicating, collaborating, teaching, and entertaining us and our fellow human beings. However, this cornerstone of our modern society is also one of the main targets of attacks, most prominently Cross-Site Scripting (XSS). A correctly crafted Content Security Policy (CSP) is capable of effectively mitigating the effect of those Cross-Site Scripting attacks.
However, research has shown that the vast majority of all policies in the wild are trivially bypassable. To uncover the root causes behind the omnipresent misconfiguration of CSP, we conducted a qualitative study involving 12 real-world Web developers.
By combining a semi-structured interview, a drawing task, and a programming task, we were able to identify the participants' misconceptions regarding the attacker model covered by CSP as well as roadblocks for secure deployment or strategies used to create a CSP.
Format
Coding Session
Session Time
6:30 - 7:00 pm (CET)
Speakers
Fabian Meumertzheim, Senior Software Engineer, Code Intelligence
____________________
Abstract
Since Code Intelligence’s Java fuzzer “Jazzer” was open-sourced in February 2021, it has found over 200 bugs and vulnerabilities in popular open-source libraries such as jsoup, Jackson and Apache Commons. With its integration into OSS-Fuzz, Google’s open-source fuzzing platform, all these projects are continuously fuzzed for hundreds of CPU hours a day.
In this talk, I want to highlight some of the features that Jazzer has gained since its initial release:
Format
Coding Session
Session Time
7:00 - 7:30 pm (CET)
Speakers
Paul Butcher, AdaCore
____________________
Abstract
For obvious reasons, civilian aerospace is steeped in safety regulation. Long-standing international governing bodies mandate and oversee the specification, design and implementation of civil avionics such that failure conditions that could lead to safety hazards are identifiable, assessed and mitigated.
This talk will discuss why international aerospace regulatory bodies felt that additional guidelines combining aviation safety and security were needed in the form of a "Security Airworthiness Process".
Through the HICLASS UK research group, AdaCore has been developing security focused software development tools that are aligned with the objectives stated within the avionics security standards. In addition, we have been developing further guidelines that describe how vulnerability identification and security measure quality assessment activities can be described within a Plan for Security Aspects of Certification.
Format
Fuzzing Use Case
Session Time
7:30 - 8:00 pm (CET)
Speakers
Philippe Antoine, Catena cyber
____________________
Abstract
Fuzzing is especially relevant for Suricata, a Network Intrusion Detection System, as Suricata parses and processes a vast number of complex formats.
Even if fuzzing has already been used for several years, it keeps on finding bugs in both old and new code.
This talk will cover which improvements and tuning were brought to the fuzzing framework and could be applied to similar open-source projects, and will give some results about the latest bugs found by fuzzing.
Format
Fuzzing Use Case
Session Time
08:00 - 08:30 pm (CET)
Speakers
Raghudeep Kannavara, Intel
____________________
Abstract
The Real SIP Fuzzer is a fuzzer framework for Soft IPs (SIPs). SIPs are reusable units of logic, generally offered as synthesizable RTL models, usually developed in Verilog. Fuzzing is an automated testing technique that inputs invalid, random data to a target under test (e.g., software, firmware, web service APIs, etc.).
Fuzzing stimuli to SIP Verilog models in a simulation environment is challenging primarily because simulation is slow. Even if test cases are generated in parallel, simulation needs to happen in parallel to avoid a bottleneck, along with enabling coherency between different stimulus generators and simulations to avoid repetition of test cases. This is not easily scalable. FPGA models are very useful in enabling faster verification, but require effort to set up emulation or an FPGA prototype.
Now, we introduce theRealSIPfuzzer to explore potential solutions to *some* issues mentioned earlier, using techniques to convert Verilog code to behavioral C++ models whose inputs can be fuzzed using coverage driven fuzzers to identify interesting misbehaviors such as SIP hangs (undefined behavior) and violation of defined rules (unexpected outputs).
Format
Coding Session
Session Time
8:30 - 9:00 pm (CET)
Speakers
Andrea Fioraldi & Dominik Maier, LibAFL
____________________
Abstract
In this talk, we present LibAFL, a library to build scalable, extendable fuzzers in Rust.
LibAFL can fuzz on Windows, Linux, macOS, Android, and even embedded devices and offers a wide variety of source and binary-only instrumentation modes. Before LibAFL, the common path to implement a novel fuzzing idea was to fork AFL's monolithic codebase. This spawned countless improvements that cannot be combined.
To make new research compatible, we worked for over a year on a framework that allows complete code reuse, similar to how LLVM allows you to stack your own passes onto existing ones (in theory) without issues. Instead of a one-trick-pony command line tool, LibAFL allows security researchers to slot together the perfect fuzzer for their target. They can combine our algorithms, implemented as ready-to-use blocks, with their own, in a completely orthogonal way.
We present the ideas behind LibAFL, and how to use and extend it for your own projects. Save the date!
Get access to all records and learn more about current trends in IT security testing and secure application development.
LibAFL
Code Intelligence
CISPA
CISPA
Catena cyber
Jazzer
Endava
FormatFuzzer
What Developers Say About FuzzCon Europe
Interesting to see how an entirely new industry is now growing purely around fuzzing. In conclusion: a very slick event - well done to all involved!
Great conference great information, thanks for bringing us the best!
Great talks and lots of interesting tools/techniques to follow up on. Great job organizers and speakers :-).
I really liked the efficiency of the conference - it went very smoothly without any interruptions.
"Fuzzing" or "fuzz testing" is currently the most effective testing approach to automatically detect security and stability issues in software. It involves providing invalid, unexpected, or random data as inputs to a computer program.
Modern fuzzing engines (such as AFL++ or Jazzer) do not just use random inputs, but smart algorithms that tailor the input to increase the amount of code which is tested/covered by the fuzzer.
October 21st, 2021, time tba (GMT-7).
Clickmeeting. It's a browser-based conference platform, so you don't have to worry about any installation. All you need to join FuzzCon Europe 2021 is the conference URL that we will provide in your email invitation. Just register for the event, and you're good to go! Learn more about Clickmeeting.
Yes! Every session was recorded. Just sign up, and we will provide you with the recordings.
Yes! All sessions will be recorded, and we will provide a live stream on YouTube. If you miss the opening of a talk, you can always rewind the live stream or watch the recording afterwards.
You're welcome! You can contact us anytime via email.