FuzzCon_2021-Logo

Ship Secure Software Fast

AppSec Conference | 100% ONLINE

WHY ATTEND FUZZCON EUROPE?

Fuzzcon Europe is an uprising application security testing conference, bringing together developers, DevOps Engineers, and security experts to make software more reliable and secure.

JOIN THE CONFERENCE

More than 1100 developers and security experts attended FuzzCon Europe 2020.

SOURCE_Events

GET INSPIRED

by leading security experts from the software industry and research.

SOURCE_Code

ENGAGE

in coding sessions focused on real use cases and challenges.

Slack
MEET THE COMMUNITY

Join our Slack community to network and exchange ideas with other experts.

Agenda and Program

4 - 9 pm, European Central Time (CET) 

Shipping Secure Software Should Be Easier!

Format
Welcome and Introduction

Session Time
4:00- 4:15 pm (CET)

Speakers
Sergej Dechand
____________________

Abstract
Sergej Dechand is CEO and co-founder of Code Intelligence but he also an expert with years of experience in software testing and usable security at Frauenhofer FKIE.

In this first session, he will give us a short and entertaining introduction to fuzzing and automated security testing. 

What are current pain points and challenges of modern security testing? And how can we support developers to find and fix bugs as early as possible? 

 

Click here to register for FuzzCon Europe 2021

Towards Systematic and Dynamic Task Allocation for Collaborative Parallel Fuzzing

Format
Scientific Talk

Session Time
4:15 - 4:45 pm (CET)

Speakers
Thuan Pham, University of Melboune
____________________

Abstract

Parallel coverage-guided greybox fuzzing is the most common setup for vulnerability discovery at scale. 
However, so far it has received little attention from the research community compared to single-mode fuzzing, leaving open several problems, particularly in its task allocation strategies. Current approaches focus on managing micro tasks, at the seed input level, and their task division algorithms are either ad-hoc or static.

In this talk, we present our new idea to address these problems. We leverage research on graph partitioning and search algorithms to propose a systematic and dynamic task allocation solution that works at the macro-task level.

We implemented a prototype tool called AFLTeam. In our preliminary experiments on well-tested benchmarks, AFLTeam achieved higher code coverage (up to 16.4% branch coverage improvement) compared to the default parallel mode of AFL and discovered zero-day bugs in FFmpeg and JasPer toolkits.


Click here to register for FuzzCon Europe 2021

API level fuzzing: how to harden your REST endpoints!

Format
Coding Session

Session Time
4:45 - 5:15 pm (CET)

Speakers
Madalin Ilie
____________________

Abstract

APIs are everywhere. The session will describe a tool I wrote called CATS which removes the boring part out of API testing, by letting QA Engineers focused on the creative side of testing.

By using a simple and minimal syntax, with a flat learning curve, CATS enables you to generate hundreds of API tests within seconds with no coding effort. All tests cases are generated and run automatically based on a pre-defined set of 72 Fuzzers.

The Fuzzers cover different types of testing like: negative testing, boundary testing, structural validations, security and even end-to-end functional flows.


Click here to register for FuzzCon Europe 2021

 
Input Languages for Effective and Focused Fuzzing

Format
Scientific Talk

Session Time
5:15 - 6:00 pm (CET)

Speakers
Rafael Dutra & Rahul Gopinath, CISPA Helmoltz Center for Information Security
____________________

Abstract

In this talk, we present several ways in which fuzzers can be enhanced with an input language specification, in order to enable focused fuzzing and reach deeper parts of the code.

First, we focus on input languages which are expressed as context-free grammars, as well as refinements of such grammars. Here, we show how those grammars can be mined from the program execution, as well as abstracted to capture particular behaviors, such as a failure-inducing pattern. We also show how the original input grammar can be refined to produce the pattern of interest, or even a boolean combination of such patterns, enabling a full algebra of inputs. Next, we focus on the fuzzing of binary file formats, such as MP4 or ZIP. We show how such formats can be effectively represented using binary templates, which are a format specification used by the 010 Editor.

Our new tool FormatFuzzer can turn those binary templates into highly efficient parsers, mutators and generators for the specified format. This can be integrated into existing fuzzers such as AFL++ to boost their efficacy and detect new memory errors.

Click here to register for FuzzCon Europe 2021

12 Angry Developers - A Qualitative Study on Developers’ Struggles with CSP

Format
Scientific Talk

Session Time
6:00 - 6:30 pm (CET)

Speakers
Lea Gröber, CISPA Helmholtz Center for Information Security
____________________

Abstract

The Web has improved our ways of communicating, collaborating, teaching, and entertaining us and our fellow human beings. However, this cornerstone of our modern society is also one of the main targets of attacks, most prominently Cross-Site Scripting (XSS). A correctly crafted Content Security Policy (CSP) is capable of effectively mitigating the effect of those Cross-Site Scripting attacks.

However, research has shown that the vast majority of all policies in the wild are trivially bypassable. To uncover the root causes behind the omnipresent misconfiguration of CSP, we conducted a qualitative study involving 12 real-world Web developers.

By combining a semi-structured interview, a drawing task, and a programming task, we were able to identify the participant’s misconceptions regarding the attacker model covered by CSP as well as roadblocks for secure deployment or strategies used to create a CSP.

Click here to register for FuzzCon Europe 2021

Jazzer 2.0: Taking Java Fuzzing to the Next Level

Format
Coding Session

Session Time
6:30 - 7:00 pm (CET)

Speakers
Fabian Meumertzheim, Senior Software Engineer, Code Intelligence
____________________

Abstract

Since Code Intelligence’s Java fuzzer “Jazzer” has been open-sourced in Febrary 2021, it has found over 200 bugs and vulnerabilities in popular open-source libraries such as jsoup, Jackson and Apache Commons. With its integration into OSS-Fuzz, Google’s open-source fuzzing platform, all these projects are continuously fuzzed for hundreds of CPU hours a day. 

In this talk, I want to highlight some of the features that Jazzer has gained since its initial release: 

  • macOS and Windows support 
  • Autofuzz – start fuzzing with just a .jar and a method name! 
  • Bug detectors for certain high-severity vulnerability classes (e.g. unsafe deserialization/reflection) 


Click here to register for FuzzCon Europe 2021

Fuzzing for Security Airworthiness

Format
Coding Session

Session Time
7:00 - 7:30 pm (CET)

Speakers
Paul Butcher, AdaCore
____________________

Abstract

For obvious reasons, civilian aerospace is steeped in safety regulation. Long-standing international governing bodies mandate and oversee the specification, design and implementation of civil avionics such that failure conditions, that could lead to safety hazards, are identifiable, assessed and mitigated.

This talk will discuss considerations over why international aerospace regulatory bodies felt additional guidelines, that combine aviation safety and security, were needed in the form of a "Security Airworthiness Process".

Through the HICLASS UK research group, AdaCore has been developing security focused software development tools that are aligned with the objectives stated within the avionics security standards. In addition, we have been developing further guidelines that describe how vulnerability identification and security measure quality assessment activities can be described within a Plan for Security Aspects of Certification.


Click here to register for FuzzCon Europe 2021

Keeping on Fuzzing and Fixing Suricata

Format
Fuzzing Use Case

Session Time
7:30 - 8:00 pm (CET)

Speakers
Philippe Antoine, Catena cyber
____________________

Abstract

Fuzzing is especially relevant for Suricata, a Network Intrusion Detection System, as Suricata parses and processes a vast number of complex formats.

Even if fuzzing has already been used for several years, it keeps on finding bugs in both old and new code.

This talk will cover which improvements and tuning were brought to the fuzzing framework and could be applied to similar open-source projects, and will give some results about the latest bugs found by fuzzing.

Click here to register for FuzzCon Europe 2021

theRealSIPfuzzer

Format
Fuzzing Use Case

Session Time
08:00 - 08:30 pm (CET)

Speakers
Raghudeep Kannavara, Intel
____________________

Abstract

The Real SIP Fuzzer is a fuzzer framework for the Soft IPs (SIP). SIPs are reusable unit of logic, generally offered as synthesizable RTL models, usually developed in Verilog. Fuzzing is an automated testing technique that inputs invalid, random data to a target under test (e.g., software, firmware, web service APIs etc).

Fuzzing stimuli to SIP Verilog models in a simulation environment is challenging primarily because simulation is slow. Even if test cases are generated in parallel, simulation needs to happen in parallel to avoid a bottleneck, along with enabling coherency between different stimulus generators and simulations to avoid repetition of test cases. This is not easily scalable. FPGA models are very useful in enabling faster verification, but require efforts to set up emulation or FPGA prototype.

Now, we introduce theRealSIPfuzzer to explore potential solutions to *some* issues mentioned earlier, using techniques to convert Verilog code to behavioral C++ models whose inputs can be fuzzed using coverage driven fuzzers to identify interesting misbehaviors such as SIP hangs (undefined behavior) and violation of defined rules (unexpected outputs).

Click here to register for FuzzCon Europe 2021

LibAFL: The Advanced Fuzzing Library

Format
Coding Session

Session Time
8:30 - 9:00 pm (CET)

Speakers
Andrea Fioraldi & Dominik Maier, LibAFL
____________________


Abstract
In this talk, we present LibAFL, a library to build scalable, extendable fuzzers in Rust.

LibAFL can fuzz on Windows, Linux, MacOS, Android, and even embedded devices and offers a wide variety of source and binary-only instrumentation modes. Before LibAFL, the common path to implement a novel fuzzing idea was to fork AFL's monolithic codebase. This spawned countless improvements that cannot be combined.

To make new research compatible, we worked for over a year on a framework that allows complete code reuse, similar to how LLVM allows you to stack own passes onto existing ones (in theory) without issues. Instead of a command line tool one-trick-pony, LibAFL allows security researchers to slot the perfect fuzzer for their target together. They can combine our algorithms, implemented as ready-to-use blocks, with their own, in a completely orthogonal way.

We present the ideas behind LibAFL, and how to use and extend it for your own projects. Save the date!

FuzzCon_Logo
THIS WAS FUZZCON EUROPE 2021!

Get access to all records and learn more about current trends in IT security testing and secure application development.

Speakers at FuzzCon Europe 2021

 

Raghudeep Kannavara
Raghudeep Kannavara

Intel

Paul Butcher
Paul Butcher

AdaCore

Thuan Pham
Thuan Pham

University of Melbourne

Andrea Fioraldi
Andrea Fioraldi

LibAFL

Dominik Maier
Dominik Maier

LibAFL

sergejdechand
Sergej Dechand

Code Intelligence

Lea Theresa Gröber
Lea Gröber

CISPA

Raul Gopinath
Rahul Gopinath

CISPA

Philippe Antoine
Philippe Antione

Catena cyber

Fabian Meumertzheim
Fabian Meumertzheim

Jazzer

Madalin Ilin-1
Madalin Ilie

Endava

Raffael_Dutra__1_-removebg-preview-1-1
Rafael Dutra

FormatFuzzer

All FuzzCon Europe talks got recorded
COUDN'T MAKE IT TO THE CONFERENCE?
No problem! We recorded all talks. Sign up and we will send you the recordings.

FEEDBACK

What Developers Say About FuzzCon Europe

left-quote Created with Sketch.

Interesting to see how an entirely new industry is now growing purely around fuzzing. In conclusion: a very slick event - well done to all involved!

FuzzCon_Logo_rund_weiß
FuzzCon Europe 2020
left-quote Created with Sketch.

Great conference great information, thanks for bringing us the best!

FuzzCon_Logo_rund_weiß
FuzzCon Europe 2020
left-quote Created with Sketch.

Great talks and lots of interesting tools/techniques to follow up on. Great job organizers and speakers :-).

FuzzCon_Logo_rund_schwarz
FuzzCon Europe 2020
Automotive Edition
left-quote Created with Sketch.

I really liked the efficiency of the conference - it went very smoothly without any interruptions.

FuzzCon_Logo_rund_weiß
FuzzCon Europe 2021
WebSecurity Edition

SPEAKER

sergejdechand1

SERGEJ DECHAND

CEO & FOUNDER
Code Intelligence

sergejdechand1

SERGEJ DECHAND

CEO & FOUNDER
Code Intelligence

sergejdechand1

SERGEJ DECHAND

CEO & FOUNDER
Code Intelligence

sergejdechand1

SERGEJ DECHAND

CEO & FOUNDER
Code Intelligence

FAQs

Frequently asked Questions

What is Fuzzing?

"Fuzzing" or "fuzz testing" is currently the most effective testing approach to automatically detect security and stability issues in software. It involves providing invalid, unexpected, or random data as inputs to a computer program

Modern fuzzing engines (such as AFL++, or Jazzer) do not just use random inputs, but smart algorithms tailoring the input to increase the amount of code which is tested/covered by the fuzzer.

Read more about fuzzing.

When Did FuzzCon Europe Take Place?

October 21st, 2021, time tba (GMT-7).

What Event Platform Got Used for the Online Event?

Clickmeeting. It's a browser-based conference platform, so you don't have to worry about any installation. All you need to join FuzzCon Europe 2021 is the conference URL that we will provide in your email invitation. Just register for the event, and you're good to go! Learn more about Clickmeeting

Did the Event Get Recorded?

Yes! Every session got recorded. Just sign up, and we will provided you with the recordings. 

I Live In a Different Time Zone. Can I Still Participate?

Yes! All sessions will be recorded, and we will provide a live stream on Youtube. If you miss the opening of a talk, you can always rewind the live stream or watch the recording afterwards.

I Have More Questions. How Do I Contact the Conference Team?

You're welcome! You can contact us anytime via email.

GET ACCESS TO ALL TALKS

We recorded all talks! Sign up and we will send you the recordings.

 

Register for FuzzCon Europe 2021 Recordings