Why you should be using automated fuzzing to test for security issues in your code

December 12, 2019

Writing secure code that deals with potentially untrusted data (parsers, importers, etc.) is always hard, since there are many potential cases to take into account. One of the techniques used to improve the security of such code is fuzzing. Fuzzing involves providing invalid or random data to a given piece of code to test its behaviour. Modern fuzzers are smart enough to understand what needs to be changed in the input to make the code go through a different code path, making testing faster and more complete.

oss-fuzz is a Free set of tools that makes fuzzing of C/C++ code easier. It comprises various scripts and Docker images, which, for example, have the base system libraries already compiled with the sanitizers. Coupling a fuzzer with the compiler sanitizers (asan, ubsan, msan) gives even better results, since these sanitizers make sure the code is run more strictly.

In this session we’ll show how to fuzz a C++ codebase, as well as give you an update on how Qt is using these tools.

TALK: Testing Your Code for Security Issues With Automated Fuzzing

SPEAKER: Albert Astals Cid

COMPANY: KDAB

TRACK: Tooling & Testing

Talk recorded at the Qt World Summit 2019 event in Berlin. #QtWS19 November 2019 - BCC 
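
The kind of fuzz target the abstract describes, as an added example that is not taken from the talk or from Qt's code. It assumes a libFuzzer-style entry point (one of the engines oss-fuzz can drive); the record format, `Record` and `parseRecords` are hypothetical names made up for illustration.

```cpp
// Added example: fuzz target for a constructed record format.
// Assumed build line (clang): clang++ -g -O1 -fsanitize=fuzzer,address,undefined target.cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <string>
#include <vector>

// Hypothetical format: repeated records of [tag:1][len:1][payload:len].
struct Record {
    uint8_t tag;
    std::string payload;
};

// Parses untrusted bytes; returns false on malformed input instead of
// reading past the end of the buffer.
bool parseRecords(const uint8_t *data, size_t size, std::vector<Record> &out) {
    size_t pos = 0;
    while (pos < size) {
        if (size - pos < 2) return false;     // truncated header
        uint8_t tag = data[pos];
        size_t len = data[pos + 1];
        pos += 2;
        if (len > size - pos) return false;   // declared length exceeds remaining bytes
        out.push_back({tag, std::string(reinterpret_cast<const char *>(data + pos), len)});
        pos += len;
    }
    return true;
}

// The fuzzer calls this once per generated input. Memory errors are caught
// by the sanitizers; the explicit check below catches logic errors that the
// sanitizers cannot see.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    std::vector<Record> records;
    if (parseRecords(data, size, records)) {
        // Invariant: an accepted input must be consumed exactly.
        size_t total = 0;
        for (const Record &r : records) total += 2 + r.payload.size();
        if (total != size) std::abort();
    }
    return 0;
}
```

Removing either bounds check in `parseRecords` turns a malformed input into an out-of-bounds read, which is the class of bug the fuzzer and asan combination reports with a reproducing input.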
