Effective File Format Fuzzing – Thoughts, Techniques and Results (Black Hat Europe 2016)


  • Language: English
  • Conference: Black Hat Europe
  • Location: London, United Kingdom
  • Date: November 2016
  • Speaker(s): Mateusz ‘j00ru’ Jurczyk




Fuzzing, as a native software testing technique, is an extremely popular approach to vulnerability hunting in today’s security field. The reasons are plenty: it is relatively easy to start with, features out-of-the-box tools which can be used with little to no development, only requires an initial time to set up, scales extremely well, and most importantly – often achieves good results against modern software. All of the qualities make fuzzing complementary to manual security reviews, if not replacing them altogether in some cases.

However, fuzzing also follows Bushnell’s law, as it is “easy to learn, but hard to master”. While it is trivial to flip bits in the input data and wait for programs to crash, it is similarly easy to forget that there is much more to it. The overall process consists of a number of stages, and the final outcome is a product of the effectiveness of all of them. In order to get the most out of fuzzing, it is necessary to answer many questions: How to generate or mutate the inputs? How to create an initial corpus of data? How to detect software failures? How to minimize the offending samples, and recognize unique bugs? How to deal with programs expecting user interaction, using data consistency checks, compression or encryption? The list goes on and on.

The aim of the talk is to address each question as comprehensively as possible, sharing the methods, ideas, measurements and algorithms we have developed during many years spent on fuzzing both open and closed-source software. The information will be supported by our corresponding results of two years of fuzzing FreeType, Wireshark, Hex-Rays IDA Pro, Adobe Reader, Adobe Flash Player and the Windows kernel (among other software), for a total of over 130 vulnerabilities fixed in a wide range of commits and bulletins. We will demystify fuzzing as a black box technique that “just works” regardless of the technical details, and show how each of its parts can be taken apart and optimized for maximum performance, enabling us to find new waves of bugs in mature code bases which could have been previously thought of as fuzz-clean.