Spread the word! @phrack.org CFP with demoscene cracktro is live. Turn up the volume and enjoy the awesome stylings of @PiotrBania with some hopefully inspiring text from phrack staff :)
phrack.org
#FUZZING'26 CALL FOR PAPERS
✨ After 5 years, we will again be co-located with NDSS!
fuzzing-workshop.github.io
11. Dec (Submission)
//cc @mboehme.bsky.social (MPI-SP), @ruijiemeng.bsky.social (CISPA), @rohan.padhye.org (CMU), László Szekeres (Google)
But only if we like the domain of your email address.
Must-read for fuzzing folks (read: tooling/algorithms/academia) by Addison Crump
addisoncrump.info/research/wha...
Thanks to Viet Hoang Luu's effort AFL++ just got IJON support: github.com/AFLplusplus/...
drops.dagstuhl.de/storage/01oa...
can we get this builtin in lldb please?
Our Big Sleep LLM Agent found critical vulns #BigSleep
blog.google/technology/s...
cut my heap into pieces, this is my crash report:
allocation, no alignment
don't give a fuck if it faults on assignment
this is fatal abort()
I love this. I've been using DWARF data for a while now (I think the design space of "you have source, but you'd rather do binary analysis with DWARF on debug builds" tools is kinda under-explored). But I never treated DWARF as a database format to save results in.
✈️ I'll be at @icseconf.bsky.social this week – find me if you'd like to chat about all things fuzzing / binary analysis!
I'm proud to announce that myself and @AtipriyaBajaj have created the Workshop on Software Understanding and Reverse Engineering (SURE), which will be co-located at CCS 2025. sure-workshop.org/
Please follow our workshop account @sureworkshop and RT it for visibility :).
Our paper "Top Score on the Wrong Exam" will be presented at #ISSTA25 in Trondheim!
https://mpi-softsec.github.io/papers/ISSTA25-topscore.pdf
🧑‍💻 https://github.com/niklasrisse/TopScoreWrongExam
// @nrisse.bsky.social @fuzzing.bsky.social
As it turns out, the C compiler orphan-crushing machine offers no benefit: web.ist.utl.pt/nuno.lopes/p...
Seems like Atropos does most of that too - i.e. automatically inferring some kind of "spec" in a way - it just doesn't use OpenAPI, I think? (except for also having coverage feedback & snapshot).
What's the delta between this and Atropos? Not limited to PHP?
Have been having the exact same experience - tried very hard to use Perplexity Pro for a couple of days, hardly ever found a problem easy enough for the AI to solve, with some outlandishly easy things failing even on Claude etc.
There's still time to submit to FUZZING'25! This year, we're accepting both the (now classic) registered reports _and_ new short papers (fuzzing nuggets). Deadline is now March 26th! fuzzingworkshop.github.io
futures.cs.utah.edu/papers/25ICS... by @snagycs.bsky.social and @gabriel-sherman.bsky.social Seems like a very sensible approach to harness generation with some impressive results. I'm looking forward to seeing more discussion about this approach :) (sorry for blatantly copying the twitter thing).
Now, if someone combines this paper with www.usenix.org/conference/u... (which already does some similar stuff) I would totally expect that fuzzing outperforms static analysis on web-app security issues just as harshly as we know it to outperform static analysis on the native side.
Just earlier today I was talking to someone about how we are missing out on A LOT of power from dynamic language reflection/introspection capabilities in fuzzing, and then I saw this paper: nebelwelt.net/publications... - great timing & work @gannimo.bsky.social!
Next thing: a bunch of 'em go all "shocked Pikachu" over the realisation that there's a ton of ADHD and/or autistic folks in CS 🤣
And those that aren't are usually friends with quite a few of those that are ...
People, go vote.
Vote whatever Elon didn't endorse
Check out ghostcell: plv.mpi-sws.org/rustbelt/gho... with the presentation: www.youtube.com/watch?v=jIbu... for a way to make 0 overhead, proven safe, cyclic datastructures with actual references in rust.
arxiv.org/abs/2502.12115 can't argue with the science on that one: LLMs are solving almost 60% of the manager tasks, but only 40% of SWE tasks :P
Super cool to see people build on top of Nyx: neodyme.io/en/blog/hype...
I'm very excited to announce that we at V8 Security have finally published our first version of Fuzzilli that understands Wasm!
Go check it out at https://github.com/googleprojectzero/fuzzilli.
While we still have a way to go in improving it, we think it shows a promising approach!
aischolar.0x434b.dev Pretty cool project by @434b.bsky.social: A neat web interface to explore security (and in particular: Fuzzing) papers with AI summaries. Seems super useful to get/stay up to date with recent papers :)
I got Linux running in a PDF file using a RISC-V emulator.
PDFs support JavaScript, so Emscripten is used to compile the TinyEMU emulator to asm.js, which runs in the PDF. It boots in about 30 seconds and emulates a riscv32 buildroot system.
linux.doompdf.dev/linux.pdf
github.com/ading2210/li...