VF2017: Fuzzing and dynamic code analysis 2017-07-13T10:11:11+00:00
Conference: Verification Futures 2017 (click here to see full programme)
Speaker: Richard Storer (Senior Security Consultant), MathEmbedded Ltd
Presentation Title: Finding Security Vulnerabilities by Fuzzing and Dynamic Code Analysis
Abstract: Fuzzing, stressing a program with random input, has been a useful black-box testing technique since 1989.
More recent fuzzers use white-box code coverage or symbolic execution techniques to discover how random changes in input affect the program’s control flow. When combined with dynamic code analysis, this approach is particularly good at finding the memory access errors; buffer overflow, null pointer dereference, etc. that are frequent causes of security vulnerabilities.
In this talk we examine why this approach is so powerful and provide some tips for using it effectively.

  • Fuzzing tools can discover test data that hit all paths through your code.
  • Running instrumented code with fuzzed test data pinpoints memory access errors to source code lines.
  • To enable complete coverage by fuzzers, some validation code may need to be disabled.
Speaker Bio: Richard Storer has been developing and managing embedded software projects for over 20 years. He now specialises in security analysis of embedded systems and security training for software engineers and architects for MathEmbedded Ltd, a leading consultancy in embedded software security. Recent customers include consumer electronics, automotive, white goods and silicon manufacturers. Richard has a PhD in Electronic Engineering from Bristol University.
Slides
T&VS NEWSLETTER SIGN-UP
The T&VS newsletters inform you about industry news, events and information from T&VS. No spam, we promise and it is always easy to unsubscribe.
We never share your information. Read our Privacy Statement
Interested in Formal Verification?
Then why not attend the TVS Formal
Verification Bootcamp training?
The 2-day Formal Verification Bootcamp is for design and verification engineers looking to enhance their knowledge of formal verification and to learn how to write effective assertions to find and fix bugs. The course is a mix of presentations and hands-on development exercises.
Bootcamp Enquiry Form
If you are interested in receiving additional information on the course then simply email Mike Bartley (TVS CEO and Course Leader) by entering your details below.
Interested in SystemC?
FREE SystemC UVM Library Now Available
The TVS SystemC UVM library closely mimics UVM but gives users a license free UVM-based verification environment.
Have your product requirements been successfully tested and implemented?
Find out how asureSIGN can help you implement a successful Requirements Driven Verification and Test Strategy by visiting asureSIGN or enter your details and we will be in touch.
Course Dates and Pricing
To receive additional information, including course dates and pricing, please contact our training team who will be happy to help.
Download Request
Please complete the following form then click 'submit' to access the download.
Presentation Request
Please complete the following form then click 'submit' to gain access to the presentations.
DOWNLOAD REQUEST
Please complete the following form and then click 'submit' to gain access to the download.
FREE QA ASSESSMENTS
Did you get what you were looking?

Let the testing experts help. We will run a FREE QA assessment which will include our top 5 recommendations to help maximise your testing.