Fuzzing Devices
Mark Gondree
Computer Science, SSU
Stevenson Hall 1300
12:00 PM - 12:50 PM
Many security exploits start with a program crash. Testing software using "fuzz testing" is an increasingly common practice in industry, especially as part of automated testing for continuous integration. We will discuss the basic ideas behind fuzz testing, some existing fuzzing frameworks, and some of the complexities when the system under test is a physical device that cannot be emulated. In particular, I'll summarize the process we followed for discovering and reporting a software flaw present in a widely-deployed industrial control system, leading to a previously unreported denial-of-service (DoS) vulnerability.