CppCon 2015

At CppCon’2014 we presented the Sanitizers, a family of dynamic testing tools for C++. These tools allow you to find many stability and security bugs in C++ code, but they are only as good as your tests are. In this talk we will show how to improve your tests with guided fuzzing and how to protect your applications in production even if some bugs were not found. Fuzzing, or fuzz testing, is a surprisingly effective technique that allows you to discover new interesting test inputs. Coverage-guided fuzzing uses coverage-like code instrumentation to make fuzzing orders of magnitude more efficient. Taint-guided fuzzing goes even further by using taint tracking techniques. The next line of defense may be incorporated directly into production: the Control Flow Integrity instrumentation allows you to protect your program from corrupted function pointers (including pointers to virtual tables) and separating stack variables from the call stack protects from corrupted return addresses -- both with near-zero overhead. We will concentrate on particular tools implemented in the opensource LLVM toolchain (libFuzzer, DataFlowSanitizer, -fsanitize=cfi,safe_stack), but will also discuss several alternatives.