bug hunting for normal people


Playlists: 'MCH2022' videos starting here / audio

A series of isolated problems encountered when attempting to fuzz software, in this case Adobe Reader (DC), and the hackish solutions to those problems. The talk walks through constructing a fuzzing pipeline capable of finding real bugs by stringing together freely available tools with the bare minimum of glue code.

Starting from target selection, moving through the requirements of a given fuzzing campaign to smart input generation, and briefly touching on scaling challenges and performance issues, this presentation describes a practical approach to creating a fuzzing pipeline for finding real-world bugs in closed-source software, in this case Adobe Reader (DC). The approach taken is suitable for anyone with basic scripting skills, is easy to replicate, and leads to bug hunting capabilities without a doctoral degree or years of experience in vulnerability discovery.