Fuzzing complex input languages using context-free grammars
Jani "Aivo" KirmanenChief Development Officer at Silverskin
Random fuzzing is not sufficient for testing input languages that require parsing. We show how context-free grammars and their derivation trees can be utilized for generating syntactically correct but otherwise random input that is useful for testing parsers themselves and the application logic that relies on the parsed input.
Laptop, Python basics and code from fuzzingbook.org. A brief introduction to formal language theory (e.g. regular and context-free languages) and how it relates to fuzzing is given but it does not hurt to familiarize oneself with these topics beforehand.
In the workshop we are going to use Fuzzingbook for building fuzzers for context-free grammars. The easiest way to use Fuzzingbook is to download all the code from (https://www.fuzzingbook.org/dist/fuzzingbook-code.zip) and install all requirements
I use Jupyter Notebook for showing examples but you of course can use your favourite code editor.
Jani "Aivo" Kirmanen, Chief Development Officer at Silverskin
Jani is a seasoned application security researcher with passion for languages (both natural and synthetic). He is a PhD student at University of Jyväskylä and his research deals with using formal language theory to model software security vulnerabilities. Aside from all things cyber, he can also give you an introduction into astrophotography, like it or not.