your software is too fuzzy

Did you know you can just SCREAM at your code to find bugs? Yeah, seriously, it's that easy. In this video we'll talk about libFuzzer, which is a simple-to-use tool for writing code that finds bugs in your code. In this video we write some code, find a bug, and patch it.

Comments

I already yell around 5-10 times a day at my computer

Dev-Siri

Just for fun though, there's a footgun hidden in the example code, too. As the recv buffer has a hardcoded length limit of 1024 bytes, directly casting the input buffer into a struct that contains a user-controlled length field is not really a good idea. If somehow the codebase got updated in a certain way and the memcpy destination was a heap allocation, it may lead to information leak. E.g. ask the server to echo a 65535-byte data chunk from a 1024-byte input.

muB

"like literally yelling at the code" proceeds not to yell at the code

matthias

Why is fuzzing better than boundary tests? ...After watching, I withdraw my question.

millax-evyz

I love this type of video where you show a useful tool and an example using this tool, and what's even cooler is the fact that using it you were able to detect a bug that wasn't intentional.

piotrkaminski

Use -fsanitize=fuzzer,address and you should be able to find another bug in the parse code. If the input is less than the size of the struct, you would read outside the memory. It does not always cause a crash without AddressSanitizer. However, it is not a bug in the program due to the receiving buffer size.
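An added example (not code from the video or any commenter) showing the two checks the comments above call for: the input must be at least as long as the header, and the user-controlled length must fit inside what was actually received. The wire format (2-byte little-endian length followed by payload) and the 1024-byte receive buffer are constructed assumptions; the entry point is the standard libFuzzer one, so the file builds with clang -fsanitize=fuzzer,address.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RECV_BUF_SIZE 1024   /* assumed fixed recv() buffer, as in the comments */
#define HDR_SIZE 2           /* constructed format: uint16 little-endian length, then payload */

/* parse_echo_msg: validate a message held in a bounded receive buffer and copy
 * its payload into out. Returns the number of payload bytes copied, or -1 if
 * the message is malformed. The length is read byte-wise instead of casting
 * the buffer to a struct, so no field is ever read past buf_len. */
int parse_echo_msg(const uint8_t *buf, size_t buf_len, uint8_t *out, size_t out_len) {
    /* Check 1: short input must not be interpreted as a header (read past buffer) */
    if (buf_len < HDR_SIZE) return -1;
    uint16_t len = (uint16_t)(buf[0] | (buf[1] << 8));
    /* Check 2: attacker-controlled length must fit in the bytes actually received,
     * otherwise memcpy would leak whatever follows the payload (stale stack/heap) */
    if (len > buf_len - HDR_SIZE) return -1;
    /* Check 3: destination bound, independent of the source bound */
    if (len > out_len) return -1;
    memcpy(out, buf + HDR_SIZE, len);
    return (int)len;
}

/* libFuzzer entry point: each iteration emulates recv() into the fixed buffer,
 * truncating to RECV_BUF_SIZE, then runs the parser under ASan. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint8_t recv_buf[RECV_BUF_SIZE];
    uint8_t out[RECV_BUF_SIZE];
    size_t n = size < RECV_BUF_SIZE ? size : RECV_BUF_SIZE;
    memcpy(recv_buf, data, n);
    (void)parse_echo_msg(recv_buf, n, out, sizeof out);
    return 0;
}
```

Dropping check 2 and rebuilding reproduces the leak the first comment describes: a 2-byte header claiming 65535 bytes is accepted, and ASan reports the over-read as soon as the fuzzer tries it.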

trexake

That's why I used to use unsigned everywhere by default, until negative values are explicitly required by design.
And yes, using e.g. -1 magic value to represent things like a non-existent index is a bad design. Don't do it.

mkvoq

Satisfied customer here, been doing this for the last 10 years

10/10 - my code has feared me ever since

uuu

It would be really funny if he said "there's no more bugs in this code" and libfuzzer just crashed.

holmybeer

Ah, there's a name for it. I do this regularly the manual way in my own projects, though granted those are all smaller projects where my scope of potential issues is "is there some way a user can force invalid data down this thing's throat". Useful to know if I ever manage to get a real job, lol (being a dev without a college degree is the Dark Souls of job hunting, I swear).

LunarSoul

Amazing, brother, you have the gift of communicating complex concepts in simple terms. Thanks! Glad to find your channel! ;)

wecann.clinic

At first we code safely by yelling.
In time, elaborate rituals involving chanting, holy oils and incense are necessary to please the machine spirit and banish demonic bugs.

GeoffryGifari

Well, because I am so good at messing up function calls by using function pointers and structs/unions, I need no help. The code would yell either way nevertheless.

markojojic

I didn't quite catch why 7:45 is an issue. Would anyone mind please clarifying?

darkrasen

Why did I think we might actually be yelling at code?

mp_rho

2:38 in, I expect your issue is that you didn't check the length argument in your payload. This should pop up with many static analyzers. But I get it, it's just an example. Fuzzing is more for discovering weird edge cases and undefined behavior, as I understand it. Or I'm totally wrong and length was not the issue :D

romsthe

This is so cool, does something like this also exist in the Java world?

avishjha

I was hoping for Torvalds-style screaming at someone else's code, but I guess this is fine.

fulconandroadcone

I'd love a video of you describing your Linux setup. I use WSL and customize very few things, but would love more insight into your setup for vim and tmux/whatever multi-shell you're using.

romanferguson

“Port 1337” that took me a second. Very funny

owenheckmann