COPLAS talk: Alexandre Bartel, CONFUZZION: Towards Efficient JVM Fuzzing
Join us online as Alexandre Bartel from DIKU will give a COPLAS talk on the open-source tool CONFUZZION
Abstract
Current fuzzers can test a Java program, and even test the Java Virtual Machine itself. However, they are mostly designed to uncover common bugs and implementation errors such as the infamous unhandled NullPointerException. Our approach allows finding object-oriented flaws like type confusions which are relevant from a security point of view. It relies on a black-box mutation-based smart fuzzing on the Java Virtual Machine (JVM) with crafted semantically valid programs as input.
We have implemented our approach in an open-source tool called CONFUZZION and are able to generate syntactically and semantically correct Java classes to find, for example, the type confusion vulnerability of CVE-2017-3272 within 4 hours on commodity hardware.
Bio
Alexandre Bartel is assistant professor at DIKU.
Host: Fritz Henglein (DIKU)