Mix Assertion, Logging, Unit Testing and Fuzzing with ZeroErr
Mix Assertion, Logging, Unit Testing and Fuzzing with ZeroErr: Build Safer Modern C++ Application. Speaker: Xiaofan Sun. Date: Sep 19, 2024 ... Self-Introduction • Got my Ph.D. from UC, Riverside ... capture additional context information if needed • Make sure specific path is taken ... Structure-Aware Fuzzing: Generation-based fuzzers usually target a single input type - string. All input is reading from running the test. ... Benefits of Integration • Fuzzing test case can use all those features • Fuzzing do not need additional assertion implementation • Writing fuzzing test case as well as unit test case so
54 pages | 961.46 KB | 5 months ago

2020: The Year of Sanitizers?
Want to unleash the memory vulnerability beast? Put your test units on steroids, by spinning fuzzing jobs with ASan in Azure, leveraging the power of the Cloud from the comfort of your Visual Studio ... manager, static analyzer, dynamic analyzer (runtime), automated refactoring tools, build system + fuzzing, code reviews platform ... 17 year old code base under active development, 3.5 million lines of C++ ... coverage for the runtime analysis (all possible scenarios), the biggest impact when combined with fuzzing ... 2020 Victor Ciura | @ciura_victor - 2020: The Year of Sanitizers? 0 false positives! Dynamic
135 pages | 27.77 MB | 5 months ago

Embracing an Adversarial Mindset for Cpp Security
SIDE ACTIVITIES ... Day in the Life: Vulnerability Research ● Looking at code 75% ● Instrumenting fuzzing harnesses 5% ● Making POC when needed 1% ● Tackling cross-org issues to combat a whole bug class ... system attempts to extend a metadata block. ● Could have been easily discovered with the help of fuzzing ● Driver had extensive use of try/catch blocks to catch exceptions. ● Access violation exceptions ... dependencies up to date • Use static code analysis tools built into your CICD pipeline • Use fuzzing in your CICD pipeline ... Strategies for Secure C++ Development ... Exploit Mitigation Timeline 2003 SAFESEH
92 pages | 3.67 MB | 5 months ago

Lifetime Safety in C++: Past, Present and Future
safety ... Spatial safety, Temporal safety ... Spatial safety • BufferCheck (soon), SAL • ASAN, GWP-ASAN, HWASAN + Fuzzing • Bounds-checked data structures • Checked C, Deputy • -fbounds-safety, buffer hardening ... Temporal safety
124 pages | 2.03 MB | 5 months ago

A New Decade of Visual Studio: C++20, Open STL and More
of Sanitizers? Victor Ciura – Fuzzing/Testing venue, Fri 9/18 12:00 – 13:00 ... Introducing Microsoft's New Open Source Fuzzing Platform, Justin Campbell, Michael Walker – Fuzzing/Testing venue ... Visit https://aka ... Development with Codespaces – Nick Uhlenhuth ... Friday 18th • Introducing Microsoft's New Open Source Fuzzing Platform – Justin Campbell & Michael Walker
37 pages | 2.67 MB | 5 months ago

The fuzzy tale of an x/crypto vulnerability
lines of amd64 assembly in crypto ... 10,474 lines of amd64 assembly in golang.org/x/crypto ... Fuzzing: Fuzzing is an automated testing technique for hardening safety-critical software. Typically used where ... parse(data) return 0 } ... Hit your target function with cleverly-constructed random data. Differential fuzzing: compare against a reference implementation. github.com/mmcloughlin/cryptofuzz ... func Fuzz(data
74 pages | 2.99 MB | 1 year ago

whats new in visual studio
Announcing today: Experimental libFuzzer Support • An in-process, coverage-guided, evolutionary fuzzing engine • Available in Visual Studio 2022 • Under /fsanitize=fuzzer • Visit https://aka.ms/cpp/libfuzzer ... Analysis https://aka.ms/cpp/ca/bg ⚡ Dynamic Analysis • Address Sanitizer https://aka.ms/asan • Fuzzing with libFuzzer https://aka.ms/cpp/libfuzzer ... Visual Studio Agenda 1. Conformance 2. Code
42 pages | 19.02 MB | 5 months ago

Back to Basics Unit Testing
Hard Tests Easy (Robotics Track) ... Xiaofan Sun (Thursday): Mix Assertion, Logging, Unit Testing and Fuzzing ... Pete Muldoon (Wednesday): Dependency Injection in C++ ... "Accelerated TDD" by Phil Nash just finished ... test library" (Lightning Talk) https://youtu.be/nnlEQwQlHQg ... Other Testing 2020: Barnabás Bágyi "Fuzzing Class Interfaces for Generating and Running Tests with libFuzzer" https://youtu.be/TtPXYPJ5_eE
109 pages | 4.13 MB | 5 months ago

CMake Configuration for Demo Project
Build this if you start getting messages like: # profiling: ..../cmake-build-debug/..../2019_11_18_fuzzing_gilded_rose.dir/GildedRoseApprovalTests.cc.gcda: # cannot merge previous GCDA file: corrupt arc
1 page | 1.23 KB | 5 months ago

Rust API Reliability Analysis and Verification
... is the earliest lab in China to carry out research on Rust program analysis (https://artisan-lab.github.io) • Our paper on Rust library fuzzing, RULF: Rust Library Fuzzing via API Dependency Graph Traversal, received the ACM Distinguished Paper Award at ASE 2021, a top software engineering conference. ... Rust China Conf 2021 – 2022, Online
13 pages | 1.68 MB | 1 year ago