3:30 This effort and its results show that fuzzing is a very universal technique, and most of its components can be easily reused from one target to another, especially within the scope of a single file format. -Mateusz Jurczyk https://googleprojectzero.blogspot.com/2017/04/notes-on-windows-uniscribe-fuzzing.html
3:30 Testing is a very wonderful thing, because people [who] try to prove that their software is correct actually spend almost all of their time discovering that it isn’t. It’s only the very last iteration of attempting to prove it’s correct that succeeds! -Benjamin C. Pierce http://omegataupodcast.net/243-formal-specification-and-proof/
3:30 We didn't call it fuzzing back in the 1950s, but it was our standard practice to test programs by inputting decks of punch cards taken from the trash. -Gerald M. Weinberg http://secretsofconsulting.blogspot.com/2017/02/fuzz-testing-and-fuzz-history.html
3:30 Intuitively, a mutation strategy is most powerful when the resulting files are successfully processed by the tested software 50% of times, and likewise fail to parse the other 50% of times. This indicates that the test cases are on the verge of being valid, and shows that the configuration is neither too aggressive, nor too loose. -Mateusz Jurczyk https://googleprojectzero.blogspot.com/2016/07/a-year-of-windows-kernel-font-fuzzing-2.html
3:30 Yet, despite the crippling and obvious limitations of fuzzing and the virtues of symbolic execution, there is one jarring discord: I'm fairly certain that probably around 70% of all remote code execution vulnerabilities disclosed in the past few years trace back to fairly “dumb” fuzzing tools, with the pattern showing little change over time. -Michał Zalewski https://lcamtuf.blogspot.com/2015/02/symbolic-execution-in-vuln-research.html
3:30 In the process of writing our early fuzz papers, we came across strong resistance from the testing and software engineering community. The lack of a formal model and methodology and undisciplined approach to testing often offended experienced practitioners in the field…. My response has always been simple: “We're just trying to find bugs”. -Barton Miller http://pages.cs.wisc.edu/~bart/fuzz/Foreword1.html
craigstuntz
manfredsteyer
seike460
suu_mire0726
bkuhlmann
1wedge_one
mackey0225
fsubal
luisasofie_xoxo
philipschwarz
inouehi
holman
jrom
reverentgeek
dougneiner
tammyeverts
62gerente
tanoku
shlominoach
bkeepers
philhawksworth
akmur
tammielis
