The fuzzy tale of an x/crypto vulnerability

The fuzzy tale of an x/crypto vulnerability

On March 20, 2019, the Go team released a patch for a security vulnerability in x/crypto/salsa20. This talk will regale you with the full story from discovery by differential fuzzing, via low-level assembly root cause analysis to the contentious disclosure process.

Along the way we’ll explore testing practices for security-critical software, in particular the use of go-fuzz to check compatibility with reference implementations. Ultimately we’ll see how even the most subtle of mistakes in assembly code can have catastrophic implications.

8a33421d2bcd8a9924c8a516619c2731?s=128

Michael McLoughlin

July 27, 2019
Tweet