From The Core Issue: a look at how Bitcoin Core handles security vulnerability disclosures, testing for bugs, and patching them.
OSS-Fuzz - continuous fuzzing for open source software. - google/oss-fuzz
In software security, root cause analysis (RCA) is the process used to “remove the mystery” from irregular software execution and measure the security impact...
Learn how and why the Chrome team has replaced FreeType with Skrifa.
simple PNG library
Using libfuzzer to fuzz an interface by modeling the problem as a virtual machine interpreter.
ArduinoJson is a JSON library for Arduino, IoT, and any embedded C++ project. It supports JSON serialization, JSON deserialization, MessagePack, streams, and fixed memory allocation. It has a simple API, it’s easy to use, and it’s trusted by thousands of developers all over the world.
I'm the president of VideoLAN, one of the lead developers of VLC and a maintainer of open source multimedia projects. I created several startups, was the CTO of scale-ups, and advised startups and VCs.
Zac Hatfield-Dodds opened his presentation with a paraphrase of the economist Thomas Schelling: No matter how rigorous her analysis or ...
Documentation for FuzzBench
A fast image processing library with low memory needs.
Justin Cormack blog
Documentation for OSS-Fuzz
If you're looking for an isolated and straightforward way to start contributing to KDE, you're in the right place. At KDE, we use fuzzing vi...
Times have changed, and hosting is just one part of an evolved threat model.
A few things making me happy: Stardew Valley, cool design, inspiring podcasts, D and D tips, Mega Man news, and more interesting links.
After a long hiatus, I'm back to blogging. I'm preparing a comparison of different LLMs on different puzzles. I'm testing LLMs from OpenAI, Google, and so on. In this post, I just lay out the rules of the competition and introduce the scaffolding that I used.
Okay, if you’re reading this, you probably know what fuzzing is. As an incredibly reductive summary: fuzzing is an automated, random testing process which tries to explore the state space (e.g., different interpretations of the input or behaviour) of a program under test (PUT; sometimes also SUT, DUT, etc.). Fuzzing is often celebrated as one of the most effective ways to find bugs in programs due to its inherently random nature, which defies human expectation or bias[1]. The strategy has found countless security-critical bugs (think tens or hundreds of thousands) over its 30-odd years of existence, and yet faces regular suspicion from industry and academia alike. [1] Mostly. Fuzzers can be overfit to certain applications, intentionally or not.
Documentation for ClusterFuzz
Cryptofuzz is a project that fuzzes cryptographic libraries and compares their output in order to find implementation discrepancies. It’s quite effective and has already found a lo…
GDAL has now been put under the continuous scrutiny of OSS-Fuzz for more than 4 years. To keep it simple, OSS-Fuzz is a continuous runn...
So, Mongoose. If you’ve never heard of it, you’ve almost certainly used a device that runs it. It’s a single-file, cross-platform embedded network library writ…
Fuzz testing killing C
The White House calls for an audit of open source software security. Part 2/3: automated auditing of projects.
c-ares is a modern DNS (stub) resolver library, written in C. It provides interfaces for asynchronous queries while trying to abstract the intricacies of the underlying DNS protocol. It was originally intended for applications which need to perform DNS queries without blocking, or need to perform multiple DNS queries in parallel.
Homepage for Addison Crump
While talking about thinking about tests and testing in software engineering recently, I’ve come to the conclusion that there are (at least) two major ideas and goals that people have when they test or talk about testing. This post aims to outline what I see as these two schools, and explore some reasons engineers coming from these different perspectives can risk talking past each other. Two reasons to test Testing for correctness The first school of testing comprises those who see testing as a tool for validating a software artifact against some externally-defined standard of correctness.
A revolutionary coverage-driven fuzzer credited with finding countless vulnerabilities in open-source code.
Writing memory-safe code beats patching your way to safety
Today we're excited to announce OSS Rebuild, a new project to strengthen trust in open source package ecosystems by reproducing upstream artifacts. As supply chain attac…
tl;dr: The more AI advances, the more you may be subject to supply-chain attacks, remote exploits, and phishing. You should be suspicious of amateuri…