Spread the word! @phrack.org CFP with demoscene cracktro is live. Turn up the volume and enjoy the awesome stylings of @PiotrBania with some hopefully inspiring text from phrack staff :) phrack.org

#FUZZING'26 CALL FOR PAPERS ────── ✨ After 5 years, we will be again co-located with NDSS! 🔗 fuzzing-workshop.github.io 📅 11. Dec (Submission) //cc @mboehme.bsky.social (MPI-SP), @ruijiemeng.bsky.social (CISPA), @rohan.padhye.org (CMU), László Szekeres (Google)

Must-read for fuzzing folks (read: tooling/algorithms/academia) by Addison Crump addisoncrump.info/research/wha...

Thanks to Viet Hoang Luu's effort AFL++ just got IJON support: github.com/AFLplusplus/...

drops.dagstuhl.de/storage/01oa... can we get this builtin in lldb please?

Our Big Sleep LLM Agent found critical vulns 📈📈📈 #BigSleep blog.google/technology/s...

cut my heap into pieces, this is my crash report: allocation, no alignment don't give a fuck if it faults on assignment this is fatal abort()

✈️ I'll be at @icseconf.bsky.social this week — find me if you'd like to chat about all things fuzzing / binary analysis!

I'm proud to announce that myself and @AtipriyaBajaj have created the Workshop on Software Understanding and Reverse Engineering (SURE), which will be co-located at CCS 2025. sure-workshop.org/ Please follow our workshop account @sureworkshop and RT it for visibility :).

Our paper "Top Score on the Wrong Exam" paper will be presented at #ISSTA25 🐣 in Trondheim! 📝https://mpi-softsec.github.io/papers/ISSTA25-topscore.pdf 🧑‍💻https://github.com/niklasrisse/TopScoreWrongExam // @nrisse.bsky.social @fuzzing.bsky.social

As it turns out, the C compiler orphan-crushing machine offers no benefit: web.ist.utl.pt/nuno.lopes/p...

There's still time to submit to FUZZING'25! This year, we're accepting both the (now classic) registered reports _and_ new short papers (fuzzing nuggets). Deadline is now March 26th! fuzzingworkshop.github.io

futures.cs.utah.edu/papers/25ICS... by @snagycs.bsky.social and @gabriel-sherman.bsky.social Seems like a very sensible approach to harness generation with some impressive results. I'm looking forward to seeing more discussion about this approach :) (sorry for blatantly copying the twitter thing).

Just earlier today I was talking to someone how we are missing out A LOT of power from dynamic language reflection/introspection capabilities in fuzzing, and then I saw this paper: nebelwelt.net/publications... - great timing & work @gannimo.bsky.social!

Leude geht wählen. Vote whatever Elon didn't endorse

Super cool to see people build ontop of Nyx: neodyme.io/en/blog/hype...

I’m very excited to announce that we at V8 Security have finally published our first version of Fuzzilli that understands Wasm! Go check it out at https://github.com/googleprojectzero/fuzzilli. While we still have a way to go in improving it, we think it shows a promising approach!

aischolar.0x434b.dev Pretty cool project by @434b.bsky.social: A neat web interface to explore security (and in particular: Fuzzing) papers with AI summaries. Seems super useful to get/stay up to date with recent papers :)

I got Linux running in a PDF file using a RISC-V emulator. PDFs support Javascript, so Emscripten is used to compile the TinyEMU emulator to asm.js, which runs in the PDF. It boots in about 30 seconds and emulates a riscv32 buildroot system. linux.doompdf.dev/linux.pdf github.com/ading2210/li...

I have long argued that fuzzers are better at tracking taint than taint tracking. @andreaszeller.bsky.social et Al. build a info leak fuzzer (w/o taint tracking): dl.acm.org/doi/pdf/10.1.... It finds 10 old CVEs (ASAN: 1). Cool to see a PoC! Would probably work better with snapshot fuzzing tho ;)

pacibsp.github.io/2024/invaria... Another great blogpost displaying the "The compiler is an evil djinn, secretly trying to corrupt your wishes with the moral compass of tobacco industry lawyers"-model of C semantics.

Re-sharing to keep bluesky rolling go.bsky.app/EhGFSVj

🔥 No fuzz drivers needed. Our paper on injecting greybox fuzzers into running systems at user-defined amplifier points (in-vivo fuzzing) was accepted at #ICSE25! 📝 mboehme.github.io/paper/ICSE25... 🧑‍💻 github.com/OctavioGalla... (subject to AE) //Lead by Octavio Galland (former #MPI_SP intern).

mboehme.github.io/paper/ICSE25... Really like this paper. Instead of writing a libfuzzer harness, use the state&arguments from test/E2E fuzzing and note what args can be fuzzed. Interesting follow ups: How to validate a crash in E2E setting & inferring amplification points & constraints dynamically.

Don't really know the purpose of starter packs yet, but here's some people who fuzz(ed). Let me know who I forgot go.bsky.app/EhGFSVj

Company: We have a monolith! Me: ... Company: *holds up diagram of 8 services, 15 databases, and a home grown queue implementation* Me: You fucked up a perfectly good distributed system is what you did. Look at that thing, it's got clock skew.

Have you ever done a dense grid search over neural network hyperparameters? Like a *really dense* grid search? It looks like this (!!). Blueish colors correspond to hyperparameters for which training converges, redish to those for which training diverges. Even better, a video: vimeo.com/903855670

Paged Out! Issue #5 is out now! pagedout.institute?page=issues.... Happy reading!