11:30 – 11:45 Lunch and good of the order

11:45 – 12:00 OWASP News and notes

12:00 Featured presentation: Craig Stuntz

We already have great fuzzers like afl, so why build another? I couldn’t find a good fuzzer for .NET applications on Windows, so I built my own. Fizil is a work in progress, but it has some interesting tricks up its sleeve. Fizil can instrument .NET binaries without needing source code. It automatically disables crash reporting, and is designed to verify non-memory-corruption properties. I’ve learned a lot while building it, and I have interesting stories to share with you! We’re going to examine in detail what fuzzers do, how afl implements these techniques, and specific challenges encountered in porting them to an “unusual” environment like Windows. Along the way we’ll solve problems related to reversing .NET binaries, strong naming, Unicode, and memory-mapped file performance.

Craig Stuntz is a software engineer and a lifelong student of computer science, with specific interests in programming languages, type theory, compilers, and math. He is Technical Director for Improving in Columbus, Ohio, and cofounded the Columbus branch of Papers We Love, a reading group for people interested in academic computer science research. In the past year he has presented talks at CodeMash, Dog Food Conference, Stir Trek, and many user groups.

When not at work or playing with his kids, he is usually studying math or playing Irish traditional music on the tin whistle and wooden flute.