Post B5PzIvnShXFZPTWysC by david_chisnall@infosec.exchange
       Post #B5PzIvnShXFZPTWysC by david_chisnall@infosec.exchange
       2026-04-18T08:19:14Z
       
       1 likes, 0 repeats
       
       The thing I wish someone would build, which I suspect would find bugs a lot more cheaply than Claude Mythos: Integrate a static analyser with a fuzzer.

       Static analysers will find paths and variable values that, if they occur, reach unhappy states in the program. But they can’t tell you that it is possible for the preconditions to occur.

       Fuzzers can explore the state space of code rapidly by throwing random values at it and then refining the input to try to explore specific places in the state space.

       I would love to see someone wire up clang’s analyser with libFuzzer, for example, so that you can throw the analyser at a big project and have it spit out the hooks for guided fuzzing, then try to generate the inputs that will trigger the possible bug. Bonus points if it then tries to minimise the test case (some existing fuzzers do this).

       This would then give you a fully automated way of triaging static analysis reports, by providing something you can use as a test case for the ones that are easy to trigger.
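
       The loop sketched in the post, as an added C example (not code from the post or from any existing tool): a constructed toy parser, the kind of hook an analyser could emit at the reported site with the report's precondition as its condition (the `ANALYSER_HOOK` macro and its report id are assumptions), the libFuzzer entry point a generator would wrap around the target, and a deterministic random search standing in for libFuzzer so the file runs on its own. Built with `clang -fsanitize=fuzzer` the search function is unnecessary and the hook would trap instead of returning, so libFuzzer saves and minimises the input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hook "emitted" for one analyser finding: names the report and fires when the
 * reported precondition holds at the reported site. In a libFuzzer build this
 * would __builtin_trap() so the input is kept as a crash and minimised; here it
 * records the hit and leaves the path so the toy overflow below never executes. */
static const char *g_hook_hit = NULL;
#define ANALYSER_HOOK(id, cond) do { if (cond) { g_hook_hit = (id); return -2; } } while (0)

#define FIELD_CAP 16
typedef struct { uint8_t kind; uint8_t field[FIELD_CAP]; } record_t;

/* Constructed target. An analyser would report: memcpy may write past out->field
 * when data[0] > 16 on the path where data[1] == 0x7f, because the bound check is
 * skipped for that kind. It cannot say whether any input reaches that path. */
static int parse_record(const uint8_t *data, size_t len, record_t *out) {
    if (len < 2) return -1;
    uint8_t n = data[0];
    out->kind = data[1];
    if (out->kind != 0x7f && n > FIELD_CAP) return -1;   /* bound check missing for kind 0x7f */
    if (len < 2u + n) return -1;
    ANALYSER_HOOK("parse_record.c:memcpy:n>FIELD_CAP", n > FIELD_CAP); /* generated from the report */
    memcpy(out->field, data + 2, n);
    return 0;
}

/* The libFuzzer entry point a generator would emit around the flagged function. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t len) {
    record_t r;
    (void)parse_record(data, len, &r);
    return 0;
}

/* Stand-in for the fuzzer: random fixed-length inputs until a hook fires.
 * Returns the attempt number that reached the hook, or 0 if none did. */
unsigned search_for_hook(unsigned max_attempts) {
    uint64_t seed = 0x9E3779B97F4A7C15ull;   /* fixed-seed LCG so runs are reproducible */
    uint8_t buf[64];
    g_hook_hit = NULL;
    for (unsigned i = 1; i <= max_attempts; i++) {
        for (size_t j = 0; j < sizeof buf; j++) {
            seed = seed * 6364136223846793005ull + 1442695040888963407ull;
            buf[j] = (uint8_t)(seed >> 56);
        }
        LLVMFuzzerTestOneInput(buf, sizeof buf);
        if (g_hook_hit) return i;
    }
    return 0;
}
const char *hook_hit(void) { return g_hook_hit; }
```

       A hit is the test case the post asks for: an input that demonstrably reaches the analyser's reported state, so the report can be triaged as real rather than theoretical.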
       
       Post #B5RSiu055vOTCE862C by letoram@infosec.exchange
       2026-04-18T09:05:50Z
       
       1 likes, 0 repeats
       
       @david_chisnall A thing I worked on for a bit a few years ago that produced tasty bugs even in its early inception was integrating a fuzzer into the debug part of an IDE (as well as an IDA Pro plugin). It turned a breakpoint into a fuzzpoint.

       The breakpoint part served as starting state and "harness". The fuzz-part added constraints (fuzzing raw pointers is kind of pointless) and a type model was generated from local state to feed the fuzzer.

       The starting state got snapshotted and distributed across a cluster. Each runner had a set strategy for how to explore the model; mutation, execution (e.g. step back to previous branch, solver to pick values that would reach the other path) and watch conditions (usual memory corruption, specific variables changing, ...). Triggers got fingerprinted and checked against a shared database. New discoveries forwarded a locally attached debugger to a pending queue for human inspection.

       As the story so often goes, the company got acquired, IP buried and left to rot.