Excited to share that I'll be presenting our work (arvindsraj.com/publication/20…) about finding future vulnerabilities using fuzzing at CCS this week. 🧵 1/6
Crashes block fuzzers from finding vulnerabilities in code that lies beyond the crash until the underlying vulnerability is fixed. We call this phenomenon vulnerability occlusion - vulnerabilities block discovery of later vulnerabilities. 2/6
Vulnerability occlusion is quite common: OSS-Fuzz reports several such "Fuzz-Blocker" crashes (issues.oss-fuzz.com/hotlists/62199…). While patching can unblock fuzzers, it is a manual and time-consuming process. 3/6
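The occlusion effect described in the thread, reproduced in miniature as an added example (this is not the paper's code or any OSS-Fuzz target). A constructed toy parser stands in for the fuzz target: a blocking bug A (an off-by-one read in a checksum loop that fires on every well-formed input) sits in front of a second bug B (an untrusted count used to index a fixed-size table). Out-of-bounds accesses raise an exception in place of an ASan abort, and a minimal coverage-guided mutational fuzzer is run against the target with A present and with A patched. The byte format, edge names, mutation operators and seed are all assumptions made for the illustration.

```python
"""Vulnerability occlusion in miniature (constructed example, not the paper's code).

A toy parser stands in for a fuzz target; out-of-bounds accesses raise Crash
instead of corrupting memory, standing in for a sanitizer abort. A minimal
coverage-guided mutational fuzzer is run against it with and without bug A.
"""
import random


class Crash(Exception):
    """Stands in for a sanitizer abort; the message names the crash site."""


def checked_read(data, i, site):
    """Bounds-checked byte read; raises Crash(site) where ASan would abort."""
    if not 0 <= i < len(data):
        raise Crash(site)
    return data[i]


def target(data, fix_a=False):
    """Constructed parser. Returns the set of coverage edges it reached.

    Constructed format: data[0] magic 'F', data[1] record type, data[2] count.
    Bug A (the blocker): the checksum loop is off-by-one and reads
    data[len(data)] on EVERY well-formed input, before any record handler.
    Bug B (occluded): type-2 records use the untrusted count to index an
    8-slot table without a bound check.
    """
    cov = set()
    if len(data) < 3 or data[0] != ord("F"):
        cov.add("bad_magic")
        return cov
    cov.add("magic_ok")
    n = len(data) if fix_a else len(data) + 1      # the +1 is bug A
    checksum = 0
    for i in range(n):
        checksum ^= checked_read(data, i, "A:checksum_oob_read")
    cov.add("checksum_done")
    rtype, count = data[1], data[2]
    if rtype == 1:
        cov.add("type1")
    elif rtype == 2:
        cov.add("type2")
        table = [0] * 8
        for i in range(count):
            if i >= len(table):                     # bug B: count is unbounded
                raise Crash("B:table_overflow")
            table[i] = checksum
        cov.add("table_filled")
    else:
        cov.add("unknown_type")
    return cov


INTERESTING = [0, 1, 2, 3, 8, 9, 16, 0x7F, 0xFF]    # AFL-style "interesting" bytes


def mutate(rng, data):
    """One random mutation: random byte, interesting byte, append, or truncate."""
    b = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and b:
        b[rng.randrange(len(b))] = rng.randrange(256)
    elif op == 1 and b:
        b[rng.randrange(len(b))] = rng.choice(INTERESTING)
    elif op == 2:
        b += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 9)))
    elif op == 3 and len(b) > 1:
        del b[rng.randrange(1, len(b)):]
    return bytes(b)


def fuzz(iterations, fix_a, seed_value=1):
    """Coverage-guided loop. Crashing inputs are recorded as findings but never
    become seeds, so no coverage is ever credited to code past a crash site."""
    rng = random.Random(seed_value)
    seed = b"F\x01\x00"                               # constructed initial seed
    corpus, coverage, crashes = [], set(), set()

    def run(data):
        try:
            cov = target(data, fix_a)
        except Crash as c:
            crashes.add(str(c))
            return
        if not cov <= coverage:                     # new edges: keep as a seed
            coverage.update(cov)
            corpus.append(data)

    run(seed)
    for _ in range(iterations):
        parent = rng.choice(corpus) if corpus else seed
        run(mutate(rng, parent))
    return coverage, crashes


if __name__ == "__main__":
    for fix in (False, True):
        cov, crashes = fuzz(20000, fix_a=fix)
        print(f"bug A {'patched' if fix else 'present'}: crashes={sorted(crashes)}, "
              f"reached type2={'type2' in cov}")
```

With A present every well-formed input dies in the checksum loop, so the fuzzer never records an edge past it and B is never reported, however long it runs; the only way to see B is to patch A and run again. A libFuzzer-style run would stop on the first crash instead of continuing, which produces the same blind spot faster.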