[Keynote] Reasons for the Unreasonable Success of Fuzzing
The hacker culture of my youth (90s) was a very typical male-centric teenage subculture, with norms and value systems that were at odds with broader society. In my particular corner of the culture, the term ‘fuzz-tester’ was used as a derogatory put-down for people that were unable to find bugs by reading code. I wrote my first fuzzer around the age of 19, not to use it myself, but as part of a paid gig where someone else needed one. I couldn’t bring myself to use it; my pride in my ability to audit code wouldn’t let me go there. The fuzzer turned out to be annoyingly effective. And over the course of my 20s, I saw more and more people find surprisingly important and relevant bugs through fuzzing. Being humbled by looking down on fuzzing for years, only to realize that I would’ve been much more effective if I had fuzzed harder and earlier, was one of the more important experiences in becoming “a reasonable adult”. This keynote will discuss some of the reasons why fuzzing is so effective, why fuzzing is always an automatic winner of the hardware lottery, some historical bugs that were fuzzed (from OpenSSH to Cisco IPSec) and why brute-force exploration is an important component of all AI (even if it might not be a component of biological intelligence).
Bio: Thomas Dullien started computer security before it was a respectable field. He worked in that field and published research around vulnerability research, reverse engineering, program analysis, and malware analysis for a good 20 years, using the pseudonym “Halvar Flake”. He started and bootstrapped a reverse engineering company that was acquired by Google, built an industry-standard tool for patch analysis, contributed a number of innovations to reverse engineering, and wrote a paper about the theoretical foundation of exploitation; he then embarked on a bit of a second career focusing on computational efficiency and profiling (where he started another company, this time acquired by Elastic).
Mon 16 Sep (displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna)
09:00 - 10:00
09:00 (15m) Day opening: Opening and Welcome (FUZZING)
09:15 (45m) Keynote: [Keynote] Reasons for the Unreasonable Success of Fuzzing (FUZZING)