[Keynote] Reasons for the Unreasonable Success of Fuzzing

The hacker culture of my youth (90s) was a very typical male-centric teenage subculture, with norms and value systems that were at odds with broader society. In my particular corner of the culture, the term ‘fuzz-tester’ was used as a derogatory put-down for people that were unable to find bugs by reading code. I wrote my first fuzzer around the age of 19, not to use it myself, but as part of a paid gig where someone else needed one. I couldn’t bring myself to use it; my pride in my ability to audit code wouldn’t let me go there. The fuzzer turned out to be annoyingly effective. And over the course of my 20s, I saw more and more people find surprisingly important and relevant bugs through fuzzing. Being humbled by looking down on fuzzing for years, only to realize that I would’ve been much more effective if I had fuzzed harder and earlier, was one of the more important experiences in becoming “a reasonable adult”. This keynote will discuss some of the reasons why fuzzing is so effective, why fuzzing is always an automatic winner of the hardware lottery, some historical bugs that were fuzzed (from OpenSSH to Cisco IPSec) and why brute-force exploration is an important component of all AI (even if it might not be a component of biological intelligence).