I'm Adrian, and Zaiff is my colleague, and this is mostly his work; I'm just a lucky guy, or unlucky guy: three and a half thousand lines.

>> What is -- seeing as you are all in the room, I'd like to assume you know what fuzzing is. If you are expecting a talk about animals along those lines, sorry, wrong time. Fuzzing is applying input, or manipulating input to an application, and seeing if you can change the application. We can simply say: throw shit and see what sticks.

A history of fuzzing: we have to go back to 1999, the golden years of Miami Vice, awesome suits, rocking dance moves, syntax fuzzing, or using it for applications. Fuzzing has continued since then and has seen big names, one after another, applying it across multiple applications, multiple protocols and platforms. One thing that has stayed constant through the years is the fuzzing methodology, consisting of five steps.

Step one: identify your target. Is it a browser, is it a network stack, or anything like that? Once you've identified your target, you need to identify the inputs to this target. This can be done in multiple ways: either by using the application and identifying inputs, by reviewing documentation for the application or for your target, or by reversing the application and finding hidden inputs that weren't identified before.

Once you have identified the inputs, you need to generate test data. This can fall into two categories, either dumb fuzzing or smart fuzzing. Dumb fuzzing can be simply inserting a thousand -- and seeing if the application crashes. When you are doing it you apply data to your inputs without any prior knowledge of what the application is expecting or what the data should look like. In smart fuzzing you use knowledge about the input --; this usually takes valid test data and mutates it in different ways.

Once you have generated test data you need to start fuzzing. This is simple: you feed the data to the target application and see what happens. To do this, in our case, we monitor the application for memory errors.
>> So there are some tools that help us with the process: memory error detectors. What they do is basically run the application, feed it the test data and monitor the application for crashes. For Windows we have --, for Linux and -- OS X memory error detectors; what they do is detect errors in memory early by hooking the -- memory allocations, so that -- memory accesses to these allocations will result in a crash of the application. Also for Windows we have --, which is part of the Windows toolkit.

Mic Ox -- the real reason you are here -- what is it? Apart from the obvious meaning in -- may contain high -- it is a grammar-based browser fuzzer. What this means is that we use a defined grammar to generate our test cases and feed these into any browser that uses the same grammar to construct its parsing methods. This approach has been very successful and has resulted in numerous crashes, high-security crashes, in browsers.

The reason we created it: we wanted to be able to identify bugs in existing and new web --. The process for this has usually been a hard, manual process; you normally focus on one browser. By looking at the grammar and using the grammar to generate test cases, we are able to quickly and easily generate new test cases as new APIs are brought up and implemented in browsers, by using the specification, the same technology that the browser creators are using. This allows us to build test cases that are standard across browsers, and you can use the same test cases for Chrome, Firefox, and hopefully you get browser crashes.

So -- all the way through 3, 4, CSS, CSS 3 as well, and at the moment the Web Animations API. But there are no limitations to which API --; you simply need to feed it the correct information and it will generate correct test cases and it will be able to fuzz for you. We all know what it means: crashes mean money. So no one has made it rain for us yet, but we have made some money, more specifically -- yeah.
The document object model provides us standard objects to describe XML documents; it also provides interfaces for interacting with these objects and manipulating them. Web APIs give us JavaScript interfaces to the object model. These web APIs can also consist of speech, web audio, animation; the latest one is web --, and APIs are being pushed out constantly and hopefully being pushed out in all browsers.

What is a grammar? Grammar is something we use on an everyday basis; if you apply this to languages such as English, your grammar defines how a sentence should be constructed, when you use a verb or a noun. In computer science grammars are used to construct compilers, and are used by compilers to parse a programming language, verify that the syntax is correct and decide how to generate --. -- on the other hand uses a grammar -- much the same way as a compiler would, and generates our test cases for browsers. If you want to put grammar into one sentence, specifically, it is knowing the difference between your shit and you're shit.

Grammar when applied to IDL -- W3C -- this defines how browsers should implement new web APIs and the document object model; this can be described with --. So those of you who have done computer science know what an LL(1) grammar is and how this relates to specifications. Simply put, it allows parsing of the -- and web APIs in a standardized manner that allows browser manufacturers to all apply the same standard to the browser technology, unless you're Microsoft, then you kind of follow your own specifications.

Interfaces: an interface -- defines a structure that can contain attributes and functions that interact with the document object model. Here we see a grammar that defines this interface object, and we can see that we have a token called interface, which is followed by an identifier, possible inheritance, and then all the interface members or objects belonging to this interface.
If we create a simplified interface for the Text object, we can see that we've got our identifier -- and our inheritance --. We can also see that in this case we've got four interface members. These interface members can be described individually as well, and if we look at the grammar for this we can see that an interface member can be a constant, which we are not interested in in this case; what we are interested in is the fact that it can be attributes or operations. An attribute and an operation can either be values that describe the interface or the functions that interact with that interface.

>> So if we just look at the attribute definition for -- attributes, we can see that we've got possible inheritance, a read-only flag that can be set, the type and the identifier; in this case one read-only attribute, one read-write attribute and one --. The same principle can be applied to all functions, and we can see that functions can have a return type, an identifier and possible inputs. And these inputs can, by themselves, have different input types and values.

>> When mapping IDL into a grammar to generate our test cases we map to JavaScript objects. What we've done is create an object for attribute; an attribute can have three members: the --, the function that allows us to generate data for that attribute type, and whether the read-only flag is set. When you look at our functions, the same principle has been applied: we create an array containing two members, one with an identifier for that function or method, and a second array containing functions that generate our test inputs to those functions. Here's the full JavaScript object we created from our initial Text interface. We can see that we've set the name, there's a Text, we've got the attributes that have been defined and we can generate expected values for those attributes, and the same thing for methods: we can create expected inputs.
We -- with the CharacterData interface and the associated attributes and methods; this is due to inheritance.

>> So we have functions that help us through the project. Most of it is used during generation of input data, either through the attribute, which is governed by input, or --. The more significant of these are the functions you see in front of you: one number in -- supplied --. Most importantly, we have three functions that we'd like to focus on: the RA array and array work, which basically works through --; if it's a string it will just return a string, if it's a function -- return value. The last function returns the element, which will refer to the element through the fuzzer and will either reference the element directly or reference element first child, element last child, element -- or whatever it may be.

The -- it creates test cases as: first the element is created, -- interface string --, preparation of the test case. The test case is everywhere, as you can see. First, it works on two spaces, which allows us to -- in the fuzzer and the browser -- from the test case. The next thing to go is element creation. You can see that it has three main functions for element creation: create --. The create element function will basically choose a random interface, create an element for it and save two references, one to the browser-space element --; create random-length text nodes -- to the elements, mingle the --. Next we have -- basically fuzz with a certain number. This number will be used as the exact number of -- that this will execute. What this fuzz function does is randomly call one of the functions we have in the fuzzer, ranging from window, document or element interfaces, or -- or using normal --. We have functions that dynamically create -- dynamically -- create functions and work through them, as well as play with attributes or garbage collection, depending on what it is. The last thing is how we prepare the string.
First, we have a function that will generate random function names to be used as callbacks for events; that will create this simple function depending on the number of statements -- that it will contain. Next, JavaScript statements related to element creation, be that the main element itself or the observers or normally created --; after that, just -- create statements at the end, and randomly insert JavaScript statements that are used to -- these objects. This is the sample object from --; this will be between --; this is dynamically created, none of this is --.

We wanted to prepare for --; a little bit boring, so we decided to give you a little sneak peek of the work on testing the fuzzer. As you can see it is running. We connected to the fuzzing server. As you see, it doesn't take long for Spartan to crash. This is a simple -- the reference, but going in the right direction.

Next we talk about our findings. Basically we were able to find four bugs: two duplicates and two confirmed. Of the ones that are confirmed, one of them is 2015-1243; this was a --; this is the POC for it. Three thousand for it. The second one, as you can see, is very simple, but an assertion --. The second one, the fourth one, the last one, is also a duplicate, unfortunately, because I found it 24 hours after --, so it's fine. Basically, thank you; the code will be up, hope you enjoyed our talk. These are the references, if you need to look at them, that we used during our research.

>> [Applause].

>> If anyone has questions we would be happy to take them.

>> There is a tool we have created which basically takes -- and it will generate that JavaScript dynamically, explaining how this whole process has been done. Anyone else want to ask anything?

>> Question asked.
>> So because we are generating JavaScript statements we are going to be -- already created document; there is an implementation, thankfully made, that can be used to basically apply to an actual document and feed it to the browser. If we are fuzzing the engine script itself I would --. Yep.

>> Question asked.

>> Sorry?

>> Question re-asked.

>> Well, we haven't tried yet; we have some ideas that we have tested but not fully implemented that worked against something like Ruby, for example -- Ruby, for example. Anyway, guys, we are going to be around if you want to ask us anything. Hope you enjoyed it. Have a great day.