Maksim Shudrak (@mshudrak)'s Twitter Profile

Offsec, Exploit/Malware Dev, Vuln Research, Tools Dev, RE

Opinions expressed are solely my own and do not express the views or opinions of my employer.

ID: 880120724429602816

Link: https://github.com/mxmssh
Date: 28-06-2017 17:48:27

81 Tweet

838 Followers

116 Following

Andrea Fioraldi (@andreafioraldi)

I've just written a performant in-memory fuzzing module with Frida for AFL++ github.com/andreafioraldi…. Watch AFL++ on GH and stay tuned for a frida_mode in the next days!

Maksim Shudrak (@mshudrak)

Just released Manul v 0.4, a lot of performance improvements and bug fixes. New features:
- InApp coverage-guided blackbox fuzzing on both Windows (winAFL-like) and Linux. On Linux, it is the only tool that supports this type of fuzzing now :)
- Added AFL forkserver (x10 speedup)

Richard Johnson (@richinseattle)

Just a reminder that I’ll be giving a keynote at FuzzCon RSA on Tuesday morning in SF. I’ll talk about history, modern adoption, and future challenges. There are about 120 attendees registered so it should be a great size for networking. Ping me for a free registration code.

Abhishek Arya (@infernosec)

After a decade of fuzzing, we just launched FuzzBench, a fuzzer benchmarking platform to bridge the gap between academic fuzzing research and industry fuzzing engines (e.g. libFuzzer, AFL, Honggfuzz). github.com/google/fuzzben…

Tavis Ormandy (@taviso)

I have something fun for you, I pulled the javascript interpreter out of Avast and ported it to Linux 😆 This runs unsandboxed as SYSTEM, any vulns are wormable pre-auth RCE on 400M endpoints  ¯\_(ツ)_/¯ github.com/taviso/avscript 🐧

Maksim Shudrak (@mshudrak)

My article "Leveraging Coverage-Guided Fuzzing to Find Exploitable Bugs" was published by Pentest Mag pentestmag.com/product/pentes…

Kostya Serebryany (@kayseesee)

I'm still hiring! Looking for an engineering manager in Sunnyvale, CA, USA. Details: careers.google.com/jobs/results/8… (And happy new year everyone!)

Heather Adkins - Ꜻ - Spes consilium non est (@argvee)

Today we take you behind the scenes like never before, learn about the work Google's security experts do behind closed doors to keep billions safe every day. The HACKING GOOGLE docuseries is streaming NOW on YouTube → g.co/safety/Hacking…

Maksim Shudrak (@mshudrak)

Need to evaluate impact of leaked GCP credentials or VM compromise? We implemented a GCP Scanner to help with that! I am very excited to present GCP Scanner (github.com/google/gcp_sca…) w/ Jacob Butler at BlackHat Arsenal USA this year on August 10. blackhat.com/us-23/arsenal/…

Trail of Bits (@trailofbits)

Buttercup won the $3M second prize at DARPA's AIxCC. We found 28 vulnerabilities across 20 CWEs with 90% accuracy at just $181/point, achieving this with exclusively non-reasoning LLMs.
