A while back I was chatting with someone at INFILTRATE, over fried alligator and more alcohol than I probably should have imbibed, and he said, "We're going to make fuzzing obsolete, because we have more CPUs on the problem than anyone can reasonably duplicate, and we're going to exhaust the space".
And it's PLAUSIBLE in a way. I've watched a few of the live streams that Brandon Falk does, and you can see how like, for a certain subset of problems throwing more CPU and Power than Zeus at the fuzz problem might actually drain the oceans we all swim in.
But lots of plausible stuff is still dead wrong. I spun up a private fuzzer a few weeks ago with some random test harness and popped a bug[1] in a popular browser almost by mistake. Now I'm spending hours and hours pouring over C code trying to find the root cause so I can control it, which since I am so out of practice is not unlike a coal locomotive trying to drive down one of the new Boring Company tunnels, coughing black oily smoke all over those shiny white Teslas. How do you install Ctags again?
If you're bored, this Sunday, or any Sunday, you can watch this talk on CONOPS I put together, after spending too much time reading bad cyber policy papers: https://youtu.be/6l28f_x54gM . It might be related, it might not. The world is unknowable, like the results of a fuzzer.
Some part of all of this is a lesson that when it comes to bug finding, it's not only ok to be different - to be from a different era, or to think in a different way - it's almost required. Team BigCorp can spin up all the VMs in the world, and if they don't love the same bugclasses you do, they will have optimized away from finding the bugs you find.
Also, I want everyone to help publicize this so we can change the world for the better, even if just a bit. Send it to your friends! Think of cool things to do with it! https://twitter.com/NSPFoundation/status/1379849502199144449?s=20
-dave [1] a3ca63d4929c08a18c4418e039557e6d lol, I had trouble getting this hash but in the process found out it hits the default Windows 10 Home (not Pro, because Dwizzle hasn't sent me that yet) as well.