Fuzzing techniques have proved to be very effective for discovering vulnerabilities in web browsers.
Over time several valuable fuzzing approaches and frameworks have been developed, and some of them have become a “de-facto” standard, widely adopted by the security research community.
With the introduction of bounty programs by browser vendors and the growth of 0-day marketplaces, a much wider audience has lately become involved in vulnerability research. Moreover, all major browser vendors have deployed fuzzing infrastructures running 24/7 on their private clouds made up of thousands of CPUs. So the only chance for independent researchers to stand against this majestic bug-killing armada is to embrace smart fuzzing and take aim at specific browser APIs/behaviours.
In this talk I will give an overview of common memory corruption bugs, current browser fuzzing techniques and their limitations; finally, I will introduce a novel fuzzing algorithm targeting specific browser aspects, explain the rationale behind it, and discuss a bunch of exploitable memory corruption bugs uncovered using this approach.