Fuzzing for C++ Developers [2021 class archive]

Fuzzing for C++ Developers is a one-day training course with programming examples taught by David Brumley and Thanassis Avgerinos. It is offered onsite at the Gaylord Rockies from 09:00 to 17:00 on Saturday, October 30th, 2021 (immediately following to the conference). Lunch is included.

Course Description

Ever wanted to automate writing security and functional tests? Fuzzing can help! Fuzzing helps you find crashes, hangs, and security errors. It can also grow your functional test coverage automatically. Indeed, the 2021 CPP developer survey reports 37% of developers are now using fuzzing.

In this class, we’ll provide you with hands-on instruction and labs for getting started with fuzzing. Briefly, the course will cover:

  1. An overview of basic types of program analysis, and where fuzzing fits in.
  2. Open source fuzzing using AFL and libfuzzer.
  3. A pragmatic approach to writing fuzz test harnesses.
  4. How to automate fuzzing within your pipeline.
  5. On-site labs where you get to reproduce famous bugs and vulnerabilities (that have previously been responsibly disclosed and fixed), including heartbleed and the DNS bug on Tesla cars.


Attendees must be able to write C/C++. Advanced programming is not required. Attendees must have their own computer, be able to run Docker (labs will be dockerized), and be able to use the Linux CLI.

Course Topics

  1. Overview of the big four in program analysis: static analysis, SCA, DAST/IAST, and fuzzing. This provides a conceptual framework to understand where fuzzing fits in.
  2. Introduction to AFL and libfuzzer
  3. First lab using AFL and libfuzzer.
  4. Second lab: reproducing heartbleed (quick and fun!)
  5. Introduction to harnessing apps
  6. Third lab: harnessing tinyxml2 to find flaws.
  7. Automate fuzzing within your pipeline.
  8. Fourth lab: harnessing the tesla hack.
  9. Conclusion

Register Here

Course Instructors


David Brumley is a professor in ECE and CS at Carnegie Mellon University and CEO of ForAllSecure. He specializes in software security. David received his Ph.D. in Computer Science from Carnegie Mellon University, an M.S. in Computer Science from Stanford University, and a B.A. in Mathematics from the University of Northern Colorado. He served as a computer security officer for Stanford University from 1998-2002 and handled thousands of computer security incidents in that capacity. He is the faculty mentor for the Carnegie Mellon Hacking Team Plaid Parliament of Pwning (PPP), which is ranked internationally as one of the top teams in the world. Brumley’s honors include an NSF CAREER award, member of the DARPA ISAT advisory board, the United States United States Presidential Early Career Award for Scientists and Engineers (PECASE) from President Obama (the highest award in the US for early career scientists), and a 2013 Sloan Foundation Award. His company ForAllSecure won the DARPA Cyber Grand Challenge. In his free time…who are we kidding. He has no free time.
The co-instructor is Dr. Thanassis Avgerinos, PhD from CMU.