Sanitize, Fuzz, and Harden Your C++ Code

Wednesday, January 27, 2016 - 11:30am12:00pm

Kostya Serebryany, Software Engineer, Google


The Sanitizers (AddressSanitizer and friends) is a family of dynamic testing tools for C and C++ based on compile-time instrumentation. They find bugs like use-after-free, buffer overflows, data races, uses of uninitialized memory, integer overflows, and many other kinds of bugs both in the user space and in the kernel. These tools are only as good as your test coverage, and so we’ll also discuss libFuzzer, a library for in-process contol- and data-flow guided fuzzing. Finally, even if these tools miss some of the bugs there is one more line of defense: security hardening of production binaries using compiler instrumentation. Control Flow Integrity will halt the program if a VPTR or an indirect function pointer looks corrupt, and Safe Stack will protect the return address from stack buffer overflow.

Kostya Serebryany, Software Engineer, Google

Konstantin (Kostya) Serebryany is a Software Engineer at Google. His team develops and deploys dynamic testing tools, such as AddressSanitizer and ThreadSanitizer. Prior to joining Google in 2007, Konstantin spent four years at Elbrus/MCST working for Sun compiler lab and then three years at Intel Compiler Lab. Konstantin holds a Ph.D. from and a Masters from

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@conference {206275,
author = {Kostya Serebryany},
title = {Sanitize, Fuzz, and Harden Your C++ Code},
year = {2016},
address = {San Francisco, CA},
publisher = {USENIX Association},
month = jan

Presentation Video