by vulnan 3625 days ago
You might not be as far from the cutting edge as you'd expect.

From what I've seen, fuzzing is divided into two major camps (I'm generalizing to the extreme here):

1. Mutational - These include tools like AFL, which are gaining traction in the open source community, and have a lot of applications, perhaps most notably in library and application fuzzing.

2. Generational - These include commercial tools Defensics and PeachFuzzer, and open source tools like Peach, Spike, and Sulley. The state of the art is held by commercial offerings in this camp, and it's what businesses are more likely to be interested in.

My hypothesis as to the reason for this split: Open source hackers are interested in finding bugs. Businesses are interested in assurance that their software is safe ("safe"). Protocol-specific tools give the impression that we've done the best we can at securing IP/TCP/TLS/HTTP/etc. Defensics is by far the dominant offering (in terms of apparent popularity), and Peach is the only active competitor I've ever found.

The open source generational branch is moving very slowly. The primetime candidate was once Peach, now called Peach Community [1]. Unfortunately the corporate backer switched to a closed solution, and left the open source tool out to dry. The latest tool of note besides Peach is Sulley [2] [3].

Books: I haven't found any books that go below the surface. "Fuzzing: Brute Force Vulnerability Discovery" has decent reviews on Amazon, but I found it more breadth than depth.

Papers:

1. IMO the seminal paper on fuzzing is Rauli Kaksonen's thesis, "A Functional Method for Assessing Protocol Implementation Security." [6] This will take you almost to the state of the practice. Kaksonen was a co-founder of Codenomicon. Very interesting read.

Talks: If you want cutting edge research, conference talks and blog posts may be as good as papers.

1. 2007 Blackhat conference Sulley talk "Fuzzing Sucks! - Introducing Sulley Fuzzing Framework" [2]

2. Google Charlie Miller fuzzing. My favorite slide decks are [7] and [8]. High fives (and a beverage on me should time and space ever permit) to anyone who can find audio or video from the actual talks.

Shameless plug(s):

1. Due to lack of response on Sulley pull requests, I forked to a new project called boofuzz [4], and I commit to at least address pull requests more quickly.

2. I'll be giving a fuzzing talk at Defcon 24's Packet Hacking Village which will address, among other things, the state of open source fuzzing [5].

[1]: http://www.peachfuzzer.com/resources/peachcommunity/

[2]: http://www.podcast.tv/video-episodes/pedram-amini-aaron-port...

[3]: https://github.com/OpenRCE/sulley

[4]: https://github.com/jtpereyda/boofuzz

[5]: https://www.wallofsheep.com/pages/dc24

[6]: http://www.vtt.fi/inf/pdf/publications/2001/P448.pdf

[7]: https://cansecwest.com/csw08/csw08-miller.pdf

[8]: http://pages.cs.wisc.edu/~rist/642-fall-2012/toorcon.pdf