by seanmcdirmid 2853 days ago
When I was an undergrad in 1997, I created a fuzzer (well, we didn't know to call it that back then) to insert one byte changes into Java classfiles, and then used that to test our bytecode verifier along with Sun and Microsoft's.

Suffice it to say, we found lots of bugs, the most famous one being what my grad advisor called the vacuum bug that could read a web client's environment variables (among other things): https://archive.nytimes.com/www.nytimes.com/library/cyber/un...

3 comments

Very cool! I think fuzzers are SO interesting. One of my favorite examples is lcamtuf’s post on generating valid JPGs from nothing [1]. Just so awesome.

1: https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-th...

Tangentially related, speaking of Java, I wrote a path guided one recently for code running on the JVM: https://github.com/cretz/javan-warty-pig. It's found bugs for me on internal things, but I haven't run it on anything popular to build a trophy case.
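The two fuzzing styles mentioned in this thread, the top post's single-byte classfile mutations and the path-guided approach, as one added example (not code from the thread, from Sun, Microsoft, or the javan-warty-pig project). The target is a toy classfile-header parser standing in for a verifier front end, the 33-byte seed classfile and the INTERESTING byte list are constructed here, and the toy parser intentionally omits the bounds check on CONSTANT_Utf8 lengths so the harness has something to report. Each run is classified as accepted, cleanly rejected (the parser raised its own error) or crash (any other exception), which is the distinction a verifier tester cares about; the guided mode uses sys.settrace line coverage of the parser to keep mutants that reach new code.

```python
import struct
import sys
from collections import Counter
from typing import Dict, FrozenSet, Iterable, Iterator, List, Tuple


class Rejected(Exception):
    """Clean rejection: the parser noticed the corruption and said so."""


CP_UTF8, CP_CLASS = 1, 7   # constant_pool tags from the JVM spec, section 4.4


def parse_classfile(data: bytes) -> Dict[str, object]:
    """Toy stand-in for a verifier's classfile front end (constructed for this
    example). The Utf8 branch deliberately lacks a pos + length <= len(data) check."""
    magic, minor, major, cp_count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise Rejected("bad magic")
    if not 45 <= major <= 65:
        raise Rejected("unsupported major version")
    pos, pool = 10, [None]                     # pool index 0 is unused, as in the spec
    for _ in range(cp_count - 1):
        tag = data[pos]                        # IndexError past the end: unhandled
        pos += 1
        if tag == CP_UTF8:
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            pool.append(data[pos:pos + length].decode("utf-8"))  # slice silently truncates
            pos += length
        elif tag == CP_CLASS:
            (name_index,) = struct.unpack_from(">H", data, pos)
            pos += 2
            pool.append(("class", name_index))
        else:
            raise Rejected(f"unknown constant pool tag {tag}")
    _access, this_class, _super = struct.unpack_from(">HHH", data, pos)
    pos += 6
    if not 0 < this_class < len(pool) or not isinstance(pool[this_class], tuple):
        raise Rejected("this_class is not a CONSTANT_Class")
    name_index = pool[this_class][1]
    if not 0 < name_index < len(pool) or not isinstance(pool[name_index], str):
        raise Rejected("class name is not a CONSTANT_Utf8")
    if any(struct.unpack_from(">HHHH", data, pos)):
        raise Rejected("members and attributes are outside this toy parser")
    if pos + 8 != len(data):
        raise Rejected("trailing bytes")
    return {"version": (major, minor), "name": pool[name_index]}


# Constructed 33-byte classfile: class "Foo", no members, no attributes.
SEED_CLASSFILE = (
    b"\xCA\xFE\xBA\xBE" + b"\x00\x00" + b"\x00\x34"   # magic, minor 0, major 52
    + b"\x00\x03"                                     # constant_pool_count = 3
    + b"\x07\x00\x02"                                 # #1 CONSTANT_Class -> #2
    + b"\x01\x00\x03Foo"                              # #2 CONSTANT_Utf8 "Foo"
    + b"\x00\x21\x00\x01\x00\x00"                     # access_flags, this_class=1, super=0
    + b"\x00\x00" * 4                                 # interfaces/fields/methods/attrs = 0
)
INTERESTING = (0x00, 0x01, 0x02, 0x07, 0x45, 0x7F, 0x80, 0xFF)   # constructed byte choices


def single_byte_mutants(data: bytes, values: Iterable[int]) -> Iterator[bytes]:
    """Every input that differs from data in exactly one byte position."""
    for i in range(len(data)):
        for v in values:
            if v != data[i]:
                yield data[:i] + bytes([v]) + data[i + 1:]


def run_one(data: bytes) -> Tuple[str, FrozenSet[int]]:
    """Parse one input; return (outcome, line numbers of parse_classfile executed)."""
    covered, target = set(), parse_classfile.__code__

    def tracer(frame, event, arg):
        if frame.f_code is not target:
            return None                        # do not trace other frames
        if event == "line":
            covered.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        parse_classfile(data)
        outcome = "accepted"
    except Rejected:
        outcome = "rejected"
    except Exception:                          # IndexError, struct.error, UnicodeDecodeError
        outcome = "crash"
    finally:
        sys.settrace(previous)
    return outcome, frozenset(covered)


def fuzz_blind(seed: bytes) -> Counter:
    """Single-byte substitution of the seed with all 255 other values, no feedback."""
    return Counter(run_one(m)[0] for m in single_byte_mutants(seed, range(256)))


def fuzz_guided(seed: bytes, max_runs: int = 20000) -> Tuple[Counter, List[bytes]]:
    """Coverage-guided loop: mutants that execute a new parser line join the corpus."""
    outcomes, corpus, runs = Counter(), [seed], 0
    _, seen_lines = run_one(seed)
    seen_lines = set(seen_lines)
    i = 0
    while i < len(corpus) and runs < max_runs:
        parent, i = corpus[i], i + 1
        for mutant in single_byte_mutants(parent, INTERESTING):
            if runs >= max_runs:
                break
            runs += 1
            outcome, lines = run_one(mutant)
            outcomes[outcome] += 1
            if not lines <= seen_lines:        # reached something new: keep it
                seen_lines |= lines
                corpus.append(mutant)
    return outcomes, corpus


if __name__ == "__main__":
    print("blind:", dict(fuzz_blind(SEED_CLASSFILE)))
    guided, corpus = fuzz_guided(SEED_CLASSFILE)
    print("guided:", dict(guided), "corpus size:", len(corpus))
```

Every "crash" the harness reports is a malformed classfile the toy parser failed to reject cleanly (an oversized Utf8 length walks pos off the end of the buffer, a constant pool count larger than the data indexes past it, a non-UTF-8 byte in a name), which is the same class of finding the original experiment was after: a verifier that does something other than refuse bad input. Against a real verifier the parse_classfile call would be replaced by invoking the verifier on the mutant and the outcome classification by its exit status or exception.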
Nice! Not many people can say that their university project made it into the New York Times!