Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Fuzz Testing YottaDB- 737

Zach Minneker + YottaDB Devs. Posted 4 Years Ago
  • MUMPS is a programming language and database used in the banking and medical sectors. Because this language/environment pre-dates ANSI C, it has some interesting quirks. Zach (an amazing co-worker of mine) did some amazing fuzzing research into two different implementations of MUMPS, finding 30 CVEs in total.
  • Zach set up a fuzzer for the YottaDB implementation of MUMPS. This was done by feeding the interpreter mutated code generated by the fuzzer. Using dynamic instrumentation to track which paths had already been hit, the fuzzer was able to go down some dark rabbit holes and eventually find some bugs.
  • To make the fuzzer actually work, Zach had to remove the signal handling, change the input type, and adjust many other things. Zach eventually set up AddressSanitizer to catch the non-crashing memory bugs as well.
  • This will likely become a DEFCON talk as well. I'm excited to see some of the technical details released for this; some of the bugs are wild! Use after frees, buffer overflows, logic bugs... so many weird things!
  • The developers of this project were 1 in a million. Once these bugs were found, they chatted with Zach about how to fix them. Furthermore, they asked Zach to help them set up a fuzzing infrastructure for the project. Overall, he made the world a much more secure place :)