TKK #34: Fundamentals of Fuzz Testing, Explained in Plain Language
Fuzz testing sounds intimidating and low-level, but at its core it’s a simple idea: throw lots of weird, unexpected inputs at your program and see what breaks. In this session, fuzzing expert Nikolay Shaplov will unpack the fundamentals of fuzz testing in clear, everyday language, with examples you can relate to your own codebase.
Instead of going deep into academic theory, we’ll focus on why fuzzing matters for real-world software, how it fits into a secure development lifecycle, and what actually happens inside a modern fuzzer like AFL++. You’ll see how fuzzers start from a handful of “seed” inputs and then automatically mutate them — flipping bits, tweaking numbers, injecting dictionary values — to explore thousands of new code paths you’d never think to test by hand.
We’ll also demystify how coverage-guided fuzzers use compiler instrumentation (for example, afl-clang-fast) to watch which parts of your program execute, and how sanitizers like ASan and UBSan turn silent memory errors and undefined behaviour into crashes the fuzzer can catch and report. By the end, you’ll understand how fuzzing can continuously probe your software for hidden crashes, memory bugs, and security vulnerabilities, and how it complements unit tests rather than replacing them.
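As an added illustration of the loop the two paragraphs above describe (constructed example code, not AFL++ source and not the speaker's material): a toy coverage-guided fuzzer in C. The target parse_header, the TRACE macro standing in for the instrumentation afl-clang-fast inserts, the dictionary tokens and the seed input are all assumptions chosen for this example. It runs three of the deterministic mutation stages the description names (walking bit flips, small arithmetic, dictionary token overwrites), keeps only inputs that reach an edge never seen before, and prints what ended up in the queue.

```c
/*
 * Toy coverage-guided mutational fuzzer (constructed example, not AFL++ code).
 * Start from a seed, mutate it (bit flips, arithmetic, dictionary tokens), run the
 * instrumented target, and keep only inputs that light up edges never seen before.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_INPUT 64
#define MAX_QUEUE 64
#define MAP_SIZE  256
#define ARITH_MAX 35        /* AFL-style +-1..35 arithmetic range */

typedef struct { uint8_t data[MAX_INPUT]; size_t len; } input_t;

static uint8_t cur_map[MAP_SIZE];    /* edges hit by the current execution */
static uint8_t global_map[MAP_SIZE]; /* edges hit by any execution so far */
static unsigned prev_loc;            /* previous basic block, as afl-clang-fast tracks it */

/* Hand-written stand-in for compiler instrumentation: record the
 * (previous block, current block) edge, then remember where we are. */
#define TRACE(id) do { cur_map[((prev_loc << 3) ^ (id)) % MAP_SIZE] = 1; prev_loc = (id); } while (0)

/* Constructed target: a tiny header parser with a magic string and a version byte. */
int parse_header(const uint8_t *buf, size_t len) {
    prev_loc = 0;
    TRACE(1);
    if (len < 5)                { TRACE(2); return -1; } /* too short */
    if (memcmp(buf, "FUZZ", 4)) { TRACE(3); return -2; } /* wrong magic */
    TRACE(4);
    switch (buf[4]) {
    case 0x01: TRACE(5); return 1;   /* version 1 */
    case 0x7f: TRACE(6); return 2;   /* rarely used version */
    default:   TRACE(7); return -3;  /* unsupported version */
    }
}

input_t make_input(const char *s) {
    input_t in; memset(&in, 0, sizeof in);
    in.len = strlen(s); if (in.len > MAX_INPUT) in.len = MAX_INPUT;
    memcpy(in.data, s, in.len);
    return in;
}

/* Mutation operators, each the simplest form of a stage AFL++ runs. */
void flip_bit(input_t *in, size_t bit)              { in->data[bit / 8] ^= (uint8_t)(1u << (bit % 8)); }
void tweak_byte(input_t *in, size_t pos, int delta) { in->data[pos] = (uint8_t)(in->data[pos] + delta); }

/* Assumed user-supplied dictionary (what -x gives AFL++): protocol magic and version constants. */
static const struct { const char *tok; size_t len; } dict[] = { {"FUZZ", 4}, {"\x01", 1}, {"\x7f", 1} };
#define NDICT (sizeof dict / sizeof dict[0])

int overwrite_token(input_t *in, size_t pos, size_t t) {
    if (pos + dict[t].len > in->len) return 0;   /* this toy never changes the input length */
    memcpy(in->data + pos, dict[t].tok, dict[t].len);
    return 1;
}

/* Execute the target once and merge its edges into the global map; return how many were new. */
size_t run_and_merge(const input_t *in) {
    size_t new_edges = 0;
    memset(cur_map, 0, sizeof cur_map);
    parse_header(in->data, in->len);
    for (size_t i = 0; i < MAP_SIZE; i++)
        if (cur_map[i] && !global_map[i]) { global_map[i] = 1; new_edges++; }
    return new_edges;
}

size_t edges_covered(void) {
    size_t n = 0;
    for (size_t i = 0; i < MAP_SIZE; i++) n += global_map[i];
    return n;
}

static input_t queue[MAX_QUEUE];
static size_t queue_len;

static void consider(const input_t *cand) {
    if (queue_len < MAX_QUEUE && run_and_merge(cand) > 0) queue[queue_len++] = *cand;
}

/* One deterministic pass: every queue entry, including ones found along the way,
 * goes through all three stages. Returns the number of coverage-increasing inputs kept. */
size_t fuzz(const input_t *seed) {
    memset(global_map, 0, sizeof global_map);
    queue_len = 0;
    consider(seed);                                  /* a seed always adds coverage to an empty map */
    for (size_t q = 0; q < queue_len; q++) {
        input_t base = queue[q], cand;
        for (size_t bit = 0; bit < base.len * 8; bit++) {          /* stage 1: walking bit flips */
            cand = base; flip_bit(&cand, bit); consider(&cand);
        }
        for (size_t pos = 0; pos < base.len; pos++)                /* stage 2: small arithmetic */
            for (int d = -ARITH_MAX; d <= ARITH_MAX; d++) {
                if (d == 0) continue;
                cand = base; tweak_byte(&cand, pos, d); consider(&cand);
            }
        for (size_t pos = 0; pos < base.len; pos++)                /* stage 3: dictionary tokens */
            for (size_t t = 0; t < NDICT; t++) {
                cand = base;
                if (overwrite_token(&cand, pos, t)) consider(&cand);
            }
    }
    return queue_len;
}

int main(void) {
    input_t seed = make_input("XXXXX");              /* constructed seed: right length, wrong magic */
    size_t kept = fuzz(&seed);
    printf("queue entries: %zu, edges covered: %zu of 7\n", kept, edges_covered());
    for (size_t i = 0; i < kept; i++) {
        for (size_t j = 0; j < queue[i].len; j++) printf("%02x ", queue[i].data[j]);
        printf("\n");
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall toy_fuzz.c` (file name assumed) and run it. Bit flips and arithmetic alone never turn XXXXX into the magic, but the dictionary stage does, and that new queue entry is what lets the later stages reach the two version branches; the too-short branch is never hit because none of these operators shrink the input, which is one reason real fuzzers also carry block-deletion and trimming stages. The toy only records coverage; detecting the memory errors behind a crash is what ASan adds on top of a loop like this.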
No prior fuzzing experience is required. If you’ve ever written C, C++, Perl, or worked on systems where reliability and security matter, this talk will give you a mental model for what fuzzing is, how it works, and how to start experimenting with it in your own workflow.
Speaker
Nikolay Shaplov
Fuzzing expert at Postgres Professional
C/C++/Perl developer with 25 years of experience
Nikolay has spent decades working close to the metal on complex systems, databases, and performance-critical code. At Postgres Professional, he focuses on uncovering subtle bugs and vulnerabilities using fuzzing and other advanced testing techniques, and turning those lessons into practical guidance for everyday developers.