Alex is a lead security engineer at Trail of Bits. He has over 13 years of experience in the IT industry as a software developer, security engineer, and penetration tester. As a software developer, he has worked and architected mobile and web applications in various languages and frameworks, including .NET, Objective C, and Go. Alex specializes in Go security research and is actively developing static analysis tools for discovering Go vulnerabilities.
Go is a great language that is explicit, simple, and it makes writing concurrency extremely easy. Yet, it suffers from many of the same vulnerabilities you'd encounter in C and C++ applications. Writing concurrent Go code can also be risky, as vicious concurrency bugs can slowly sneak into your application. So, how can you get started discovering vulnerabilities in Go code? This talk will discuss approaches to finding vulnerabilities in Go code and the state of static and dynamic analysis tools for automated discovery of Go vulnerabilities, from static analysis to fuzzing to fault injection. We will learn about common vulnerabilities in Go and how to catch them, whether you are a security researcher or a Go developer.
I will demo three tools:
- Go-fuzz for fuzzing Go applications
- GCatch for detecting concurrency bugs in Go code
- gotico, a tool currently in development for catching library-specific bugs