Fuzzers, analyzers, and other Gophers insecticides
10-12, 11:00–11:50 (US/Pacific), The Point

Go is a great language that is explicit, simple, and it makes writing concurrency extremely easy. Yet, it suffers from many of the same vulnerabilities you'd encounter in C and C++ applications. Writing concurrent Go code can also be risky, as vicious concurrency bugs can slowly sneak into your application. So, how can you get started discovering vulnerabilities in Go code? This talk will discuss approaches to finding vulnerabilities in Go code and the state of static and dynamic analysis tools for automated discovery of Go vulnerabilities, from static analysis to fuzzing to fault injection. We will learn about common vulnerabilities in Go and how to catch them, whether you are a security researcher or a Go developer.


Go is a great language that is explicit, simple, and it makes writing concurrency extremely easy. Yet, it suffers from many of the same vulnerabilities you'd encounter in C and C++ applications. Writing concurrent Go code can also be risky, as vicious concurrency bugs can slowly sneak into your application. So, how can you get started discovering vulnerabilities in Go code? This talk will discuss approaches to finding vulnerabilities in Go code and the state of static and dynamic analysis tools for automated discovery of Go vulnerabilities, from static analysis to fuzzing to fault injection. We will learn about common vulnerabilities in Go and how to catch them, whether you are a security researcher or a Go developer. We will focus on:

  • Learning common bugs in Go applications
  • Learn the types of concurrency bugs that are common to Go
  • Discuss the state of tooling for catching and discovering Go bugs and the techniques that they rely on
  • Demonstrate Gotico, a tool currently in development for catching library-specific bugs

Alex is a lead security engineer at Trail of Bits. He has over 13 years of experience in the IT industry as a software developer, security engineer, and penetration tester. As a software developer, he has worked and architected mobile and web applications in various languages and frameworks, including .NET, Objective C, and Go. Alex specializes in Go security research and is actively developing static analysis tools for discovering Go vulnerabilities.

This speaker also appears in: