Fuzzing the PHP Interpreter via Dataflow Fusion
Yuancheng Jiang
34th USENIX Security Symposium (USENIX Security '25) · Day 3 · Software Security 3: Fuzzing
This talk, "Fuzzing the PHP Interpreter via Dataflow Fusion," presented by Yuancheng Jiang at USENIX Security, introduces a novel and highly effective fuzzing methodology designed to uncover deep-seated memory corruption vulnerabilities within the PHP interpreter. PHP powers over 70% of the world's websites and its interpreter comprises an extensive codebase of over a million lines of C, so it presents a significant attack surface. While much security research has historically focused on application-level vulnerabilities such as SQL injection, the low-level memory errors in the underlying C interpreter have often been overlooked, despite being a common cause of critical security flaws, as recent CVEs show.
AI review
Solid academic research with a genuinely clever core idea — dataflow fusion as a semantic diversity engine for interpreter fuzzing. 158 bugs, official PHP adoption, and a 20-year-old memory error unearthed are not numbers you manufacture. The methodology is novel enough to matter and transferable enough to be useful beyond PHP.