Fuzzing PostgreSQL | POSETTE: An Event for Postgres 2026
Skills:
Network Security70%
Key Takeaways
Introduces fuzzing as a technique for discovering edge-case bugs in PostgreSQL, applying it to the client library libpq
Original Description
Take a closer look at fuzzing in PostgreSQL. Adam Wolk (Microsoft) presents his talk “Fuzzing PostgreSQL” at POSETTE: An Event for Postgres 2026. Abstract: Fuzzing is a simple but powerful technique for discovering edge-case bugs in large, stateful systems like PostgreSQL.
This talk shows how to apply it to Postgres’ client library libpq which handles every network connection before the server sees a query.
We’ll walk through building minimal harnesses, generating and mutating protocol inputs, and reasoning about what makes fuzzing effective on complex C codebases.
The session is meant as a practical guide: how to start fuzzing a Postgres-related project, what challenges to expect, and what kind of issues you can realistically uncover along the way.
In this session you will learn:
* what fuzzing is and why it finds bugs other techniques miss
* which PostgreSQL surfaces make good fuzzing targets and why
* how to apply fuzzing to Postgres networking components (libpq)
If you’re a PostgreSQL developer, this talk will add another tool for improving the stability and security of the projects you build.
Adam Wolk is an openBSD developer interested in database engineering, distributed systems, information security & networking. Adam is an experienced team leader who has developed systems from the ground up from C on ARM devices, through back-end systems in Go, Python and Rails to web front ends in modern JavaScript frameworks - all continuously integrated, deployed and monitored. Currently, Adam is pushing at the edge of distributed SQL as a Principal Program Manager for Azure Database for PostgreSQL at Microsoft.
► Video chapters:
⏩ 0:00 Music & introduction
⏩ 0:47 Speaker intro: security and systems background
⏩ 1:39 What is fuzzing? From random to coverage feedback
⏩ 5:00 Toy C program: 6 branches to a hidden crash
⏩ 8:28 Fuzzers in action: AFL and Honggfuzz
⏩ 10:36 Pulling JPEGs out of thin air: fuzzers as learners
⏩ 11:56 Testing is polite, fuzzing is rude
⏩ 13
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
More on: Network Security
View skill →Related Reads
📰
📰
📰
📰
The Object in Your Field Is Not the Object You Wrote
Medium · Programming
I built an offline CLI that audits a legacy PHP app in one command — and shows you the fix
Dev.to · getobserver
Web Developer Travis McCracken on The Simplicity of Net/HTTP in Go
Dev.to · Travis McCracken Web Developer
Laravel Policies Explained: Protect Your Application the Right Way
Medium · Programming
🎓
Tutor Explanation
DeepCamp AI