Fuzzing PostgreSQL | POSETTE: An Event for Postgres 2026

Microsoft Developer · Beginner ·🔧 Backend Engineering ·3w ago

Key Takeaways

Introduces fuzzing as a technique for discovering edge-case bugs in PostgreSQL, applying it to the client library libpq

Original Description

Take a closer look at fuzzing in PostgreSQL. Adam Wolk (Microsoft) presents his talk “Fuzzing PostgreSQL” at POSETTE: An Event for Postgres 2026. Abstract: Fuzzing is a simple but powerful technique for discovering edge-case bugs in large, stateful systems like PostgreSQL. This talk shows how to apply it to Postgres’ client library libpq which handles every network connection before the server sees a query. We’ll walk through building minimal harnesses, generating and mutating protocol inputs, and reasoning about what makes fuzzing effective on complex C codebases. The session is meant as a practical guide: how to start fuzzing a Postgres-related project, what challenges to expect, and what kind of issues you can realistically uncover along the way. In this session you will learn: * what fuzzing is and why it finds bugs other techniques miss * which PostgreSQL surfaces make good fuzzing targets and why * how to apply fuzzing to Postgres networking components (libpq) If you’re a PostgreSQL developer, this talk will add another tool for improving the stability and security of the projects you build. Adam Wolk is an openBSD developer interested in database engineering, distributed systems, information security & networking. Adam is an experienced team leader who has developed systems from the ground up from C on ARM devices, through back-end systems in Go, Python and Rails to web front ends in modern JavaScript frameworks - all continuously integrated, deployed and monitored. Currently, Adam is pushing at the edge of distributed SQL as a Principal Program Manager for Azure Database for PostgreSQL at Microsoft. ► Video chapters: ⏩ 0:00 Music & introduction ⏩ 0:47 Speaker intro: security and systems background ⏩ 1:39 What is fuzzing? From random to coverage feedback ⏩ 5:00 Toy C program: 6 branches to a hidden crash ⏩ 8:28 Fuzzers in action: AFL and Honggfuzz ⏩ 10:36 Pulling JPEGs out of thin air: fuzzers as learners ⏩ 11:56 Testing is polite, fuzzing is rude ⏩ 13
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Related Reads

📰
The Object in Your Field Is Not the Object You Wrote
Understand how @Transactional works and why it may silently fail due to proxy classes, and learn how to troubleshoot and resolve these issues
Medium · Programming
📰
I built an offline CLI that audits a legacy PHP app in one command — and shows you the fix
Learn how to build an offline CLI tool to audit legacy PHP apps and get fixes with one command
Dev.to · getobserver
📰
Web Developer Travis McCracken on The Simplicity of Net/HTTP in Go
Learn how to leverage Net/HTTP in Go for simple backend development from web developer Travis McCracken
Dev.to · Travis McCracken Web Developer
📰
Laravel Policies Explained: Protect Your Application the Right Way
Learn how to protect your Laravel application with policies, controlling user actions and permissions
Medium · Programming
Up next
Indian Express Editorial Analysis by Chandan Sharma - 1 JULY 2026 | UPSC Current Affairs 2026
StudyIQ IAS
Watch →