Knocking at the Door: Fuzzing libpq and PgBouncer
Fuzzing is a simple but powerful technique for discovering edge-case bugs in large, stateful systems like PostgreSQL.
This talk shows how to apply it to Postgres’ client library, libpq, and the commonly used connection pooler PgBouncer. Both handle every network connection before the server sees a query.
We’ll walk through building minimal harnesses, generating and mutating protocol inputs, and reasoning about what makes fuzzing effective on complex C codebases.
The session is meant as a practical guide: how to start fuzzing a Postgres-related project, what challenges to expect, and what kind of issues you can realistically uncover along the way.
In this session you will learn:
- what fuzzing is and why it finds bugs other techniques miss
- which PostgreSQL surfaces make good fuzzing targets and why
- how to apply fuzzing to Postgres networking components (libpq, PgBouncer)
If you’re a PostgreSQL developer, this talk will add another tool for improving the stability and security of the projects you build.