Dailydave mailing list archives

Re: Commercial Fuzzers


From: Matt Hargett <matt () use net>
Date: Wed, 15 Feb 2006 10:35:59 +0000

Dave Aitel wrote:

> RaMatkal wrote:
>
>> Just wondering if anyone on this list has had any experience with a
>> commercial fuzzer such as beStorm
>> (http://www.beyondsecurity.com/BeStorm_Info.htm) and how it/they
>> compare to open source equivalents such as SPIKE....

> I think we all over the last week have gotten a bit of experience with
> the ProtoVer fuzzer, which is probably a lot cheaper than the
> commercial Protos, but clearly produces results. :> I like how there's
> at least one mailing list left that allows a flood of 0day...

I keep hearing great things about Codenomicon for SIP and IKE testing. I also consistently hear that they are gouging their customers price-wise and that the quality of their UI keeps getting worse with each release. That being said, it seems to be the tool of choice for making Cisco, Juniper, NetGear, and other equipment completely shit the bed.

In my talk at the Software Security Summit I recommended people use a protocol-specific fuzzer rather than a generic fuzzer. It is just too much work to get decent code coverage in a generic fuzzer. That being said, any fuzzer for a given protocol should get at least 70% code coverage in an open source implementation of said protocol.

Fuzzing a whopping 20% of the FreeSWAN code isn't worth a dime, so ask whatever vendors you speak to for code coverage numbers.
