Dailydave mailing list archives
Re: Does Fuzzing really work?
From: "Disco Jonny" <discojonny () gmail com>
Date: Tue, 26 Sep 2006 23:19:50 +0100
Hi,

It would have been nice if you could have pointed out that your email was a thinly veiled sales pitch.

On 25/09/06, Aviram Jenik <aviram () beyondsecurity com> wrote:
> There's a lot of talk lately on whether fuzzing can actually be used to find vulnerabilities - and more importantly, reliably rule out the existence of unknown vulnerabilities.

For a person not working with/for the development team of a product, it is irrelevant if the bugs are known and not fixed or if they are unknown. The game is still on. And there hasn't really been that much talk, has there? Fuzzing will _always_ find bugs, just maybe not what you want, when you want. And by fuzzing I mean structured testing using random base inputs (not blindly throwing random shit at a program, that game is for fools and children).

> Since most of this talk revolves around Dave's note "There are no new MSRPC bugs. You should give up looking for them" I thought this was the right forum to answer this question.

Only an idiot would claim that there are no bugs in a product. Testing only proves the presence of bugs, not their absence. I think he meant that his tool would not find any new bugs. Has your tool found some? Or are you just trying to get more 'air time' and a bit of controversy?

> only 4 hours to fully test the protocol.

I had a look at the website and all I really saw was 'propaganda' as opposed to technical information as to how you are generating your test cases. Could you provide some more information on this? This is the real point, isn't it? It seems from your email that you are saying that you have found some algorithms that can reduce the entire testing space of an application (FTP server's response to data passed via the protocol in this case) to four weeks. I don't suppose you would mind using them to add a few more digits to Omega?

> My point is to those people who mock fuzzers - you either tried the wrong kind, or you tried them a long time ago.

I disagree. I think the issue is that the people developing and using them don't really know/understand the testing methodology. Unless you calculate the exact and complete test surface and attempt to test that, you are screwed.

> I'm not saying that buffer overflows are suddenly obsolete (don't delete that ZERT bookmark just yet!). But nowadays there is no reason for an FTP server to come out with buffer overflows; there's just no excuse.

Just buffer overflows? Not heap overflows too? What about sequencing bugs? What about all the other non-design-related security issues? I mean that is just 1 type of bug! huzzah! t3h w0r1D 15 54fz0rz... heh, please tell me this is about more than just yer common or garden stack-based buffer overflow... and no, I am not going to download your magic tool, thanks for the offer though.

Anyway, I'm bored of this now. Is there any chance you will discuss the research that went into this? Or is it just marketing?

Cheers,
dj.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
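The distinction drawn in the message above, between "structured testing using random base inputs" and "blindly throwing random shit at a program", and the remark that sequencing bugs matter as much as overflows, can be shown in a small harness. The following is an added example written for this archive page; it is not code from the thread, from Beyond Security, or from any real FTP server. The server is a constructed toy dispatcher with two defects planted on purpose (an unchecked field count in PORT, and a PASV handler that wrongly marks the session as logged in); the command grammar, the oracles and the seed values are all assumptions made for the demo. The point it demonstrates is methodological: a generator that knows the command shape reaches the dispatcher and both oracles fire, while raw random bytes never get past the syntax check, so they cannot say anything about what lies behind it.

```python
import random

# Constructed toy protocol: a handful of FTP-like verbs (assumed, not a real server).
VERBS = [b"USER", b"PASS", b"PORT", b"PASV", b"LIST", b"RETR", b"STOR", b"NOOP", b"QUIT"]
DATA_VERBS = {b"LIST", b"RETR", b"STOR"}


class ToyFtpServer:
    """Stand-in for a server's command dispatcher. Two defects are planted on
    purpose for the demo (they are not taken from any real implementation):
      * PORT never checks that it received six comma-separated fields, so a
        short argument raises IndexError (the 'crash' class of bug).
      * PASV wrongly marks the session as logged in, so a data command can be
        accepted after PASV without any successful PASS (a sequencing bug)."""

    def __init__(self):
        self.user = None
        self.logged_in = False

    def handle(self, line):
        if not line.endswith(b"\r\n"):
            return b"500 Syntax error"
        verb, _, arg = line[:-2].partition(b" ")
        verb = verb.upper()
        if verb not in VERBS:
            return b"500 Unknown command"
        if verb == b"USER":
            self.user, self.logged_in = arg, False
            return b"331 Need password"
        if verb == b"PASS":
            if self.user is None:
                return b"503 Send USER first"
            self.logged_in = True
            return b"230 Logged in"
        if verb == b"PORT":
            f = arg.split(b",")
            port = int(f[4]) * 256 + int(f[5])      # planted defect: no field-count check
            return b"200 PORT ok, port %d" % port
        if verb == b"PASV":
            self.logged_in = True                    # planted sequencing defect
            return b"227 Entering passive mode"
        if verb in DATA_VERBS:
            return b"150 Opening data connection" if self.logged_in else b"530 Not logged in"
        return b"200 OK"


def gen_line(rng):
    """Grammar-driven generator: a known verb plus an argument shaped for that
    verb, with the argument's field count perturbed around the valid form."""
    verb = rng.choice(VERBS)
    if verb in (b"USER", b"PASS"):
        arg = bytes(rng.choice(b"abcxyz") for _ in range(rng.randint(0, 8)))
    elif verb == b"PORT":
        n = rng.choice([6, 6, 6, 0, 5, 7])           # mostly valid, sometimes off-by-one
        arg = b",".join(b"%d" % rng.randint(0, 255) for _ in range(n))
    elif verb in DATA_VERBS:
        arg = rng.choice([b"file.txt", b"", b"/"])
    else:
        arg = b""
    return verb + (b" " + arg if arg else b"") + b"\r\n"


def fuzz_structured(seed=1, sessions=200, max_cmds=6):
    """Drive generated command *sequences* and check two oracles: an unexpected
    exception, and a data command accepted while our own model of the protocol
    says the session is not authenticated. Returns (kind, detail, sequence) tuples."""
    rng = random.Random(seed)
    findings = []
    for _ in range(sessions):
        srv, seq, authenticated = ToyFtpServer(), [], False
        for _ in range(rng.randint(1, max_cmds)):
            line = gen_line(rng)
            seq.append(line)
            verb = line.split(b" ", 1)[0].rstrip(b"\r\n")
            try:
                resp = srv.handle(line)
            except Exception as exc:                 # crash oracle
                findings.append(("crash", type(exc).__name__, seq[:]))
                break
            if verb == b"USER":                      # our model of the real protocol state
                authenticated = False
            elif resp.startswith(b"230"):
                authenticated = True
            if verb in DATA_VERBS and resp.startswith(b"150") and not authenticated:
                findings.append(("auth-bypass", resp.decode(), seq[:]))   # sequencing oracle
                break
    return findings


def fuzz_blind(seed=1, lines=2000):
    """Raw random bytes: they essentially never end in CRLF *and* spell a verb,
    so every line is rejected before any interesting code path runs."""
    rng = random.Random(seed)
    srv, reached_dispatch, crashes = ToyFtpServer(), 0, 0
    for _ in range(lines):
        line = bytes(rng.randrange(256) for _ in range(rng.randint(1, 16)))
        try:
            if not srv.handle(line).startswith(b"500"):
                reached_dispatch += 1
        except Exception:
            crashes += 1
    return {"reached_dispatch": reached_dispatch, "crashes": crashes}


if __name__ == "__main__":
    found = fuzz_structured()
    print("structured:", sorted({f[0] for f in found}), len(found), "findings")
    print("blind:", fuzz_blind())
```

The sequencing oracle is the part worth copying: it keeps an independent model of what the protocol *should* allow and flags any response that contradicts it, which is how a fuzzer catches a logic bug that never crashes anything. Without that model, the PASV defect would produce perfectly normal-looking `150` responses and go unnoticed.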