Dailydave mailing list archives

Re: Does Fuzzing really work?


From: "Disco Jonny" <discojonny () gmail com>
Date: Tue, 26 Sep 2006 23:19:50 +0100

Hi,

It would have been nice if you could have pointed out that your email
was a thinly veiled sales pitch.

On 25/09/06, Aviram Jenik <aviram () beyondsecurity com> wrote:
> There's a lot of talk lately on whether fuzzing can actually be used to find
> vulnerabilities - and more importantly, reliably rule out the existence of
> unknown vulnerabilities.

For a person not working with/for the development team of a product,
it is irrelevant if the bugs are known and not fixed or if they are
unknown.  The game is still on.  And there hasn't really been that much
talk, has there? Fuzzing will _always_ find bugs, just maybe not what
you want, when you want. And by fuzzing I mean structured testing
using random base inputs (not blindly throwing random shit at a
program; that game is for fools and children).


> Since most of this talk revolves around Dave's note "There are no new
> MSRPC bugs. You should give up looking for them" I thought this was the right
> forum to answer this question.

Only an idiot would claim that there are no bugs in a product.
Testing only proves the presence of bugs, not their absence. I think
he meant that his tool would not find any new bugs.

Has your tool found some? Or are you just trying to get more 'air
time' and a bit of controversy?

> only 4 hours to fully test the protocol.

I had a look at the website and all I really saw was 'propaganda' as
opposed to technical information as to how you are generating your
testcases; could you provide some more information on this?  This is
the real point, isn't it?  It seems from your email that you are saying
that you have found some algorithms that can reduce the entire testing
space of an application (an FTP server's response to data passed via the
protocol in this case) to four weeks.  I don't suppose you would mind
using them to add a few more digits to Omega?


> My point is to those people who mock fuzzers - you either tried the wrong
> kind, or you tried them a long time ago.

I disagree.  I think, though, the issue is that the people developing
and using them don't really know/understand the testing methodology.
Unless you calculate the exact and complete test surface and attempt
to test that, you are screwed.

> I'm not saying that buffer overflows
> are suddenly obsolete (don't delete that ZERT bookmark just yet!). But
> nowadays there is no reason for an FTP server to come out with buffer
> overflows; there's just no excuse.

Just buffer overflows? Not heap overflows too? What about sequencing
bugs? What about all the other non-design-related security issues? I
mean that is just 1 type of bug! Huzzah! t3h w0r1D 15 54fz0rz... heh,
please tell me this is about more than just yer common or garden stack
based buffer overflow... and no, I am not going to download your magic
tool, thanks for the offer though.

Anyway, I'm bored of this now.

Is there any chance you will discuss the research that went into this?
Or is it just marketing?

Cheers,

dj.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
