Dailydave mailing list archives
Re: [fuzzing] Coverage and a recent paper by L. Suto
From: JFV <jv274 () cl cam ac uk>
Date: Thu, 18 Oct 2007 16:07:42 +0200
matthew wollenweber wrote:
> The main downside is that I don't know why it is that finding bugs should depend linearly on anything. Is it really true that if run A explores 10 more blocks than run B then run A has a .10 better chance of finding a bug in the program?
What about a fuzzer that covers the whole program's paths without covering the whole program's cycles? You could cover 100% of the non-cycling paths but find 0 bugs, because all bugs occur when cycling more than what the fuzzer has imposed.

Also, not only control-flow coverage has to be realized, but also coverage of the variables' values. You might wish to cover it completely; in that case fuzzing is a very bad choice: ready to execute the program at worst 2**64 times for fuzzing a double?

A better choice is certainly static analysis by abstract interpretation: approximating the verification using conservative analysis (analyzing a superset of program behaviors represented by a smaller "abstract" domain). This approach is fast, sound (will never miss any bug) but might lead to false positives (a consequence of the incompleteness theorem), which can usually be eliminated using refinement or partitioning.

A very good project based on abstract interpretation is ASTREE: www.astree.ens.fr (by P. Cousot et al.). Unfortunately, it's not in the public domain and it works only with a subset of the C language (afaik: without recursive functions or dynamic memory allocation).

Other very interesting projects for checking real-life code are:
SLAM: http://research.microsoft.com/slam/
BLAST: http://mtc.epfl.ch/software-tools/blast/

IMHO, these projects provide a much better base than any other analyzers for finding serious bugs. Fuzzers might run forever without finding anything, but yeah, it's easier to code.

Does anyone have experience with binary-level static analyzers or model checkers?

-JFV

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
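The two points JFV makes above (a bug that only shows up after the loop has cycled more times than the fuzzer allows, and a sound over-approximation that reports a false positive) can be made concrete with a toy. The following is an added example, not code from the post or from any of the tools it names: a tiny interval-domain abstract interpreter with widening, beside a bounded concrete executor standing in for the fuzzer, run on two constructed programs in a made-up mini IR. The IR, the programs, the buffer sizes and the cycle bound are all assumptions made for the illustration.

```python
"""
Added example (not from the original post): a toy interval-domain abstract
interpreter beside a bounded "fuzzer", run on two constructed programs, to
show (1) a bug that only appears after more loop cycles than the fuzzer
allows and (2) a false positive that the sound over-approximation reports.
The mini IR, the programs, the bounds and the buffer sizes are all constructed.
"""
INF = float("inf")

# Mini IR. Expressions: ('const', c) | ('var', v) | ('add'|'sub', e1, e2).
# Statements: ('set', v, e) | ('while', ('lt', v, e), body) | ('index', v, length)
# 'index' models buf[v] on a buffer of that length: a bug iff v is outside [0, length).

def eval_conc(e, env):
    if e[0] == 'const': return e[1]
    if e[0] == 'var': return env[e[1]]
    a, b = eval_conc(e[1], env), eval_conc(e[2], env)
    return a + b if e[0] == 'add' else a - b

def eval_abs(e, env):
    """Interval evaluation; env maps each variable to (lo, hi)."""
    if e[0] == 'const': return (e[1], e[1])
    if e[0] == 'var': return env[e[1]]
    (alo, ahi), (blo, bhi) = eval_abs(e[1], env), eval_abs(e[2], env)
    return (alo + blo, ahi + bhi) if e[0] == 'add' else (alo - bhi, ahi - blo)

class CycleBound(Exception):
    """Raised when a concrete run cycles a loop more often than the fuzzer allows."""

def run_conc(prog, env, max_cycles):
    env, findings = dict(env), []
    for st in prog:
        if st[0] == 'set':
            env[st[1]] = eval_conc(st[2], env)
        elif st[0] == 'index':
            if not 0 <= env[st[1]] < st[2]:
                findings.append("%s=%d outside [0,%d)" % (st[1], env[st[1]], st[2]))
        else:
            _, (_, var, bound), body = st
            cycles = 0
            while env[var] < eval_conc(bound, env):
                cycles += 1
                if cycles > max_cycles:      # the fuzzer's imposed cycle limit
                    raise CycleBound()
                env, f = run_conc(body, env, max_cycles)
                findings += f
    return env, findings

def bounded_fuzz(prog, init, inputs, max_cycles):
    """Concretely run prog for every input n; runs exceeding the cycle bound are dropped."""
    findings, aborted = set(), 0
    for n in inputs:
        try:
            findings.update(run_conc(prog, dict(init, n=n), max_cycles)[1])
        except CycleBound:
            aborted += 1
    return sorted(findings), aborted

# --- interval-domain abstract interpreter ---------------------------------
def join(a, b):
    return {v: (min(a[v][0], b[v][0]), max(a[v][1], b[v][1])) for v in a}

def widen(old, new):
    """Interval widening: a bound that grew jumps to infinity so loops converge."""
    return {v: (old[v][0] if new[v][0] >= old[v][0] else -INF,
                old[v][1] if new[v][1] <= old[v][1] else INF) for v in old}

def filter_lt(env, var, bound, holds):
    """Refine var by the loop test var < bound (entering if holds, exiting otherwise)."""
    lo, hi = env[var]
    blo, bhi = eval_abs(bound, env)
    return dict(env, **{var: (lo, min(hi, bhi - 1)) if holds else (max(lo, blo), hi)})

def run_abs(prog, env, findings):
    for st in prog:
        if st[0] == 'set':
            env = dict(env, **{st[1]: eval_abs(st[2], env)})
        elif st[0] == 'index':
            lo, hi = env[st[1]]
            if lo < 0 or hi >= st[2]:
                findings.add("%s in [%s,%s] may be outside [0,%d)" % (st[1], lo, hi, st[2]))
        else:
            _, (_, var, bound), body = st
            head = env
            while True:  # iterate to a post-fixpoint of the loop head
                out = run_abs(body, filter_lt(head, var, bound, True), findings)
                new_head = widen(head, join(head, out))
                if new_head == head:
                    break
                head = new_head
            env = filter_lt(head, var, bound, False)
    return env

def analyze(prog, init_abs):
    """Sound analysis: every real out-of-bounds index is reported, possibly with false positives."""
    findings = set()
    run_abs(prog, init_abs, findings)
    return sorted(findings)

# Constructed program A: sum grows by 3 per cycle; buf[sum] with length 64 overflows once n >= 22.
PROG_A = [('set', 'i', ('const', 0)), ('set', 'sum', ('const', 0)),
          ('while', ('lt', 'i', ('var', 'n')),
           [('set', 'sum', ('add', ('var', 'sum'), ('const', 3))),
            ('set', 'i', ('add', ('var', 'i'), ('const', 1)))]),
          ('index', 'sum', 64)]
INIT_A, ABS_A = {'i': 0, 'sum': 0}, {'n': (0, 100), 'i': (0, 0), 'sum': (0, 0)}

# Constructed program B: z = n - n is always 0, so buf[z] is safe; intervals forget that y == n.
PROG_B = [('set', 'y', ('var', 'n')), ('set', 'z', ('sub', ('var', 'n'), ('var', 'y'))),
          ('index', 'z', 1)]
INIT_B, ABS_B = {'y': 0, 'z': 0}, {'n': (0, 100), 'y': (0, 0), 'z': (0, 0)}

if __name__ == "__main__":
    print(bounded_fuzz(PROG_A, INIT_A, range(101), 20))   # bug needs > 20 cycles: nothing found
    print(bounded_fuzz(PROG_A, INIT_A, range(101), 100))  # raising the bound finds it
    print(analyze(PROG_A, ABS_A))                          # reported without enumerating n
    print(bounded_fuzz(PROG_B, INIT_B, range(101), 100))  # no real bug
    print(analyze(PROG_B, ABS_B))                          # false positive: z in [-100,100]
```

With the cycle bound at 20 every input above n = 20 is discarded, so program A's overflow at n >= 22 is never seen even though every non-cycling path has been covered; the interval analysis reaches `sum in [0, inf]` after one widening step and flags the index without enumerating any input. Program B is the flip side: the non-relational interval domain cannot record that `y == n`, so `n - y` becomes `[-100, 100]` and the analysis reports a bug that concrete execution over the whole input range never produces. A relational domain (octagons, polyhedra) or partitioning on `n`, the refinements the post mentions, would discharge that false positive.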
Current thread:
- Coverage and a recent paper by L. Suto Dave Aitel (Oct 15)
- Re: Coverage and a recent paper by L. Suto matthew wollenweber (Oct 15)
- Re: Coverage and a recent paper by L. Suto Stephen John Smoogen (Oct 16)
- Re: Coverage and a recent paper by L. Suto Charles Miller (Oct 16)
- Re: [fuzzing] Coverage and a recent paper by L. Suto matthew wollenweber (Oct 17)
- Re: [fuzzing] Coverage and a recent paper by L. Suto JFV (Oct 18)
- Re: [fuzzing] Coverage and a recent paper by L. Suto Nicolas RUFF (Oct 25)
- Re: [fuzzing] Coverage and a recent paper by L. Suto Alexander Sotirov (Oct 26)
- Re: [fuzzing] Coverage and a recent paper by L. Suto Lance M. Havok (Oct 26)
- Re: [fuzzing] Coverage and a recent paper by L. Suto Nicolas RUFF (Oct 27)
- Re: [fuzzing] Coverage and a recent paper by L. Suto Lance M. Havok (Oct 27)
- Re: [fuzzing] Coverage and a recent paper by L. Suto Alexander Sotirov (Oct 28)
- Re: [fuzzing] Coverage and a recent paper by L. Suto Andre Gironda (Oct 29)
- Re: [fuzzing] Coverage and a recent paper by L. Suto J.M. Seitz (Oct 29)
- Re: Coverage and a recent paper by L. Suto matthew wollenweber (Oct 15)
- Re: Coverage and a recent paper by L. Suto J.M. Seitz (Oct 29)