Dailydave mailing list archives

Re: School project start: a fuzzer


From: Adrien Krunch Kunysz <adrien () kunysz be>
Date: Fri, 8 May 2009 19:42:55 +0100

On Fri, May 08, 2009 at 11:11:29AM +0200, Martin Zember wrote:
> We have a lot of time (9 months, 5 people, 1 day per week), but not more, so it
> is not a good ground for research. The project should be implemented,
> documented, finished, presented. The question is, how deep can we go (what to
> promise in the specification)? My guess is that detecting success during
> fuzzing only when application crashes is too lame. "Feedback fuzzing" is maybe
> too complicated. What is realistic?

If you don't have that much experience with managing software projects,
a "simple" fuzzer with all the required flexibility to make it adaptable
to real software seems like a good project that can keep five students
busy for 9*4 = 36 days. However I see this more like an interface design
challenge (how do you make it flexible enough to adapt to most targets
while keeping it easy enough to configure?) than a coding challenge.

> Even though it would be nice, we did not find a paid project, which is
> interesting enough. We are not obliged to do a fuzzer so other suggestions or
> warnings are welcome.

Somewhat related to security, back when I had to find a project for a
compiler course at the uni I had this idea to write a pf to iptables
converter. We went with another idea in the end but this may be
interesting to you if that's the sort of thing you are into. I think
this project can be especially interesting for a uni course considering
you can easily reduce/expand it by choosing to implement more or less
of the iptables/pf options/syntax.
