Dailydave mailing list archives

Book Review: Fuzzing Against the Machine (Antonio Nappa, Eduardo Blazquez)

From: Dave Aitel via Dailydave <dailydave () lists aitelfoundation org>
Date: Wed, 23 Aug 2023 16:07:49 -0400

https://www.packtpub.com/product/fuzzing-against-the-machine/9781804614976

The authors claim in their conclusion: "We want to stress the importance of
books as journeys to explore and experience topics from the unique
viewpoint of the authors."

And in this they succeeded. This book works best as a proposed curriculum
for a five-day workshop for experts to reproduce fuzzing frameworks that
target embedded platforms - including Android and iOS. Largely this is done
by figuring out how to get various emulation frameworks (QEMU in
particular) to carry the weight of virtualizing a platform, getting
snapshots out of it, and pushing data into it.

Fuzzing is a childishly easy concept that is composed of devilishly hard
problems in practice (7 and 8 being the ones this book covers in depth -
the fuzzers themselves are simplistic other than those topics):

   1. Managing scale
   2. Getting decent per-iteration performance
   3. Triaging crashes
   4. Building useful harnesses
   5. Knowing when you have fuzzed enough, vs. being in a local minimum
   6. Figuring out root causes
   7. *Getting your fuzzer to properly instrument your target so you can
   have coverage-guided fuzzing*
   8. *Handling weird architectures*
   9. Generating useful starting points for your fuzzer (or input grammars)

All of these things are basically impossible in the real world. Your
typical experience with a new fuzzing framework is that you install it on a
fresh Linux, pick a target, and then watch as it fails to instrument or
even run.

In other words, just knowing which fuzzer versions to use, and on what, is
valuable information.

When I read a book on security, a good one, I want it to feel like I'm
putting on a brand new powersuit, ready to march into the wilderness with a
flamethrower and a mindset of extreme violence. This book delivers that
feeling. Because while my current business practices have nothing to do
with fuzzing the Shannon baseband, that doesn't mean some small part of me
doesn't want to. We all have the dark urge. We crave SIGSEGV in things
people rely on.

So in summary: 10/10, great book. Would recommend buying 10, setting up a
class, and going over it all together. Of course, this field is RAPIDLY
EVOLVING and you're going to want to get it updated, perhaps with the fancy
new PCODE fuzzer Airbus released earlier today
(https://github.com/airbus-cyber/ghidralligator).

-dave