oss-sec mailing list archives
Re: Re: Fuzzing project brainstorming
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Thu, 20 Nov 2014 14:31:51 -0500
On 11/20/2014 02:23 PM, Hanno Böck wrote:
On Thu, 20 Nov 2014 08:52:15 -0800 "M.T. Roebuck" <marvint.roebuck () inbox lv> wrote:Maybe my problem is that your proposal seems herculean to me but can't help to think it's a reminder or sign that we need to think past the current state of things.Compared to "starting from scratch" starting such a fuzzing project is not herculean, it's more like grabbing the low hanging fruit. But arguments alike come up every now and then. Basically you'll hear two things: "We have to mitigate / sandbox" and "please rewrite everything in [insert favorite non-C programming language]". I don't want to downplay either of these approaches. It's just that you have to be realistic. Nobody will rewrite everything from scratch in rust/go/haskell/whatever any time soon. There are a few interesting projects that try to rewrite key sofware in safer languages (mitls and servo come to mind), but they are few and none of them is in a production state. Our systems we have today - the ones we use to have this discussion, manage our bank accounts and surf the web - have imperfect software written mostly in unsafe languages. I feel fuzzing can improve the state of things a lot.
I agree with this sentiment. I also think this is likely to be a herculean effort, and hopefully not quite a sisyphean one (the boulder should be able to move up the hill a little bit each time). I'm really happy that you're pushing on this, Hanno. even if the only thing that comes out of it is a classification of which projects/libraries insist on "trusted input" that would be a very useful outcome. --dkg
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Re: Fuzzing project brainstorming, (continued)
- Re: Fuzzing project brainstorming Hanno Böck (Nov 20)
- Re: Fuzzing project brainstorming Sven Kieske (Nov 20)
- Re: Fuzzing project brainstorming Amos Jeffries (Nov 20)
- Re: Fuzzing project brainstorming Gynvael Coldwind (Nov 20)
- Re: Fuzzing project brainstorming Michal Zalewski (Nov 20)
- Re: Fuzzing project brainstorming Alexander Cherepanov (Nov 20)
- Re: Fuzzing project brainstorming Gynvael Coldwind (Nov 20)
- Re: Fuzzing project brainstorming Hanno Böck (Nov 20)
- Re: Fuzzing project brainstorming Hanno Böck (Nov 20)
- Re: Re: Fuzzing project brainstorming Hanno Böck (Nov 20)
- Re: Re: Fuzzing project brainstorming Daniel Kahn Gillmor (Nov 20)
- Re: Fuzzing project brainstorming M.T. Roebuck (Nov 21)