Secure Coding mailing list archives
Re: Theoretical question about vulnerabilities
From: Crispin Cowan <crispin () immunix com>
Date: Tue, 12 Apr 2005 15:34:42 +0100
Nash wrote:
> It would be extremely interesting to know how many exploits could be expected after a reasonable period of execution time. It seems that as execution time went up we'd be less likely to have an exploit just "show up". My intuition could be completely wrong, though.

I would think that "time" is pretty much irrelevant, because it depends on the intelligence used to order the inputs you try. For instance, time-to-exploit will be very long if you feed inputs to (say) Microsoft IIS starting with one byte of input and going up in ASCII order. Time-to-exploit gets much shorter if you use a "fuzzer" program: an input generator that can be configured with the known semantic inputs of the victim program, and that focuses specifically on trying to find buffer overflows and printf format string errors by generating long strings and using strings containing %n.

Even among fuzzers, time-to-exploit depends on how intelligent the fuzzer is in terms of aiming at the victim program's data structures. There are many specialized fuzzers aimed at various kinds of applications, aimed at network stacks, aimed at IDS software, etc.

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com
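The point above, that "time-to-exploit" is a property of how inputs are ordered rather than of elapsed time, can be made concrete with a small harness. The following is an added example, not code from the thread or from Immunix: a constructed toy parser with a deliberate unchecked-length fault, fed first by a naive enumerator (every byte string in length-then-byte order, the "one byte of input going up in ASCII order" strategy) and then by a generator that knows the parser's one protocol key and mutates only the value with long runs and format-string specifiers. The parser, the `NAME=` key, the 64-byte field size and the budget figures are all constructed for the demonstration.

```python
"""Added example: compare how many attempts two input-ordering strategies need
to trip a constructed length fault. Not code from the original thread."""
import itertools

MAX_FIELD = 64  # constructed: size of the toy parser's fixed-width value field


def toy_parse(data: bytes) -> str:
    """Constructed target: parses 'NAME=VALUE' and copies VALUE into a fixed
    field without checking its length. In C this would be a buffer overflow;
    here the memory-safety violation is modelled by raising MemoryError.
    ValueError represents ordinary, benign rejection of malformed input."""
    if b"=" not in data:
        raise ValueError("malformed record")
    key, _, value = data.partition(b"=")
    if key != b"NAME":
        raise ValueError("unknown key")
    if len(value) > MAX_FIELD:
        raise MemoryError("value exceeds fixed field")  # the fault to find
    return value.decode("latin-1")


def is_crash(exc: BaseException) -> bool:
    """Only memory-safety-like faults count as findings; rejections do not."""
    return isinstance(exc, MemoryError)


def naive_inputs():
    """Every byte string of length 1, then 2, then 3, ... in byte order."""
    for n in itertools.count(1):
        for combo in itertools.product(range(256), repeat=n):
            yield bytes(combo)


def fuzzer_inputs(known_keys=(b"NAME",)):
    """Semantic generator: keeps the known key well-formed and varies only the
    value, using long strings and printf-style specifiers (the two classic
    fuzzer payload families named in the thread)."""
    payloads = [b"A" * n for n in (16, 64, 65, 128, 256, 1024, 4096)]
    payloads += [b"%n" * 8, b"%s" * 8, b"%x" * 16]
    for key in known_keys:
        for payload in payloads:
            yield key + b"=" + payload


def attempts_to_crash(generator, budget: int):
    """Feed inputs from `generator` to the target until a crash or `budget`
    inputs. Returns (attempts_used, crashing_input_or_None)."""
    for attempts, data in enumerate(itertools.islice(generator, budget), start=1):
        try:
            toy_parse(data)
        except Exception as exc:  # noqa: BLE001 - a harness must survive any error
            if is_crash(exc):
                return attempts, data
    return budget, None


if __name__ == "__main__":
    print("naive enumeration:", attempts_to_crash(naive_inputs(), 50_000))
    print("semantic fuzzer:  ", attempts_to_crash(fuzzer_inputs(), 100))
```

The naive enumerator exhausts its budget without ever producing a record that starts with the key, let alone one whose value is over 64 bytes, while the key-aware generator hits the fault on its third input. The same harness is what a defender would attach to a real parser in CI: a crash oracle (sanitizer abort, signal, or here `MemoryError`) plus generators that know the input grammar, because coverage of the interesting region of the input space, not wall-clock time, is what determines whether the fault surfaces before release.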