Vulnerability Development mailing list archives

Re: Techniques for Vulnerability discovery


From: Josha Bronson <dmuz () slartibartfast angrypacket com>
Date: Fri, 5 Apr 2002 09:54:31 -0800

On Fri, Apr 05, 2002 at 09:04:33AM +0800, kaipower said:
> Hi,


Hey! I'm no "expert" but I'll try to add a little...

> How do experts discover vulnerabilities in a system/software?


This of course depends on what it is that you are auditing, meaning: is
the software open source, a binary, a local app or a network daemon? There
are different approaches to all of them. Each audit of a given piece of
software has to take into account what the software is designed to do and
the valid channels of input into the program. This is the starting place
for any audit.

> Do people just run scripts to brute force to find vulnerabilities? (as in
> the case of Buffer overflows)

Absolutely. Local binaries can be tested using any number of "fuzz"
testers. Google can tell you all about these fuzz testers.

> Anybody out there care to give a methodology/strategy in finding
> vulnerabilities?

I'll just list a few that I am familiar with.

1.) source code audit - obviously only applicable when source is
available. Visual inspection of the source code looking for places where
one might be able to take control of or crash the application.

2.) previously discovered techniques - look at problems that have
occurred in similar applications. It's very likely that these same
problems may occur in other applications as well.

3.) perl -e 'print "A"x1000' | foo :)

I'm sure there are many more people on the list who can fill in much
more.
-- 
Josha Bronson
dmuz () angrypacket com
AngryPacket Security
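The third item in Josha's list, the `perl -e 'print "A"x1000' | foo` one-liner, is the smallest possible fuzz test. The script below is an added example (not from the post or from AngryPacket) that generalizes it: it feeds a program inputs of doubling length on stdin and reports the first length at which the process dies from a signal, which is the usual symptom of an unchecked fixed-size buffer that a source audit would also look for. Because it has to run offline, the target it tests by default (`FAKE_TARGET`) is a constructed Python stand-in that kills itself with SIGSEGV once the input exceeds 256 bytes; against a real program you would pass the command on the argv line instead. The harness only reports crash length and signal name; what to do with that finding is the audit's job.

```python
"""Length-ramp fuzz harness (added example, not from the mailing-list post).

Generalizes `perl -e 'print "A"x1000' | foo`: run the target with inputs of
increasing length on stdin and stop at the first one that kills it with a
signal (SIGSEGV, SIGABRT, ...) or hangs it. Assumes a POSIX host, where a
negative subprocess return code means "terminated by that signal".
"""
import signal
import subprocess
import sys
from typing import Optional, Sequence, Tuple

# Constructed stand-in target: acts like a program with a 256-byte input
# buffer and raises SIGSEGV on itself when the input is longer. It exists
# only so the harness can run offline; a real audit points at the binary.
FAKE_TARGET = [
    sys.executable, "-c",
    "import os, signal, sys\n"
    "data = sys.stdin.buffer.read()\n"
    "if len(data) > 256:\n"
    "    os.kill(os.getpid(), signal.SIGSEGV)\n"
    "sys.exit(0)\n",
]


def run_once(cmd: Sequence[str], payload: bytes, timeout: float = 5.0) -> Optional[str]:
    """Run cmd with payload on stdin.

    Returns the name of the signal that killed the process, "TIMEOUT" if it
    hung past the deadline, or None if it exited normally.
    """
    try:
        proc = subprocess.run(list(cmd), input=payload,
                              capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "TIMEOUT"  # a hang on oversized input is also an audit finding
    if proc.returncode < 0:  # POSIX: killed by signal -returncode
        return signal.Signals(-proc.returncode).name
    return None


def length_ramp(cmd: Sequence[str], start: int = 16, limit: int = 4096,
                fill: bytes = b"A") -> Optional[Tuple[int, str]]:
    """Double the input length from start to limit.

    Returns (length, signal_name) for the first crashing input, or None if
    the target survived every length up to the limit.
    """
    n = start
    while n <= limit:
        verdict = run_once(cmd, fill * n)
        if verdict is not None:
            return n, verdict
        n *= 2
    return None


if __name__ == "__main__":
    # Usage: python harness.py ./foo [args...]   (defaults to FAKE_TARGET)
    target = sys.argv[1:] or FAKE_TARGET
    result = length_ramp(target)
    if result is None:
        print("no crash up to the length limit")
    else:
        print(f"crash at {result[0]} bytes: {result[1]}")
```

The ramp doubles rather than stepping by one so that a few runs bracket the failing length; once the harness reports a crash, narrowing the exact boundary and then reading the source around the input path (item 1 in the list) is where the real work starts.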
