Dailydave mailing list archives

Re: Does Fuzzing really work?


From: Martin Vuagnoux <dailydave () vuagnoux com>
Date: Thu, 28 Sep 2006 13:48:54 +0200

ergosum wrote:
On Wednesday 27 September 2006 17:45, Ian Melven wrote:
 
There's a lot of links to fuzzing papers, tools, and articles here.

http://www.threatmind.net/secwiki/FuzzingTools

    

Nice resource.
There is another tool and another paper at
http://autodafe.sourceforge.net (auto-ads :-)). Version 0.2 is
imminent, with automatic detection of format string and heap overflow
under Linux. We are working on a Windows version of the tracer based on
PaiMei...

And for Jared, who loves Macromedia Flash presentations, :-) there are the
slides too.

Although Autodafe needs to know the protocol, it uses dissectors from
Wireshark/Ethereal to convert it automatically, a lot of time saved...
There is an old but efficient project called "Security Bug Catcher" which
is based on the state of a program. An implementation for FTP has been
developed (check:
http://lasecwww.epfl.ch/~oechslin/projects/bugcatcher/). It has been
created under the supervision of Philippe Oechslin (yes, the rainbow
tables).


Regards, Martin