Re: Some Sums

["Dave Aitel" <dave.aitel () gmail com>]

s/CANVAS/SPIKE/g CANVAS is not a fuzzer. SPIKE is a fuzzer. When PROTOS
includes shellcode, you can compare PROTOS and CANVAS.

And the thing about fuzzers is that using them is often harder than writing
them. For example, a lot of programs will die when fuzzed too quickly. Or
they may have one thousand and one ways to trigger a null pointer exception
that you have to avoid. Or they may find many different bugs, each of which
has to be sorted through for exploitability. Maybe they find 5 different
exploitable bugs, but only one of them is reliably exploitable. In other
words, there's a lot of work that goes into turning a fuzzer+vuln proggie
into bugs you can sell. And, of course, there's no easy way to tell that one
fuzzer is any better than the other. 5000 crashes do not equal 1 good
remote. It's not a number game, or even a code coverage game.

For what it's worth, binary analysis, especially automated binary analysis,
suffers from many of the same flaws, and of course you can combine the two
techniques, and then you get to sort through even more unexploitable integer
overflows.

But that's ok, because every single bug is beautiful, right? Some of these
bug-buying programs are like affirmative action for vulnerabilities.

The original SPIKE release did include a GPG'd advisory, and all it did was
make everyone all paranoid. And, of course, I lost the key I used to encrypt
it, so now even I wish I knew what the bug was.

-dave




On 2/8/07, Ari Takanen <ari.takanen () codenomicon com> wrote:
> Hmmm, distantly related to this: Maybe us fuzzer developers should
> save hashes of some millions of attacks somewhere also, so that we can
> prove our tools were used to find the flaws in the first
> place... Looking at past iDefence disclosures for example, I am
> beginning to doubt that they reward for publishing flaws instead of
> finding flaws (this is like patent system in Europe which rewards
> first to file, not first to invent)... More and more flaws are found
> using tools, and pre-packaged attacks. If a flaw is found using a
> product like Codenomicon/PROTOS or CANVAS, I supposed the reward
> should also be paid to the tool developer and not the tool user. ;)
>
> Tongue-in-the-cheek-greetings,
>
> /Ari
>
> > Date: Wed, 7 Feb 2007 02:11:16 -0500 (EST)
> > From: "Steven M. Christey" <coley () mitre org>
> > Subject: Re: [Dailydave] Some Sums
> > To: dailydave () lists immunitysec com
> > Message-ID: <200702070711.l177BGJw026300 () faron mitre org>
> >
> >
> > >   I take it that's going to be the hash of some file or other data
> > >   you're > going to produce for someone at sometime in the future?
> > >   Couldn't you just > have used a ZK protocol and left us all out of
> > >   it? ;-) If you're going to use > our inboxes as substitutes for
> > >   escrow/notarisation centres, you could perhaps > tell us just a
> > >   little bit more about what you're doing!
> >
> > MD5/SHA-1 crackability issues aside*, the next question that
> > immediately comes to mind is why there isn't a central place for
> > researchers to do exactly this - make a claim about knowledge that's
> > provably fixed in a certain place and time.  Oh, wait, we're all
> > individuals and we don't need anybody else.  There's no need to
> > organize in any way, shape, or form.  After all, when Ilfak posted
> > that third-party patch, ABSOLUTELY EVERYBODY knew who he was and
> > immediately trusted him, so why not Halvar?  Sorry, I forgot about the
> > outside world for a second.
> >
> >
> > Snarkily and respectfully,
> > Steve
> >
> >
> > * crypto is my kryptonite, I defer to the geniuses.
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave