Dailydave mailing list archives

Re: [fuzzing] Coverage and a recent paper by L. Suto


From: JFV <jv274 () cl cam ac uk>
Date: Thu, 18 Oct 2007 16:07:42 +0200

matthew wollenweber wrote:

    The main downside is that I don't know why it is that finding bugs
    should depend linearly on anything. Is it really true that if run A
    explores 10 more blocks than run B, then run A has a .10 better
    chance of finding a bug in the program?


What about a fuzzer that covers all of the program's paths without
covering all of the program's cycles? You could cover 100% of the
non-cycling paths but find 0 bugs, because all bugs occur when cycling
more times than what the fuzzer has imposed.

Also, not only control-flow coverage has to be achieved, but also
coverage of the variables' values. You might wish to cover it completely;
in that case fuzzing is a very bad choice: are you ready to execute the
program up to 2**64 times to fuzz a double?

A better choice is certainly static analysis by abstract interpretation:
approximating the verification using conservative analysis (analyzing
a superset of program behaviors represented by a smaller "abstract"
domain). This approach is fast and sound (it will never miss any bug) but
might lead to false positives (a consequence of the incompleteness
theorem), which can usually be eliminated using refinement or partitioning.

A very good project based on abstract interpretation is ASTREE:

www.astree.ens.fr (by P.Cousot & al)

Unfortunately, it's not in the public domain and it works only with
a subset of the C language (afaik: without recursive functions
or dynamic memory allocation).

Other very interesting projects for checking real life code are:

SLAM: http://research.microsoft.com/slam/
BLAST: http://mtc.epfl.ch/software-tools/blast/

IMHO, these projects provide a much better base than any other
analyzers for finding serious bugs. Fuzzers might run forever
without finding anything, but yeah, it's easier to code.

Does anyone of you have experience with binary-level static analyzers
or model checkers?

-JFV
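The two points above (full block coverage can coexist with zero bugs found when the bug depends on how many times a loop cycles, and a conservative interval analysis flags the same defect without executing anything) are illustrated by the following added example. It is not code from the original post or from any of the projects named in it; the target parser, the toy fuzzer, the block labels and the interval check are all constructed for this illustration. The "memory corruption" is modelled as a Python IndexError on a fixed-size list, standing in for a write past the end of a C stack buffer.

```python
"""Added example: 100% block coverage with a loop-count-dependent bug unfound,
versus a conservative interval check that reports it without running the code.
All names, bounds and inputs here are constructed for the illustration."""
import random

BUF_SIZE = 16           # constructed: the scratch buffer holds 16 fields
FIELD_SEP = b","

# Block labels of the constructed target; block coverage = hit / len(BLOCKS).
BLOCKS = ("entry", "empty", "loop_body", "return")


def parse_fields(data: bytes, coverage: set) -> int:
    """Constructed target: copies comma-separated fields into a fixed-size
    buffer. The loop is bounded by the number of fields in the input, not by
    BUF_SIZE, so any input with more than BUF_SIZE fields indexes past the
    buffer (IndexError here; an out-of-bounds write in C)."""
    coverage.add("entry")
    if not data:
        coverage.add("empty")
        return 0
    buf = [None] * BUF_SIZE
    i = 0
    for field in data.split(FIELD_SEP):
        coverage.add("loop_body")
        buf[i] = field          # defect: no check that i < BUF_SIZE
        i += 1
    coverage.add("return")
    return i


def fuzz(max_fields: int, iterations: int, seed: int = 1):
    """Constructed random fuzzer. max_fields caps how many fields the
    generator emits, i.e. how many loop iterations the fuzzer can force.
    Returns (block coverage fraction, number of bug-triggering inputs)."""
    rng = random.Random(seed)
    coverage, bugs = set(), 0
    for _ in range(iterations):
        n = rng.randint(0, max_fields)
        data = FIELD_SEP.join(b"A" * rng.randint(1, 3) for _ in range(n))
        try:
            parse_fields(data, coverage)
        except IndexError:
            bugs += 1
    return len(coverage) / len(BLOCKS), bugs


def interval_check(input_field_bound: int) -> bool:
    """Constructed stand-in for an abstract interpretation over the interval
    domain. It never executes the target: the loop counter i, when used as an
    index, ranges over [0, input_field_bound - 1]; the valid index range is
    [0, BUF_SIZE - 1]. Sound within the modelled bound (no out-of-bounds index
    is missed); imprecise if inputs that long can never reach this code, in
    which case the alarm is a false positive."""
    index_hi = input_field_bound - 1
    return index_hi >= BUF_SIZE     # True means "possible out-of-bounds write"


if __name__ == "__main__":
    # Fuzzer capped below BUF_SIZE: every block is hit, the bug is never seen.
    cov, bugs = fuzz(max_fields=8, iterations=200)
    print(f"fuzzer capped at 8 fields:  coverage {cov:.0%}, bugs found {bugs}")
    # Only when the generator can force more than BUF_SIZE cycles does it fire.
    cov, bugs = fuzz(max_fields=40, iterations=200)
    print(f"fuzzer capped at 40 fields: coverage {cov:.0%}, bugs found {bugs}")
    # The interval check is driven by the real input bound, not the fuzz cap.
    print("interval check, inputs up to 2**16 fields:",
          "ALARM" if interval_check(2 ** 16) else "ok")
```

The first fuzz run reports 100% block coverage and zero bugs: the coverage metric is saturated, yet the defect needs the loop to cycle more than 16 times, which the generator's cap never allows. The interval check reaches the opposite verdict from the declared input bound alone, which is the trade the post describes: no missed bug inside the model, at the price of possible false alarms when the bound is looser than reality.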

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave