Dailydave mailing list archives

Re: School project start: a fuzzer


From: Jared DeMott <jdemott () crucialsecurity com>
Date: Fri, 08 May 2009 10:13:26 -0400

Martin Zember wrote:
> Hi community,
  
Hi Martin.

I have lots of ideas on fuzzing projects.  For example, you could try to
prove my hypothesis that it depends on the use case/target as to which
type of fuzzer is best.  Or you might use the simple file fuzzer from
the back of our book, and compare that to one you create and see which
one does better.  Right now simple fuzzers still rock against soft
file-based targets like QuickTime.  Speaking of which, I'll be giving
training and talking about such things at ShakaCon in a few weeks if you
need a reason to visit Hawaii.  Other ideas, you might use an existing
framework like Peach and compare results against one you create.  I'm a
big fan of comparisons against known tools, because it gives a reference
point when trying to understand the relative success of your project.
Heck, you might even resurrect EFS; it wasn't that complex!

Best wishes,
Jared

> could you please give me some advice about a school project? It is an
> obligatory team project.
>
> We plan to create a fuzzer. I hope it makes sense to build another fuzzer,
> since different fuzzers find different bugs, right..? ;-)
>
> We have a lot of time (9 months, 5 people, 1 day per week), but not more, so it
> is not a good ground for research. The project should be implemented,
> documented, finished, presented. The question is, how deep can we go (what to
> promise in the specification)? My guess is that detecting success during
> fuzzing only when the application crashes is too lame. "Feedback fuzzing" is maybe
> too complicated. What is realistic?
>
> Even though it would be nice, we did not find a paid project which is
> interesting enough. We are not obliged to do a fuzzer, so other suggestions or
> warnings are welcome.
>
> Martin
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
  


-- 
__________________________________________
Jared D. DeMott
Senior Security Researcher
Crucial Security Business Area
Harris Corporation
http://crucialsecurity.com
Phone  616.874.7810
Mobile 571.283.4163
