Dailydave mailing list archives

Cloud fuzzing.


From: Dave Aitel <dave () kof immunityinc com>
Date: Wed, 13 May 2009 02:12:48 -0400

Today at SyScan Ben Nagy of COSEINC gave a talk on a fuzzing cluster
he's built that does 1.2 million fuzz cases a day against Word 2007.
As he mentioned, as software gets better, the problem shifts from fuzz
case generation to crash analysis. If you're generating 200K crashes a
day, you need to figure out which ones are "interesting".

In the long run, the only answer is a program that writes real
exploits. Only then can you say for sure something is "interesting".
He's using !exploitable for WinDBG to get an approximation of the
problem. It's a talk full of real metrics.

72 VMs doing Word
20 test cases run a second
10% cause crashes or so.
Most of those are unexploitable (he had numbers, but I forget them),
according to !exploitable.

A small percentage say they are possibly exploitable, and out of
those, largely false positives.

The problem of fuzzing is exponential, but if you architect your
fuzzer right, you can scale linearly with your budget. Perhaps your
budget also grows exponentially? :>

The problems for the future are interesting. Classification of
potential exploitability is a problem that involves diffing program
runs, examining programs deeply for structure and behavior, and all
this has to scale up with your 200K cases a day.

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
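Added example, not from the post above or from Ben Nagy's cluster: a toy crash-triage pass that does the two things the talk says you need once the cluster is producing crashes faster than a human can read them, namely bucketing duplicates by stack hash and ranking each bucket into the four !exploitable-style categories. The crash records, the rule set and the names (Crash, classify, bucket, worklist, the 64 KiB "null page" limit) are all my own assumptions; the rules are a simplified approximation of what a tool like !exploitable does, not its actual logic.

```python
"""Toy crash triage: dedupe by stack hash, rank by !exploitable-style rules.

Everything here is an added, constructed example. The records below are
hand-written, simplified WinDBG-like crash summaries, and the rule set is a
hypothetical approximation of !exploitable's heuristics, not its code.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Buckets in the order a human should look at them.
RANK_ORDER = ["EXPLOITABLE", "PROBABLY_EXPLOITABLE", "UNKNOWN", "PROBABLY_NOT_EXPLOITABLE"]

# Assumption: accesses below this address are treated as null-pointer dereferences.
NULL_PAGE_LIMIT = 0x10000


@dataclass
class Crash:
    case_id: str       # fuzz case identifier (constructed)
    exception: str     # e.g. "ACCESS_VIOLATION", "INT_DIVIDE_BY_ZERO"
    access: str        # "read", "write", "execute", or "" when not applicable
    fault_addr: int    # address the faulting instruction tried to touch
    eip: int           # instruction pointer at the time of the fault
    stack: List[str]   # symbolized frames, innermost first


def classify(c: Crash) -> str:
    """Rank one crash. Simplified rules in the spirit of !exploitable (hypothetical)."""
    if c.exception == "ACCESS_VIOLATION":
        if c.access == "execute" or c.fault_addr == c.eip:
            return "EXPLOITABLE"              # EIP is on unmapped memory: control of flow
        if c.access == "write":
            # Arbitrary write is the strongest primitive; a write into the null page
            # is more likely an unchecked allocation result than attacker-chosen.
            return "EXPLOITABLE" if c.fault_addr >= NULL_PAGE_LIMIT else "PROBABLY_EXPLOITABLE"
        if c.fault_addr < NULL_PAGE_LIMIT:
            return "PROBABLY_NOT_EXPLOITABLE"  # null read: usually just a DoS
        return "UNKNOWN"                       # wild read: needs deeper (taint/diff) analysis
    if c.exception == "STACK_BUFFER_OVERRUN":  # /GS cookie check failed
        return "EXPLOITABLE"
    if c.exception in ("INT_DIVIDE_BY_ZERO", "BREAKPOINT"):
        return "PROBABLY_NOT_EXPLOITABLE"
    return "UNKNOWN"


def bucket(c: Crash, depth: int = 3) -> str:
    """Stack hash over the innermost frames plus the rank, so 200K crashes/day
    collapse into root causes instead of one ticket per test case."""
    key = "|".join([classify(c), c.exception, c.access] + c.stack[:depth])
    return hashlib.sha1(key.encode()).hexdigest()[:8]


def triage(crashes: List[Crash]) -> Dict[str, Tuple[str, List[str]]]:
    """Map bucket id -> (rank, case ids in that bucket)."""
    out: Dict[str, Tuple[str, List[str]]] = {}
    for c in crashes:
        rank, ids = out.setdefault(bucket(c), (classify(c), []))
        ids.append(c.case_id)
    return out


def worklist(crashes: List[Crash]) -> List[Tuple[str, str, int]]:
    """(rank, representative case, bucket size), most interesting first."""
    rows = [(rank, ids[0], len(ids)) for rank, ids in triage(crashes).values()]
    return sorted(rows, key=lambda r: RANK_ORDER.index(r[0]))


# Constructed sample crashes (not real Word 2007 crashes).
SAMPLE_CRASHES = [
    Crash("w2k7-000123", "ACCESS_VIOLATION", "write", 0x41414141, 0x30A1B2C3,
          ["wwlib!ReadRecord+0x12", "wwlib!ParseStream+0x88", "winword!Main"]),
    Crash("w2k7-000124", "ACCESS_VIOLATION", "read", 0x00000008, 0x30A1C000,
          ["wwlib!GetProp+0x4", "wwlib!ParseStream+0x88", "winword!Main"]),
    Crash("w2k7-000125", "ACCESS_VIOLATION", "read", 0x00000008, 0x30A1C000,
          ["wwlib!GetProp+0x4", "wwlib!ParseStream+0x88", "winword!Main"]),
    Crash("w2k7-000126", "ACCESS_VIOLATION", "execute", 0x42424242, 0x42424242,
          ["0x42424242", "wwlib!Dispatch+0x3a", "winword!Main"]),
    Crash("w2k7-000127", "INT_DIVIDE_BY_ZERO", "", 0, 0x30A1D111,
          ["wwlib!ScaleImage+0x51", "wwlib!ParseStream+0x88", "winword!Main"]),
    Crash("w2k7-000128", "ACCESS_VIOLATION", "read", 0x7C801234, 0x30A1E222,
          ["wwlib!CopyRun+0x9", "wwlib!ParseStream+0x88", "winword!Main"]),
]

if __name__ == "__main__":
    for rank, case, n in worklist(SAMPLE_CRASHES):
        print(f"{rank:26} {case}  x{n}")
```

The bucket key folds the rank in together with the innermost frames, so two cases with the same top of stack but different fault classes (a null read and a wild read through the same function) land in separate buckets rather than hiding the interesting one behind the boring one.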
