Dailydave mailing list archives

Re: A change

From: Lurene Grenier <pusscat () metasploit com>
Date: Wed, 27 Jan 2010 10:24:05 -0500

I think that while finding 0-days might be 'not terribly difficult',
selecting and properly weaponising useful 0-days from the masses of
dreck your fuzzer spits out IS difficult - at least in my experience.
There was some discussion of the 'too many bugs' problem on this list
previously and I know several of the other fuzzing guys are currently
researching  the same area.


I really feel that the "selecting good crashes" problem is not that
hard to overcome if you have a proper bucketing system, and the
ability to do just a bit of auto-triage at crash time.  For example,
the fuzzer I use now both separates crashes by what it perceives to be
the base issue at hand, and provides a brief notes file with some
information about the crash and what is controlled.  This requires
just a bit of sense in providing fuzzed input, and very little smarts
on the part of the debugger. I really think the next step is
automating that brain-jutsu; much of it is hard to keep in your head,
but not hard to do in code.

Using this output, it's pretty easy to spend a lazy morning with your
coffee grepping the notes files for the sorts of things you usually
find to be reliably exploitable.  From there you can call in your 30
ninjas and have at.

Creating reliable exploits is for sure the hardest part, but once
you've done the initial work on a program, the next few exploits in it
are of course more quickly and easily done.

As for the thought experiment, I think that the benefit of the top
four researchers is that they've trained themselves over a long period
of time (and with passion) to have a very good set of
pattern-recognition tools which they call instincts.  They know how to
get crashes, and they know having seen one crash what's likely to find
more.  They know how to think about a process to get proper execution,
and they're rewarded by success emotionally which makes the lesson
learned this time around stick for when they need it again.

I honestly think that there is more pattern recognition
"muscle-memory" type skill involved in RE, bug hunting, and exploit
dev than pure mechanical process, which is why the numbers are so
skewed.  It's like taking 4 native speakers of a language (who love to
read!) and 100 students of general linguistics with a zillion dollars.
 Who will read a book in the language faster?

-- 
~ Lurene
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

Current thread:

Re: A change, (continued)
- - Re: A change delchi delchi (Jan 20)
- Re: A change Nelson Brito (Jan 18)
  - Re: A change val smith (Jan 19)
  - Re: A change Matthew Wollenweber (Jan 20)
    - Re: A change Marius (Jan 20)
    - Re: A change Jim Manico (Jan 20)
    - Re: A change Menerick, John (Jan 24)
    - Re: A change Ben Nagy (Jan 26)
    - Re: A change Rodrigo Rubira Branco (BSDaemon) (Jan 27)
    - Re: A change Nick FitzGerald (Jan 27)
    - Re: A change Lurene Grenier (Jan 27)
    - Re: A change Dragos Ruiu (Jan 28)
- Re: A change Dragos Ruiu (Jan 20)
- Re: A change Haroon Meer (Jan 19)
  - Re: A change alexm (Jan 20)