oss-sec mailing list archives

Re: Fuzzing project brainstorming


From: "M.T. Roebuck" <marvint.roebuck () inbox lv>
Date: Fri, 21 Nov 2014 07:03:14 -0800

On Thu, 20 Nov 2014 20:23:09 +0100
Hanno Böck <hanno () hboeck de> wrote:


> Compared to "starting from scratch" starting such a fuzzing project is
> not herculean, it's more like grabbing the low hanging fruit.

Ok but it's a very large space, really infinite. And I didn't mean
my message as a comparison.


> But arguments alike come up every now and then. Basically you'll hear
> two things: "We have to mitigate / sandbox" and "please rewrite
> everything in [insert favorite non-C programming language]".

I think we keep doing what we're doing. But your message was
a reminder that someone somewhere should be thinking hard
about how to replace the "our systems we have today". Not rewrite
but replace.


> I don't want to downplay either of these approaches. It's just that
> you have to be realistic. Nobody will rewrite everything from scratch

Sometimes inspiration comes outta nowhere.

> in rust/go/haskell/whatever any time soon. There are a few interesting

No not going to happen soon, but starting now would be better than
waiting. I guess that's my point. Maybe it has started out there
somewhere already.

> projects that try to rewrite key software in safer languages (mitls and
> servo come to mind), but they are few and none of them is in a
> production state.

Don't know them but am curious and will have to look.


> Our systems we have today - the ones we use to have this discussion,
> manage our bank accounts and surf the web - have imperfect software
> written mostly in unsafe languages. I feel fuzzing can improve the
> state of things a lot.

I agree completely and I know you're right.  Sometimes my fuzzing,
some might call it PEBKAC, turns up a thing or two. (^:
Maybe call it involuntary fuzzing instead of stupid-user tricks.


