Recent Features
| |||||||||||||
Jones: system call abuseJones: system call abusePosted Nov 9, 2010 22:34 UTC (Tue) by Wummel (subscriber, #7591)Parent article: Jones: system call abuse
Dave also makes some implicit statements here which I think are the reasons why fuzzing is not more widely seen in application or API development:
a) usable fuzzing requires in-depth or expert knowledge of the function that is to be tested b) it requires quite a lot of work to get useful fuzzing results (ie. detecting "real" bugs)
So with this in mind I am happy Dave is investing his time to do such useful security testing :-)
(Log in to post comments)
Jones: system call abuse Posted Nov 9, 2010 23:12 UTC (Tue) by wahern (subscriber, #37304) [Link]
Much of that in-depth knowledge can be determined by a program. See KLEE (http://klee.llvm.org/).
With KLEE you flag interesting variables and then it attempts to examine all the possible code paths dependent on the value (e.g. range) of that variable, generating test cases to intelligently fuzz those paths.
The more code KLEE must examine the more time it takes (hours or days or forever), and it can only handle deterministic code (i.e. no user input), so KLEE is a tool, not a solution. But a very interesting tool.
Jones: system call abuse Posted Nov 9, 2010 23:33 UTC (Tue) by wahern (subscriber, #37304) [Link]
An example analogous to the `rand() % 3' case: http://blog.llvm.org/2010/04/whats-wrong-with-this-code.html
Jones: system call abuse Posted Nov 9, 2010 23:45 UTC (Tue) by dmarti (subscriber, #11625) [Link] Also from Dave: user space sucks...so if you know how it sucks from that tool, you know possible values to pass into this tool?
Jones: system call abuse Posted Nov 10, 2010 0:19 UTC (Wed) by proski (subscriber, #104) [Link]
That's a wonderful example of a program being smarter than the user expected it to be!
|
|||||||||||||