
A fuzzy issue of responsible disclosure

Posted Aug 13, 2022 13:18 UTC (Sat) by khim (subscriber, #9252)
In reply to: A fuzzy issue of responsible disclosure by dottedmag
Parent article: A fuzzy issue of responsible disclosure

To show you one example which really impressed me. When Dmitry Vyukov just started fuzzing PCI-Express drivers, someone had the bright idea to create a Thunderbolt contraption with an FPGA which was taught to apply “bad sequences” (found by fuzzers) to the live Thunderbolt port. And when they found a few dozen such sequences, they tested them with a Linux laptop and, lo and behold, it successfully crashed it.

That was not surprising. The surprise came when a Windows laptop was tested. Most “bad sequences” were ignored (bugs in independently written code tend to be different), but some of them crashed Windows, too.

Now, think about it: how much chance would they have WRT successful “investigation of results” on Windows?

It's one thing to find out that “this or that violation of specs leads to a buffer overrun”. It's a completely different skillset to invent the “proper way” to fix these.

