From: Dave Aitel (davekof.immunityinc.com)
Date: Wed May 13 2009 - 10:10:55 CDT
He's doing pretty deep format-aware fuzzing, from what I can tell. But you
still will get false positives (as measured by "obviously exploitable bugs"
versus "obviously not exploitable bugs").
On Wed, May 13, 2009 at 3:42 AM, Matt Oh <oh.jeongwookgmail.com> wrote:
> Nagy works at COSEINC? He was my former colleague :)
> Anyway, I'm just curious whether he was doing format-aware fuzzing or just brute
> forcing all the bytes and dwords of the file. In the previous case, the FP
> rate will drop drastically compared to the second one.
> On Tue, May 12, 2009 at 11:12 PM, Dave Aitel <davekof.immunityinc.com> wrote:
>> Today at SyScan Ben Nagy of COSEINC gave a talk on a fuzzing cluster
>> he's built that does 1.2 million fuzz cases a day against Word 2007.
>> As he mentioned, as software gets better, the problem shifts from fuzz
>> case generation to crash analysis. If you're generating 200K crashes a
>> day, you need to figure out which ones are "interesting".
>> In the long run, the only answer is a program that writes real
>> exploits. Only then can you say for sure something is "interesting".
>> He's using !exploitable for WinDBG to get an approximation of the
>> problem. It's a talk full of real metrics.
>> 72 VMs doing Word
>> 20 test cases run a second
>> 10% cause crashes or so.
>> Most of those are unexploitable (he had numbers, but I forget them),
>> according to !exploitable.
>> A small percentage say they are possibly exploitable, and out of
>> those, largely false positives.
>> The problem of fuzzing is exponential, but if you architect your
>> fuzzer right, you can scale linearly with your budget. Perhaps your
>> budget also grows exponentially? :>
>> The problems for the future are interesting. Classification of
>> potential exploitability is a problem that involves diffing program
>> runs, examining programs deeply for structure and behavior, and all
>> this has to scale up with your 200K cases a day.
>> Dailydave mailing list
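The triage problem the thread describes (hundreds of thousands of crashes a day, a classifier that is only an approximation, and a human review budget that does not scale) is usually attacked by bucketing crashes before anyone looks at them. The block below is an added illustration, not code from the talk, from Immunity, or from anyone on this list. The four classification names are the ones !exploitable actually emits; everything else (the `CrashRecord` fields, the major/minor hash strings, the case ids, the exception labels) is constructed sample data standing in for what a cluster would collect from its debugger runs.

```python
"""
Crash-triage bucketing for a fuzzing cluster (added example, constructed data).

Each record mirrors the shape of what !exploitable reports for one crash: an
exploitability classification plus a coarse (major) and fine (minor) stack
hash. The values below are made up; only the classification names are real.
"""
from collections import defaultdict
from dataclasses import dataclass

# !exploitable's four classifications, most urgent first.
RANK = {
    "EXPLOITABLE": 0,
    "PROBABLY_EXPLOITABLE": 1,
    "UNKNOWN": 2,
    "PROBABLY_NOT_EXPLOITABLE": 3,
}


@dataclass(frozen=True)
class CrashRecord:
    case_id: str          # fuzz case that produced the crash
    classification: str   # one of RANK's keys
    major_hash: str       # hash of the top stack frames (coarse bucket)
    minor_hash: str       # hash over more of the stack (finer bucket)
    exception: str        # constructed label, e.g. READ_AV / WRITE_AV


def bucket_crashes(records, suppressed=frozenset()):
    """Group crashes by major hash, skipping buckets already triaged away.

    Each bucket keeps its size, the most severe classification seen, the
    distinct minor hashes, and one representative case to reproduce first.
    """
    buckets = defaultdict(list)
    for rec in records:
        if rec.major_hash not in suppressed:
            buckets[rec.major_hash].append(rec)
    summary = {}
    for major, recs in buckets.items():
        best = min(recs, key=lambda r: RANK.get(r.classification, len(RANK)))
        summary[major] = {
            "count": len(recs),
            "best": best.classification,
            "minor_hashes": sorted({r.minor_hash for r in recs}),
            "exceptions": sorted({r.exception for r in recs}),
            "example_case": best.case_id,
        }
    return summary


def prioritize(summary):
    """Order buckets by severity first, then by how often they reproduce."""
    return sorted(
        summary.items(),
        key=lambda kv: (RANK.get(kv[1]["best"], len(RANK)), -kv[1]["count"]),
    )


def review_queue(records, budget, suppressed=frozenset()):
    """Case ids an analyst should open first, given a daily review budget."""
    ordered = prioritize(bucket_crashes(records, suppressed))
    return [info["example_case"] for _, info in ordered[:budget]]


# Constructed sample: a heavily truncated day of crashes.
SAMPLE = [
    CrashRecord("c001", "PROBABLY_NOT_EXPLOITABLE", "aaaa", "a1", "READ_AV"),
    CrashRecord("c002", "PROBABLY_NOT_EXPLOITABLE", "aaaa", "a2", "READ_AV"),
    CrashRecord("c003", "EXPLOITABLE", "bbbb", "b1", "WRITE_AV"),
    CrashRecord("c004", "UNKNOWN", "cccc", "c1", "READ_AV"),
    CrashRecord("c005", "PROBABLY_EXPLOITABLE", "aaaa", "a3", "WRITE_AV"),
    CrashRecord("c006", "PROBABLY_NOT_EXPLOITABLE", "dddd", "d1", "STACK_OVERFLOW"),
    CrashRecord("c007", "UNKNOWN", "cccc", "c1", "READ_AV"),
]


if __name__ == "__main__":
    for major, info in prioritize(bucket_crashes(SAMPLE)):
        print(major, info["best"], info["count"], info["example_case"])
    print("review first:", review_queue(SAMPLE, budget=2))
    # Once an analyst has confirmed bucket "aaaa" is a false positive,
    # suppress it so tomorrow's queue surfaces the next bucket instead.
    print("next day:", review_queue(SAMPLE, budget=2, suppressed={"aaaa"}))
```

Two design points follow directly from the thread. Bucketing on the major hash is what turns "200K crashes a day" into a list short enough to read, and carrying the best classification per bucket means one `PROBABLY_EXPLOITABLE` hit is not drowned out by the hundreds of `PROBABLY_NOT_EXPLOITABLE` variants of the same bug. The `suppressed` set is the feedback loop for the false positives Dave mentions: a bucket an analyst has already written off stays out of the queue, so the review budget is spent on buckets nobody has looked at yet.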