ianG writes:

> On 26/03/12 07:43 AM, Jon Callas wrote:
>
> >This is precisely the point I've made: the budget way to break crypto is to
> >buy a zero-day. And if you're going to build a huge computer center, you'd
> >be better off building fuzzers than key crackers.
>
> point of understanding - what do you mean by fuzzers?

Automatically trying to make software incur faults with large amounts of randomized (potentially invalid) input.

https://en.wikipedia.org/wiki/Fuzz_testing

If you get an observable fault you can repeat the process under a debugger and try to understand why it occurred and whether it is an exploitable bug.

Here's a pretty detailed overview:

https://www.blackhat.com/presentations/bh-usa-07/Amini_and_Portnoy/Whitepaper/bh-usa-07-amini_and_portnoy-WP.pdf

When it was first invented, fuzzing basically just consisted of feeding random bytes to software, but now it can include sophisticated understanding of the kinds of data that a program expects to see, with some model of the internal state of the program.

I believe there are also fuzzers that examine code coverage, so they can give feedback to the tester about whether there are parts of the program that the fuzzer isn't exercising.

-- 
Seth David Schoen <[email protected]>      |  No haiku patents
     http://www.loyalty.org/~schoen/        |  means I've no incentive to
  FD9A6AA28193A9F03D4BF4ADC11B36DC9C7DD150  |        -- Don Marti
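
Added illustration, not part of the original message: a minimal mutation fuzzer in Python that uses line coverage as feedback and returns the first faulting input so the run can be repeated. The target `parse_record`, its record format and its planted bounds bug are constructed for this example.

```python
import random
import sys
def parse_record(data: bytes) -> bytes:
    """Constructed toy target: b'FZ', 1-byte type, 1-byte length, payload."""
    if len(data) < 4 or data[:2] != b"FZ":
        raise ValueError("bad header")         # clean rejection, not a fault
    kind, length = data[2], data[3]
    if kind == 1:
        return data[4:4 + length]              # slicing is bounds-safe
    if kind == 2:
        return bytes([data[4 + length - 1]])   # planted bug: length is trusted
    raise ValueError("unknown type")

def run_with_coverage(target, data):
    """Run target once; return (line numbers executed in target, fault or None)."""
    lines, fault, prev = set(), None, sys.gettrace()
    def tracer(frame, event, arg):
        if frame.f_code is target.__code__:    # trace only the target's frame
            if event == "line":
                lines.add(frame.f_lineno)
            return tracer
    sys.settrace(tracer)
    try:
        target(data)
    except ValueError:
        pass                                   # documented rejection
    except Exception as exc:                   # anything else is an observable fault
        fault = exc
    finally:
        sys.settrace(prev)
    return lines, fault

def fuzz(target, seed_input, iterations=50000, rng_seed=1):
    """Mutate one byte per try; keep inputs reaching new lines; stop at first fault."""
    rng = random.Random(rng_seed)              # fixed seed so a run can be repeated
    seen, _ = run_with_coverage(target, seed_input)
    corpus = [seed_input]
    for n in range(1, iterations + 1):
        buf = bytearray(rng.choice(corpus))
        buf[rng.randrange(len(buf))] = rng.randrange(256)
        lines, fault = run_with_coverage(target, bytes(buf))
        if fault is not None:
            return bytes(buf), fault, n        # input to replay under a debugger
        if not lines <= seen:                  # new coverage: worth mutating further
            seen |= lines
            corpus.append(bytes(buf))
    return None, None, iterations

if __name__ == "__main__":
    print(fuzz(parse_record, b"FZ\x01\x03abc"))  # (faulting input, fault, inputs tried)
```

The fault is only reachable in two steps (type byte 2, then an oversized length), which is where keeping inputs that reach new lines pays off over mutating the original seed alone.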
