Ben Nagy use to work for me at eEye Digital Security where we helped pioneer 
some of the earliest forms of fuzzing before fuzzing was even a word used by 
the security industry. The field has changed dramatically in recent years as 
one that started with simply spewing randomized data at various protocols and 
file types, into the more sophisticated enterprise class applications that we 
have today.

The one positive thing you have to keep in mind is that the reason that all of 
us in the research world are advancing the techniques used to discover 
vulnerabilities is because it is becoming harder to find vulnerabilities. The 
simple fuzzer of yesterday is not affect in finding vulnerabilities and 
requires a "cloud fuzzing" type of system that turns fuzzing into more of a 
numbers game with some luck of the rolling of devices or malformed data as it 
were. The thing you should fear most is the leaps ahead that happen in 
vulnerability research, the new classes of attacks, etc... A good example of 
this is SQL injection vulnerabilities.

That being said some people whom have taken a more scientific and well thought 
out approach to things like fuzzing can also end up with systems that are very 
robust and have great statistics in number of tests and such but never really 
find many vulnerabilities. This goes back to one of the core concepts I use to 
preach to my researchers over 10 years ago that there are no mistakes in 
fuzzing technology for the goal is to be as randomly valid and invalid all at 
the same time.

Bruce Lee said it best, "Using no way as a way, using no limitations as a 
limitation."

Bruce Lee also said something that the security industry has yet to grasp, 
"Simplicity is the key to brilliance."

> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Wednesday, May 13, 2009 10:51 AM
> To: NT System Admin Issues
> Subject: The industrialization of hacking
> 
> And this is one of the *good* guys.
> 
> 
> ---------- Forwarded message ----------
> From: Dave Aitel <[email protected]>
> Date: Tue, May 12, 2009 at 23:12
> Subject: [Dailydave] Cloud fuzzing.
> To: [email protected]
> 
> 
> Today at SyScan Ben Nagy of COSEINC gave a talk on a fuzzing cluster
> he's built that does 1.2 million fuzz cases a day against Word 2007.
> As he mentioned, as software gets better, the problem shifts from fuzz
> case generation to crash analysis. If you're generating 200K crashes a
> day, you need to figure out which ones are "interesting".
> 
> In the long run, the only answer is a program that writes real
> exploits. Only then can you say for sure something is "interesting".
> He's using !exploitable for WinDBG to get an approximation of the
> problem. It's a talk full of real metrics.
> 
> 72 VM's doing Word
> 20 test cases run a second
> 10% cause crashes or so.
> Most of those are unexploitable (he had numbers, but I forget them),
> according to !exploitable.
> 
> A small percentage say they are possibly exploitable, and out of
> those, largely false positives.
> 
> The problem of fuzzing is exponential, but if you architect your
> fuzzer right, you can scale linearly with your budget. Perhaps your
> budget also grows exponentially? :>
> 
> The problems for the future are interesting. Classification of
> potential exploitability  is a problem that involves diffing program
> runs, examining programs deeply for structure and behavior, and all
> this has to scale up with your 200K cases a day.
> 
> -dave
> _______________________________________________
> Dailydave mailing list
> [email protected]
> http://lists.immunitysec.com/mailman/listinfo/dailydave
> 
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

Reply via email to