I think the biggest implication of this kind of automation is that vendors will absolutely need to start paying attention to their deliverables, whether it's a document format or a protocol, because automated and intelligent fuzzing *will* happen to them.
The corollary to that is that standard formats and protocols are going to become increasingly important, as is documentation of proprietary formats and protocols. Interesting times. Kurt On Fri, May 15, 2009 at 15:12, Marc Maiffret <[email protected]> wrote: > Ben Nagy use to work for me at eEye Digital Security where we helped pioneer > some of the earliest forms of fuzzing before fuzzing was even a word used by > the security industry. The field has changed dramatically in recent years as > one that started with simply spewing randomized data at various protocols and > file types, into the more sophisticated enterprise class applications that we > have today. > > The one positive thing you have to keep in mind is that the reason that all > of us in the research world are advancing the techniques used to discover > vulnerabilities is because it is becoming harder to find vulnerabilities. The > simple fuzzer of yesterday is not affect in finding vulnerabilities and > requires a "cloud fuzzing" type of system that turns fuzzing into more of a > numbers game with some luck of the rolling of devices or malformed data as it > were. The thing you should fear most is the leaps ahead that happen in > vulnerability research, the new classes of attacks, etc... A good example of > this is SQL injection vulnerabilities. > > That being said some people whom have taken a more scientific and well > thought out approach to things like fuzzing can also end up with systems that > are very robust and have great statistics in number of tests and such but > never really find many vulnerabilities. This goes back to one of the core > concepts I use to preach to my researchers over 10 years ago that there are > no mistakes in fuzzing technology for the goal is to be as randomly valid and > invalid all at the same time. > > Bruce Lee said it best, "Using no way as a way, using no limitations as a > limitation." > > Bruce Lee also said something that the security industry has yet to grasp, > "Simplicity is the key to brilliance." > >> -----Original Message----- >> From: Kurt Buff [mailto:[email protected]] >> Sent: Wednesday, May 13, 2009 10:51 AM >> To: NT System Admin Issues >> Subject: The industrialization of hacking >> >> And this is one of the *good* guys. >> >> >> ---------- Forwarded message ---------- >> From: Dave Aitel <[email protected]> >> Date: Tue, May 12, 2009 at 23:12 >> Subject: [Dailydave] Cloud fuzzing. >> To: [email protected] >> >> >> Today at SyScan Ben Nagy of COSEINC gave a talk on a fuzzing cluster >> he's built that does 1.2 million fuzz cases a day against Word 2007. >> As he mentioned, as software gets better, the problem shifts from fuzz >> case generation to crash analysis. If you're generating 200K crashes a >> day, you need to figure out which ones are "interesting". >> >> In the long run, the only answer is a program that writes real >> exploits. Only then can you say for sure something is "interesting". >> He's using !exploitable for WinDBG to get an approximation of the >> problem. It's a talk full of real metrics. >> >> 72 VM's doing Word >> 20 test cases run a second >> 10% cause crashes or so. >> Most of those are unexploitable (he had numbers, but I forget them), >> according to !exploitable. >> >> A small percentage say they are possibly exploitable, and out of >> those, largely false positives. >> >> The problem of fuzzing is exponential, but if you architect your >> fuzzer right, you can scale linearly with your budget. Perhaps your >> budget also grows exponentially? :> >> >> The problems for the future are interesting. Classification of >> potential exploitability is a problem that involves diffing program >> runs, examining programs deeply for structure and behavior, and all >> this has to scale up with your 200K cases a day. >> >> -dave >> _______________________________________________ >> Dailydave mailing list >> [email protected] >> http://lists.immunitysec.com/mailman/listinfo/dailydave >> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ >> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
