[fuzzing] Commercial Fuzzers
Christian Wieser
chwieser at ee.oulu.fi
Wed Mar 21 14:43:19 CDT 2007
Hello,
First, about my background: I have been working at the OUSPG in the
PROTOS project and did fuzzers there. Also, I had worked for 2 years
at Codenomicon.
> I do know that Codenomicon allows you to do a free trial for a time, no
> offense to anyone on the list, I didn't feel that it was a great fuzzer, and
> frankly I wrote a comparable one in Python (w/Peach) in a few hours, the
> particular one that I tried was for HTTP. As well, there is a company that
> builds a fuzzing appliance but the name eludes me currently.
>
Could you be more precise on "comparable"? Fuzzers come in a lot
of different flavours, e.g. random vs. structural fuzzing. IMHO the art
of creating fuzz test cases lies in finding the most bugs with the fewest test cases
- typically the input space is (practically) indefinite.
And the common HTTP implementations have been fuzzed to death ;)
> The problem with these tools is that they are ridiculously expensive, you are
> better off hiring someone as a contract programmer to develop your own
> fuzzer that will do EXACTLY what you want, with the instrumentation you
> need. I am willing to bet that the costs will be lower (worst case the same)
> and you will be using something that does what you and your QA/security team
> need.
>
Pricing is something an egghead like me has never understood ;) I do see,
however, that development, maintenance, support and training do not come
for free. This is typically an area where commercial products rule.
It would be interesting to compare the results of the contract
programmer with other products. Knowing the test subject precisely
makes life much easier, but companies doing fuzzers day in and day out might
have more experience. Interesting research topic.
> Anyone have any other thoughts?
>
Just my two cents worth ;)
Christian
> JS
>
> -----Original Message-----
> From: Jared DeMott [mailto:demottja at msu.edu]
> Sent: Wednesday, March 21, 2007 10:37 AM
> To: Tom Keetch
> Cc: fuzzing at whitestar.linuxbox.org
> Subject: Re: [fuzzing] Commercial Fuzzers
>
> Tom Keetch wrote:
> > Hey,
> >
> > I'm looking to see what people think of current commercial fuzzers,
> > are they worth the money? Are they too hard to use? What features do they lack?
> >
> > Be grateful for any input,
> >
> Great question. I've been wanting to do a commercial fuzzer
> survey/comparison for a long time, but I've had two problems:
> 1.) No time currently
> 2.) They cost money
>
> Any vendors out there have suggestions on how we might solve these two
> problems?
>
> > Many Thanks,
> >
> > Tompsci
> > _______________________________________________
> > fuzzing mailing list
> > fuzzing at whitestar.linuxbox.org
> > http://www.whitestar.linuxbox.org/mailman/listinfo/fuzzing
> >
> >
> >
>
Christian Wieser
mailto:chwieser at ee.oulu.fi
"In the beginning there were the swamp, the hoe - and Jussi"
"The Finnish summer is beautiful. But short."
Väinö Linna, "Täällä pohjantähden alla", part 1