[fuzzing] I have a dream

nnp version5 at gmail.com
Thu Mar 29 12:08:47 CDT 2007


On 3/29/07, Ari Takanen <ari.takanen at codenomicon.com> wrote:
> I think a fuzzing portal is a good idea! But instead of sticking to
> one interface description language format, it might be more beneficial
> to collect data to be used for various different open source tools. If
> you decide to promote one format over another, the portal can easily
> become a tool for one or the other fuzzing vendor. I know some
> commercial tool vendors would benefit from the free help you would be
> giving them with XML descriptions (as I suspect some of them are
> already reusing PROTOS which is a potential GPL violation). But I have
> no idea how that would benefit the fuzzing community. I definitely
> think that it is good to have some free solutions that compete with
> the commercial fuzzers. Promoting one specific format that would give
> one of the commercial tool vendors free R&D will make it harder for
> anyone to innovate in that field of research. I am not saying that we
> (Codenomicon) would have any problems eating XML though (nor SDL,
> ASN.1, BNF, TTCN).
>

Hrm, while the idea of being taken advantage of by a vendor isn't
exactly appealing, if that's the price of creating a potentially
incredibly useful protocol specification database then it's one that's
worth paying in my opinion. We can't control what vendors do, case in
point being the use of PROTOS, so I don't see much point in worrying
about it.

Be it XML, ABNF, ASN.1 or whatever, a coherent database could be
invaluable when creating a fuzzer. It would be interesting to document
exactly how the time in writing a protocol-specific fuzzer takes but
from personal experience I spend a rather large amount of the time
dragging protocol specs out of RFCs and Ethereal dumps. An easily
parsable specification would lessen this significantly IMHO.

> And finally the sales pitch:
>
> All Codenomicon fuzzing frameworks, protocol models, fuzzing
> algorithms, and anomaly data are 100% internally built. Nothing is
> outsourced.

Haha, I must start counting the number of times 'Codenomicon' appears
in your posts ;)

> --
> -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
> Ari Takanen                       Codenomicon Ltd.
> ari.takanen at codenomicon.com       Tutkijantie 4E
> tel: +358-40 50 67678             FIN-90570 Oulu
> http://www.codenomicon.com        Finland
> PGP: http://www.codenomicon.com/codenomicon-key.asc
> -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-


-- 
http://www.smashthestack.org
http://www.mastersofthewang.com