[fuzzing] Hey all

nnp version5 at gmail.com
Mon Mar 17 08:31:00 CDT 2008 

On Mon, Mar 17, 2008 at 1:10 PM, Andre Gironda <andre at operations.net> wrote:

> On Mon, Mar 17, 2008 at 5:14 AM, nnp <version5 at gmail.com> wrote:
> nnp,
>
> Thanks for focusing on the two issues from my email that I care the
> least about, but were most important for you to answer to appear
> intelligent compared to the rest of the group.  Care to comment on any
> of the rest of my original post?
>

Erm... if you don't care about the topics then why mention them in your post
and take up two paragraphs to do so? Or is it that you just don't like it
when people disagree with you? And no, I don't care to comment on the rest
of your post because its not particularly interesting. The only reason I
commented on the part I did is that you seem to have some misconceptions
that I thought you might like cleared up.


> > applications). Autodafe, GPF, Flayer, Bunny the Fuzzer etc. All these
> tools
> > are far more advanced than what is publicly available to do the same on
> > Windows. As for not targetting anything besides stack-based buffer
> > overflows, I think if you look at the fuzz strings people were using as
> far
> > back as SPIKE you can see strings for integer issues, unicode issues,
> format
> > string vulnerabilities, directory traversal, command execution and SQL
> > injection.
>
> I'm familiar with all of these.  That doesn't change my point.  My
> point was that most testers are too specialized and obsessed with
> classic vulnerabilities/exploits on Windows.
>

So evidence to the contrary doesn't change your opinion? Interesting.


>
> To further my point even more, all of the vulnerabilities/tools you
> named are still quite classic (and/or outdated).


Outdated?  Do you even know what those tools do or how they work?

What about
> heap-based attacks, attacks on pipes, problems with signals, issues
> with time & state,


How are these types of attacks any less popular than stack based overflows?
Just because all you or the people you surround yourself with only know/care
about these issues doesn't mean everyone else does. A decent security
auditor isn't going to have a 'favourite' bug class they only target. They
will take whatever they can get. Also, could you please explain how fuzzing
tools are more likely to target stack based overflows that heap based
overflows? I'm really curious about that.

as well as many of the other less-popular (or
> should I say less understood?) software weaknesses?  I admit that
> traversals are interesting, but everything at the access level is
> relatively classic and played out.  Most are just flatly "input
> validation" problems that can be tested for with unit testing.
>

Indeed they can be. But then again, every exploitable bug class I can think
of besides design level bugs can be tested for. The problem is, they aren't.
Or it isn't done properly.


> > > Does vulnerability research include exploit writing?
> >
> > I think it depends on your job. ... If you work
> > for a company that does security assessments or vulnerability research
> then
> > sometimes it can be difficult to convince the client that the issue you
> are
> > reporting is a) exploitable in the real world or b) a serious issue. In
> this
> > case an exploit can often get your point across easier than an argument.
>
> I read in a book on "Secure Programming" once that this is the
> "Exploitability trap" and not to fall into it.  I say go for the easy
> argument.  Code is either obviously secure, ambiguous, or obviously
> insecure.  If the code is obviously insecure or ambiguous - it must be
> made "obviously secure".  Client still doesn't understand?  Ask the
> client if they would like for you to outsource the writing of the
> exploit to a bunch of Chinese programmers you met on an underground
> forum or irc channel.  I hear crowdsourcing is popular these days.
>
> Back to the original topic, I think that any new certifications will
> hurt us more than help.  I think this because "security professionals
> / vulnerability researchers" are already a bunch of white males with
> 5-20 of information security experience and close to zero experience
> outside of our own industry.


Nice generalisation there.


> Can we pigeon-hole ourselves and be
> over-specialized any more than we already are?  Would this be a good
> thing?
>
> Cheers,
> Andre
>



-- 
http://www.smashthestack.org
http://www.unprotectedhex.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.whitestar.linuxbox.org/pipermail/fuzzing/attachments/20080317/846a4da7/attachment.htm

More information about the fuzzing mailing list