Slashdot Mirror
CERT Releases Basic Fuzzing Framework
infoLaw passes along this excerpt from Threatpost: "Carnegie Mellon University's Computer Emergency Response Team has released a new fuzzing framework to help identify and eliminate security vulnerabilities from software products. The Basic Fuzzing Framework (BFF) is described as a simplified version of automated dumb fuzzing. It includes a Linux virtual machine that has been optimized for fuzz testing and a set of scripts to implement a software test."
Anything that you write that uses a regex you should beat on with some fuzzing logic, since they can tend to increase in computational time non-linearly, and next thing you know you got a DOS on your hands.
TIP OF THE DAY for you FROM ME
Dare I inquire as to the thought process behind the notion that the inferiority of an OSS program called "Fuzz" and the superiority of an debian-based VM, running a GPLed perl script automating a WTFPLv2-licenced fuzzer proves the unimpressiveness of OSS?
BFF? What an unfortunate choice of acronyms.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
If there is one place I've seen worse code than OSS, it would be in academia.
Bizarrely, this is also where I've seen the most brilliant code.
If you look closely, you'll find that the "brilliant code" is most often written by academics who have industry programming experience. Similarly, in industry, you will find that the best code is written by experienced programmers with rigorous academic backgrounds. In contrast, the academics who insist that computer science has nothing to do with programming, and the self-taught hackers who proudly proclaim their lack of all that fancy book-larnin', are two sides of the same worthless coin.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
I think the fact they are using a modified form means they did judge you, and found it good enough to use as a start. That should count for something.