Slashdot Mirror


CERT Releases Basic Fuzzing Framework

infoLaw passes along this excerpt from Threatpost: "Carnegie Mellon University's Computer Emergency Response Team has released a new fuzzing framework to help identify and eliminate security vulnerabilities from software products. The Basic Fuzzing Framework (BFF) is described as a simplified version of automated dumb fuzzing. It includes a Linux virtual machine that has been optimized for fuzz testing and a set of scripts to implement a software test."

10 of 51 comments

  1. axfuzz by shird · · Score: 5, Interesting

    In their whitepaper they referenced my 'axfuzz' tool I wrote years ago and even used a modified version of it in their testing. Hope they didn't judge me on that code, it was a pile of crap that I kept hacking together until it finally worked, with no thought to proper software design.

    --
    I.O.U One Sig.
    1. Re:axfuzz by __aasqbs9791 · · Score: 2, Insightful

      I think the fact they are using a modified form means they did judge you, and found it good enough to use as a start. That should count for something.

    2. Re:axfuzz by TubeSteak · · Score: 3, Funny

      Hope they didn't judge me on that code, it was a pile of crap that I kept hacking together until it finally worked, with no thought to proper software design.

      That sounds like exactly the kind of code a fuzzer should be used upon.
      Oh the recursion!

      --
      [Fuck Beta]
      o0t!
  2. hmmm... by thatskinnyguy · · Score: 2, Funny

    The worst-case scenario is talking about worst-case scenarios, thinking about worst-case scenarios, and letting them possess you.

    --
    The game.
  3. Linky? by Anonymous Coward · · Score: 3, Informative

    Oh FFS, you couldn't even link to the damn framework?

  4. Re:bleh by fuzzyfuzzyfungus · · Score: 2, Insightful

    Dare I inquire as to the thought process behind the notion that the inferiority of an OSS program called "Fuzz" and the superiority of a Debian-based VM, running a GPLed Perl script automating a WTFPLv2-licensed fuzzer, proves the unimpressiveness of OSS?

  5. BFF? by Fnord666 · · Score: 2, Insightful

    BFF? What an unfortunate choice of acronyms.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    1. Re:BFF? by Daniel+Dvorkin · · Score: 3, Funny

      Because it's, like, the security researcher's BFF OMG ponies!

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
  6. Re:bleh by Daniel+Dvorkin · · Score: 2, Insightful

    If there is one place I've seen worse code than OSS, it would be in academia.

    Bizarrely, this is also where I've seen the most brilliant code.

    If you look closely, you'll find that the "brilliant code" is most often written by academics who have industry programming experience. Similarly, in industry, you will find that the best code is written by experienced programmers with rigorous academic backgrounds. In contrast, the academics who insist that computer science has nothing to do with programming, and the self-taught hackers who proudly proclaim their lack of all that fancy book-larnin', are two sides of the same worthless coin.

    --
    The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
  7. Re:Fuzzing is only useful, if only moderately so by mr_mischief · · Score: 2, Informative

    $ time /usr/local/bin/perl -we'("a" x 100) =~ /(a*)(a*)(a*)(a*)(a*)(?i:b)/'
    37.00user 0.01system 0:37.81elapsed 97%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+438minor)pagefaults 0swaps

    $ time /usr/local/bin/perl -we'("a" x 10) =~ /(a*)(a*)(a*)(a*)(a*)(?i:b)/'
    0.00user 0.00system 0:00.00elapsed 75%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+438minor)pagefaults 0swaps

    For a purposely selected pathological case on a Pentium M 1.6 GHz laptop with little free RAM, I'd say that's not bad for a system that has specifically been chosen to support grouping, alternation, backreferences, conditional changes (case sensitivity, prematch, postmatch, etc.) on only parts of the expression, greediness and nongreediness, lookahead, and lookbehind. Perl "regular expressions" are definitely not actually regular.

    That's Perl 5.12.0, BTW, which is much improved over older series (pre-5.10, anyway) of Perl systems regarding regexes.

    Note that if you're okay with intentionally trying and failing to get a case-sensitive rather than case-insensitive 'b' after your pathological quantifiers on the 'a' characters, then you have no such time problem.

    $ time /usr/local/bin/perl -we'("a" x 100) =~ /(a*)(a*)(a*)(a*)(a*)(?:b)/'
    0.00user 0.00system 0:00.00elapsed 80%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+428minor)pagefaults 0swaps

    $ time /usr/local/bin/perl -we'("a" x 1000000) =~ /(a*)(a*)(a*)(a*)(a*)(?:b)/'
    0.00user 0.00system 0:00.00elapsed 85%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+673minor)pagefaults 0swaps

    $ time /usr/local/bin/perl -we'("a" x 1000000000000) =~ /(a*)(a*)(a*)(a*)(a*)(?:b)/'
    0.00user 0.00system 0:00.00elapsed 80%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+426minor)pagefaults 0swaps

    I'm sure the p5p would welcome a patch that delivers the promised matching semantics without performing so poorly on pathological cases.
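Added illustration of the backtracking blow-up discussed in the comment above (example code written for this page, not code from the thread or from Perl): a toy matcher counts how often a naive engine reaches the trailing literal for five greedy (a*) groups, and a required-literal pre-check shows why an input that lacks the mandatory 'b' can be rejected without entering the engine at all. The token list, function names and the pre-check are my constructions; whether Perl 5.12 uses exactly this mechanism is an assumption the thread's timings are consistent with but do not confirm.

```python
from math import comb

# Constructed toy pattern mirroring the regex in the comment above:
# five greedy (a*) captures followed by one mandatory literal 'b'.
PATTERN = [("star", "a")] * 5 + [("lit", "b")]


def naive_match(pattern, text, pi=0, ti=0, stats=None):
    """Minimal backtracking matcher (my construction, not Perl's engine).

    Anchored at offset 0; an unanchored search would repeat this work from
    every start offset.  Greedy stars take the longest run, then give back
    one character at a time.  stats["literal_attempts"] counts how often
    the trailing literal is reached: every distinct split of the a's among
    the groups is tried once before the overall match fails.
    """
    if stats is None:
        stats = {"literal_attempts": 0}
    if pi == len(pattern):
        return True
    kind, ch = pattern[pi]
    if kind == "lit":
        stats["literal_attempts"] += 1
        return (ti < len(text) and text[ti] == ch
                and naive_match(pattern, text, pi + 1, ti + 1, stats))
    run = 0
    while ti + run < len(text) and text[ti + run] == ch:
        run += 1
    for take in range(run, -1, -1):          # greedy: longest run first
        if naive_match(pattern, text, pi + 1, ti + take, stats):
            return True
    return False


def literal_attempts(pattern, text):
    """Run the naive matcher; return (matched, attempts at the literal)."""
    stats = {"literal_attempts": 0}
    return naive_match(pattern, text, 0, 0, stats), stats["literal_attempts"]


def expected_attempts(n_a, groups=5):
    """Closed form for 'a' * n_a against `groups` stars and a missing 'b':
    the number of non-negative splits with sum <= n_a, C(n_a+groups, groups)."""
    return comb(n_a + groups, groups)


def match_with_precheck(pattern, text):
    """Fail fast when a mandatory literal is absent (generic optimizer
    technique, assumed here; returns (matched, attempts))."""
    required = [ch for kind, ch in pattern if kind == "lit"]
    if any(ch not in text for ch in required):
        return False, 0
    return literal_attempts(pattern, text)
```

For ten a's the naive engine reaches the literal 3003 times and for twenty a's 53130 times, growing as the fifth power of the input length, while the pre-check rejects the same inputs with zero engine work.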