Targeted Fuzzing Is Improving Linux Security, Linus Torvalds Says (iu.edu)

← Back to Stories (view on slashdot.org)

Targeted Fuzzing Is Improving Linux Security, Linus Torvalds Says (iu.edu)

Posted by msmash on Thursday October 19, 2017 @05:01AM from the growing-trend dept.

On the sidelines of announcing the fifth release candidate for the Linux kernel version 4.14, Linus Torvalds said fuzzing, which involves stress testing a system by generating random code to induce errors, is helping the community find and fix a range of security vulnerabilities. He wrote: The other thing perhaps worth mentioning is how much random fuzzing people are doing, and it's finding things. We've always done fuzzing (who remembers the old "crashme" program that just generated random code and jumped to it? We used to do that quite actively very early on), but people have been doing some nice targeted fuzzing of driver subsystems etc, and there's been various fixes (not just this last week either) coming out of those efforts. Very nice to see.

62 comments

Min score:

Reason:

Sort:

AI by therealspacebug · 2017-10-19 05:06 · Score: 1

This sound like an area where AI could be really helpful.
1. Re:AI by michelcolman · 2017-10-19 05:37 · Score: 2
  
  Well, this AI is doing a very bad job of impersonating Linus Torvalds. "Very nice to see"? Not a single swear word? No biting sarcasm? There's no way that's the real Linus.
2. Re: AI by Anonymous Coward · 2017-10-19 06:46 · Score: 0
  
  Exactly what I was thinking. If purely random can do this well (yes I know terrible grammar), machine learning could most definitely perform far better.
3. Re:AI by gweihir · 2017-10-19 09:27 · Score: 1
  
  No. It would be completely worthless. Unless you are talking strong AI, but that does not exist.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
4. Re: AI by gladish · 2017-10-19 10:11 · Score: 1
  
  It would be worse than worthless. Any AI worth its salt would develop the same biases that human engineers develop and eventually decide that writing unit tests sucks. Only to eventalually hold down the delete key, albeit by submitting keypress events into the usb bus, until all the code was deleted. Finally then exiting with printf ("i quit")
5. Re:AI by Big+Hairy+Ian · 2017-10-20 01:47 · Score: 1
  
  Sounds like a rubbish test approach. Actually having a test analyst analyse your requirements to determine what the system should and shouldn't do will find more defects and improve your confidence in the overall product. This is just trying random shit with no concept of coverage.
  
  --
  Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
Apple is improving linux security by Anonymous Coward · 2017-10-19 05:08 · Score: -1

Since darwin is based on linux kernnel, the number of linux patches has been on the rise with strong backing from corporate apple
1. Re:Apple is improving linux security by Anonymous Coward · 2017-10-19 05:21 · Score: 0
  
  Uhhhh.... what... the fuck.
  Darwin is not in any way based on the linux kernel.
2. Re:Apple is improving linux security by Anonymous Coward · 2017-10-19 05:21 · Score: 0
  
  Very funny, troll. Everyone knows Darwin is derived from BSD, NeXTSTEP, and Mach.
3. Re:Apple is improving linux security by Gravis+Zero · 2017-10-19 05:23 · Score: 1
  
  XNU/Darwin is based on FreeBSD and Mach.
  
  --
  Anons need not reply. Questions end with a question mark.
4. Re:Apple is improving linux security by Anonymous Coward · 2017-10-19 05:25 · Score: 0
  
  LOL nice troll. The best way to get a response on the internet is to make an incorrect statement. Up to four suckers already.
5. Re:Apple is improving linux security by the_B0fh · 2017-10-19 05:35 · Score: 1
  
  What in the world are you smoking? Darwin is based on the FreeBSD kernel, a completely different animal.
6. Re:Apple is improving linux security by Anonymous Coward · 2017-10-19 06:17 · Score: -1
  
  What in the world are you smoking? Darwin is based on the FreeBSD kernel, a completely different animal.
  ...and the FreeBSD kernel is based on the Linux 2.4 series kernel.
  Geeze, do I have to correct everybody?
  CAP === 'dollars'
7. Re:Apple is improving linux security by EmeraldBot · 2017-10-19 08:53 · Score: 2
  
  Darwin is not based on the FreeBSD Kernel, Darwin is based on the Mach kernel. Darwin uses a FreeBSD Userland though.
  
  --
  "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
8. Re:Apple is improving linux security by F.Ultra · 2017-10-19 09:37 · Score: 1
  
  Actually the kernel in Darwin (XNU) contains things from both Mach and 4.3BSD.
Thanks for the explanation... by Anonymous Coward · 2017-10-19 05:17 · Score: 1

..I thought "Targeted Fuzzing" was about growing pubic hair in designated patches.
1. Re:Thanks for the explanation... by Anonymous Coward · 2017-10-19 09:47 · Score: 0
  
  ..I thought "Targeted Fuzzing" was about growing pubic hair in designated patches.
  It is. That is exactly what Linus was talking about! Did you even read TFA?
Fuzzing Furry parties by future+assassin · 2017-10-19 05:19 · Score: 2

drop some shrooms and mdma and PLUR your way to random code those security holes out while listening to 4 on the floor Techno.

--
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
1. Re:Fuzzing Furry parties by Anonymous Coward · 2017-10-19 05:29 · Score: 0
  
  drop some shrooms and mdma and PLUR your way to random code those security holes out while listening to 4 on the floor Techno.
  Could not agree more
2. Re:Fuzzing Furry parties by barbariccow · 2017-10-19 08:59 · Score: 1
  
  drop some shrooms and mdma and PLUR your way to random code those security holes out while listening to 4 on the floor Techno.
  Daaaaaaz how its done, son!
Compilers by Anonymous Coward · 2017-10-19 05:19 · Score: 0

Structured fuzzing is also very effective at finding compiler bugs.
1. Re:Compilers by TechyImmigrant · 2017-10-19 05:33 · Score: 1
  
  Structured fuzzing is also very effective at finding compiler bugs.
  Functional fuzzing is very effective at finding bugs in logical inference.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Well, isn't that cute... by Anonymous Coward · 2017-10-19 05:20 · Score: 0

BUT IT'S WRONG!
1. Re:Well, isn't that cute... by Anubis+IV · 2017-10-19 05:45 · Score: 1
  
  Indeed. Everyone knows the Mac's OS switched from a proprietary one to FreeBSD back in 2007 when they also switched from the Motorola 6800 to Intel. Or, at least, that's what NetworkWorld reported last week and has yet to redact or correct...
  You don't suppose the Anonymous Coward that started this thread is the author of that article, do you?
Crashme by ArhcAngel · 2017-10-19 05:24 · Score: 4, Funny

I use the crashme program to generate random code. Then I run it through Google translate and self publish on Amazon. Not a bad way to make a living.

--
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
1. Re:Crashme by sinij · 2017-10-19 05:55 · Score: 4, Funny
  
  I use crashme to generate random code, sprinkle it with various progressive words and submit it to gender studies journals. Apparently I am now a world-leading expert on sociolinguistic micro aggressions.
2. Re: Crashme by Anonymous Coward · 2017-10-19 06:15 · Score: 0
  
  Creimer, is that you?
3. Re:Crashme by EmeraldBot · 2017-10-19 08:58 · Score: 1
  
  I used an RSS Reader to grab all of the headlines in the news, then used crashme to generate random code and then automatically publish on Twitter. Apparently made it to president of USA...
  
  --
  "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
4. Re:Crashme by Anonymous Coward · 2017-10-19 09:02 · Score: 0
  
  Out of date approach. h1bme is the new ultimate fuzzer, it collates code samples from StackOverExchange, then profiles your code for most-used paths and perm-locks those files in the repo.
5. Re:Crashme by Anonymous Coward · 2017-10-19 09:21 · Score: 0
  
  It's funny how absolute fucking dimwits like yourself will cry about so-called "virtue signalling" while parading around making posts like this while jerking each other off with mod points. What else could you even call this but "virtue signalling"?
  Good lord. The spectre of Down Syndrome haunts the tech world.
6. Re:Crashme by Anonymous Coward · 2017-10-19 09:54 · Score: 0
  
  I take it since comments like these seem to be getting through, Slashdot has fiinally stopped being brigaded/shilled post election?
7. Re:Crashme by sinij · 2017-10-20 05:37 · Score: 1
  
  It's funny how absolute fucking dimwits like yourself will cry about so-called "virtue signalling" while parading around making posts like this while jerking each other off with mod points. What else could you even call this but "virtue signalling"?
  Good lord. The spectre of Down Syndrome haunts the tech world.
  You don't have to be a world-leading expert on sociolinguistic micro aggressions to see that you were triggered by what I posted. I apologize for inflicting this trauma on you. I also apologize for my insensitivity of your SJW culture. I did not intend to make fun of your mating rituals, however strange they might appear to the outsider.
Linus Torvalds is SOB... by Anonymous Coward · 2017-10-19 05:39 · Score: -1

If you really want to understand Linus Torvalds and Linux, read "Just for Fun: The Story of an Accidental Revolutionary".
1. Re: Linus Torvalds is SOB... by Anonymous Coward · 2017-10-19 06:16 · Score: 2, Informative
  
  Never mind, I found Creimer, still posting affiliate links. Mod down please.
Question on fuzzing by sinij · 2017-10-19 05:50 · Score: 1

I see a lot of asks to fuzz test ICMP and TCP in hopes of finding application-layer issues in various high-level protocols. I see this as a giant waste of time. Am I wrong?
1. Re: Question on fuzzing by Anonymous Coward · 2017-10-19 06:37 · Score: 1
  
  Definitely Not. Fuzzing can expose incomplete Error Handling or a Lack of validation. All of which are potentially exploitable for Cyber attack.
2. Re:Question on fuzzing by barbariccow · 2017-10-19 09:03 · Score: 1
  
  Am I wrong to hang fuzzy dice from my ICBM?
3. Re: Question on fuzzing by sinij · 2017-10-19 10:18 · Score: 1
  
  I get the idea behind it, but shouldn't it be targeting application layer instead of lower layers?
4. Re: Question on fuzzing by Sique · 2017-10-19 11:20 · Score: 1
  
  Depends on what you are testing. Fuzzing should target the layer you are interested in. If you want to test the application layer, then you have to make sure that at least the IP part of your fuzzed packets is correct, so your packets actually reach the application.
  If on the other hand you are testing the ethernet driver, you could try to send random bits instead of ethernet frames to the interface.
  
  --
  .sig: Sique *sigh*
5. Re: Question on fuzzing by Anonymous Coward · 2017-10-19 11:55 · Score: 0
  
  I get the idea behind it, but shouldn't it be targeting application layer instead of lower layers?
  The bugs at low levels are beneath the security checks. There is no point in exploiting a bug in code that doesn't have permission to do much.
6. Re:Question on fuzzing by Anonymous Coward · 2017-10-20 02:38 · Score: 0
  
  Only if it affects the aerodynamics.
Improving? by Anonymous Coward · 2017-10-19 05:54 · Score: 1

Only 381 Linux Kernel CVE's so far this year. To date, that is 164 more than last year, and by far the greatest number found. 166 code executions found this year, which is more than 8 times all other years COMBINED.
Granted, most of that is on the Android side of things. But at this point, there is more than 1 vulnerability in the linux Kernel found every day, and a code execution found every other day.
Source:
http://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33
1. Re:Improving? by coolmoe2 · 2017-10-19 06:18 · Score: 3, Interesting
  
  So just imagine how many undiscovered bugs there are in other OS'es that don't get this level of scrutiny. Im sure the 3 letter agencies could if they wanted. Cheers
2. Re: Improving? by Anonymous Coward · 2017-10-19 06:38 · Score: 0
  
  Thats how NSA wants it to be.
3. Re: Improving? by Anonymous Coward · 2017-10-19 09:29 · Score: 0
  
  In Windows and OSX, we donâ(TM)t even know how many vulnerabilities there are because the code is closed. Linux is far and away the most secure OS kernel. Also, most of the bugs found are local privilege escalations that are hard to exploit. Far more dangerous to the average user are remote exploits.
4. Re:Improving? by gweihir · 2017-10-19 09:29 · Score: 1
  
  Counting-metrics are unsuitable to accurately describe a state-of-affairs. Too simplistic.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
5. Re:Improving? by F.Ultra · 2017-10-19 09:39 · Score: 1
  
  You just ignored the part from TFA where the improving part was that there where so many CVE's found and fixed due to the fuzzing?
fuzzing works. by OFnow · 2017-10-19 06:00 · Score: 5, Interesting

As maintainer of a small open source library and program I have benefitted immensely from the efforts of a small number of volunteers running fuzzing programs and using Address Sanitizer to locate bugs in the code I maintain. These volunteers have found bugs and reported them and provided testcases useful for regression testing. I am profoundly grateful to these folks.
1. Re:fuzzing works. by godrik · 2017-10-19 06:07 · Score: 1
  
  Any chance you have some pointers on how to do fuzzing correctly? Could be fun to use some of that in testing students code to point out mistakes early on.
2. Re: fuzzing works. by Anonymous Coward · 2017-10-19 06:43 · Score: 1
  
  Just use Common Sense. Flip Bits in integer fields, Insert random crap into String fields, Feed too Long Strings, Feed excessively large Data sets, etc etc.
  Run your Code in valgrind while doing so.
3. Re:fuzzing works. by phantomfive · 2017-10-19 07:14 · Score: 4, Informative
  
  The answer is lots and lots of random input. If you just start injecting random data into a field, you'll find a lot.
  
  The difficult part is that you want the random data to get past the initial sanity checks. To do that, you need to have relatively deep knowledge of the thing you are fuzzing. That is why automated fuzzing tools tend to be a bit frustrating.
  
  --
  "First they came for the slanderers and i said nothing."
4. Re:fuzzing works. by blueg3 · 2017-10-19 07:25 · Score: 2
  
  Use afl.
5. Re:fuzzing works. by Ace17 · 2017-10-19 08:59 · Score: 1
  
  This is surprisingly easy to find crashes using dumb fuzzing (you can look at "radamsa"). To get more accurate results, you can use American Fuzzy Lop, which guides the fuzzing using live coverage information.
6. Re:fuzzing works. by phantomfive · 2017-10-19 10:41 · Score: 2
  
  Incidentally, there has been some good work on improving the quality of fuzzing. In the future we may have fuzzing tools that use genetic algorithms to modify the input and get as deep into the program as they can. I don't know of any tools that have incorporated this yet, but it's an area worth paying attention to.
  
  --
  "First they came for the slanderers and i said nothing."
7. Re:fuzzing works. by complete+loony · 2017-10-19 14:35 · Score: 1
  
  For C code, you can use clang's built in fuzzer. With clang's other sanitizers checking that you aren't triggering any other undesirable behaviour.
  
  --
  09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Ah, yes. Fuzzing. by Anonymous Coward · 2017-10-19 06:41 · Score: 0

The hail-mary of testing when you just can't find that last &#@$! bug.
"not my letter" by Anonymous Coward · 2017-10-19 07:01 · Score: -1

i dunno, but having two different "alphabets" in same unicode space:
1) A "A" or ">" etc. that has a (fictional) unicode code of say 456 and 223.
2) A "A" or ">" etc. that has a (fictional) unicode code of 2076 and 4432. All >1024.
For Input's to compileD programs only Unicode code larger-then 1024 are filtered and allowed.
For running programs or for programming only Unicode code smaller then 1024 is allowed ...?
Thus all Input's larger-then 1024 by a "program user" cannot alter the code.
However the program path can still be shitty :]
1. Re:"not my letter" by barbariccow · 2017-10-19 09:05 · Score: 1
  
  Is this some sort of commentary on microsoft's propriatary quote character? I'm confused.
Reminds me of bugs found by accident by shoor · 2017-10-19 09:58 · Score: 1

Back in the 70s when there were various mini computer manufacturers each with their own architecture. I worked for one of those, and we tested our code. I don't think anybody did deliberate 'fuzzing' (though I do believe a concept kinda like that was talked about.) But some pretty hairy bugs were found by accident. People making typos when trying to enter legitimate commands, that kind of thing.

--
In theory, theory and practice are the same; in practice they're different. (Yogi Berra & A. Einstein)
1. Re:Reminds me of bugs found by accident by Anonymous Coward · 2017-10-19 19:38 · Score: 0
  
  Isn't that how most bugs are found?
2. Re:Reminds me of bugs found by accident by shoor · 2017-10-20 03:45 · Score: 1
  
  Well, some bugs are found not by typos but by doing exactly what the manual says. Something that should've been tested and wasn't.
  How they're found may also depend on how you define 'bug'. To me, most bugs are found by testing, but if you consider testing to be part of the design process, and a bug is found only after the design process is completed, then, by definition, bugs are not found by deliberate testing.
  
  --
  In theory, theory and practice are the same; in practice they're different. (Yogi Berra & A. Einstein)
Finally by thadtheman · 2017-10-19 12:28 · Score: 1

A good use for systemd