Dailydave: Re: [fuzzing] Coverage and a recent paper by L. Suto

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Dailydave mailing list archives

Re: [fuzzing] Coverage and a recent paper by L. Suto

From: Alexander Sotirov <alex () sotirov net>
Date: Thu, 25 Oct 2007 20:23:27 -0700

On Thu, Oct 25, 2007 at 01:02:12PM +0200, Nicolas RUFF wrote:

Using the free Fortify SCA 4 software that comes with "static analysis"
book, a buffer overflow condition is always detected (whatever rnd[] value).

Using Microsoft Visual Studio 2005 (Microsoft provided VHD) with
"/analyze", no buffer overflow is detected (whatever rnd[] value).


Using the following perl script two buffer overflows are detected:
cat vuln.c | perl -ne '/rnd\[i\]/ and print "Buffer overflow!\n"'

This post does have a point. Discuss among yourselves.

Alex

Attachment: _bin
Description:

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

By Date By Thread

Current thread:

Re: Coverage and a recent paper by L. Suto, (continued)