Home page logo
/

dailydave logo Dailydave mailing list archives

Re: Cloud fuzzing.
From: Billy Lee <romemeteor () gmail com>
Date: Thu, 14 May 2009 09:13:23 +0800

hi, all

It's a good morning and welcome all of buddies on this Syscan
09 () Shanghai, Things usually work out fine, but it is rather difficult
for me because it's not my normal routine. As opposed to just
discussing the vulnerabilities, like tracing the rootkit behaviors
with BCE etc. and hacking VMware, I have to worry about one question:
Should 0Day Vulnerabilities be TRADED.


What's the ultimate answer for us, as the security enablers, to deal
with the 0Day attacks for our potential customers?

If yes, we must pay a big bunch of money to get the details in an
"legal" way; if not, we've to get a risky dark world to fight with a
poor gun....? Is that true, it is really difficult to make choices. :(

Maybe...or perhaps we could incorporate and facilitate coordination of
all the security resources to reduce the attack surface, but it is
still an endless war.

Wish to enjoy the Shanghai trips, security guys. If you need any help
in Shanghai, please contact me:
Billy.Lee
romemeteor () gmail com
Skype: meteorshow

Antiy Labs
http://www.antiy.net
http://www.antiy.com


On Wed, May 13, 2009 at 11:10 PM, Dave Aitel <dave () kof immunityinc com> wrote:
He's doing pretty deep format aware fuzzing, from what I can tell. But you
still will get false positives (as measured by "obviously exploitable bugs"
versus "obviously not exploitable bugs")

-dave


On Wed, May 13, 2009 at 3:42 AM, Matt Oh <oh.jeongwook () gmail com> wrote:

Nagy works at COSEINC? He was my former colleage :)

Anyway, I'm just curious he was doing format-aware fuzzing or just brute
forcing all the bytes and dwords of the file. In the previous case, the FP
rate will drop drastically compared to second one.
On Tue, May 12, 2009 at 11:12 PM, Dave Aitel <dave () kof immunityinc com>
wrote:

Today at SyScan Ben Nagy of COSEINC gave a talk on a fuzzing cluster
he's built that does 1.2 million fuzz cases a day against Word 2007.
As he mentioned, as software gets better, the problem shifts from fuzz
case generation to crash analysis. If you're generating 200K crashes a
day, you need to figure out which ones are "interesting".

In the long run, the only answer is a program that writes real
exploits. Only then can you say for sure something is "interesting".
He's using !exploitable for WinDBG to get an approximation of the
problem. It's a talk full of real metrics.

72 VM's doing Word
20 test cases run a second
10% cause crashes or so.
Most of those are unexploitable (he had numbers, but I forget them),
according to !exploitable.

A small percentage say they are possibly exploitable, and out of
those, largely false positives.

The problem of fuzzing is exponential, but if you architect your
fuzzer right, you can scale linearly with your budget. Perhaps your
budget also grows exponentially? :>

The problems for the future are interesting. Classification of
potential exploitability  is a problem that involves diffing program
runs, examining programs deeply for structure and behavior, and all
this has to scale up with your 200K cases a day.

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave




--
-matt


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]