Dailydave mailing list archives
Re: Some Sums
From: "Steven M. Christey" <coley () mitre org>
Date: Mon, 12 Feb 2007 00:58:46 -0500 (EST)
Tom Ptacek said:
2. A lot of people are "finding" things simply by being the first to aim someone else's fuzzer at them. I'm not sure what this implies, but it implies something.
It's a reflection of the disjointed, disorganized, competitive, non-cooperative nature of the vuln research discipline - at least as far as I can tell as an outsider. The fact that some important vulns are found by multiple researchers is also a reflection of this problem, which is at least a problem from the "secure all software for the public good" perspective - maybe not from other perspectives :)

And/or, maybe fewer people are using fuzzers than assumed - I'd be interested in hearing what the fuzzer people think.

One of the ideas I'll probably never get to implement is to do a chart of major technologies, which vuln types have been found in those technologies, and/or which fuzzers have been aimed at them. That chart would probably have tons of holes in the beginning, but it might at least provide one small mechanism for pointing industrious people in different directions. Take VoIP for example - it's kind of a shame that most VoIP vulns are still in the minimal-complexity, pre-auth, core functionality, obvious "Ax999" and "../../" manipulation stages.

Somebody industrious could totally steal this idea (with my blessing) and put a few days of work into it and make something nice out of it, but eh - easier said than done by somebody else.

- Steve

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave