Dailydave mailing list archives

Re: School project start: a fuzzer


From: nnp <version5 () gmail com>
Date: Fri, 8 May 2009 16:01:01 +0100

Are you building a fuzzer or a fuzzing framework? You should check out
Peach to see what functionality it provides. It might be worth your
while to extend the auxiliary functionality of Peach, to 'guided'
fuzzing for example, rather than building a new framework.

If you're doing it as a team and have 9 months, then building a fuzzer
with a feedback loop is definitely do-able. If it were me, I'd
probably build it on top of a dynamic binary analysis framework like
Pin (http://www.pintool.org) or DynamoRIO
(http://code.google.com/p/dynamorio/) both of which are probably fast
enough to be used with a fuzzer as long as you don't have too much
logic in your instrumentation code. DynamoRIO is entirely open source
but Pin has better C++ support and a more active community of users.

You might even consider feeding the information you harvest from the
binary into a fitness function of a genetic algorithm (like Jared
DeMott did with his evolutionary fuzzer) and using that to select the
path/data to fuzz.

A group of us have recently started a wiki aimed at gathering info on
program analysis and verification (http://www.unprotectedhex.com/psv)
that you might find useful. Some of the papers there contain some
inspiration for ways to make a better fuzzer (esp. the paper on DART).

nnp

On Fri, May 8, 2009 at 10:11 AM, Martin Zember <martin.zember () matfyz cz> wrote:
Hi community,

could you please give me some advice about a school project? It is an
obligatory team project.

We plan to create a fuzzer. I hope it makes sense to build another fuzzer,
since different fuzzers find different bugs, right..? ;-)

We have a lot of time (9 months, 5 people, 1 day per week), but not more, so it
is not a good ground for research. The project should be implemented,
documented, finished, presented. The question is, how deep can we go (what to
promise in the specification)? My guess is that detecting success during
fuzzing only when application crashes is too lame. "Feedback fuzzing" is maybe
too complicated. What is realistic?

Even though it would be nice, we did not find a paid project, which is
interesting enough. We are not obliged to do a fuzzer so other suggestions or
warnings are welcome.

Martin
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave




-- 
http://www.unprotectedhex.com
http://www.smashthestack.org
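The feedback loop nnp describes (harvest coverage from the instrumented binary, feed it into a fitness function, let a genetic algorithm pick what to fuzz next) as an added worked example; it is not code from the thread, Peach, or DeMott's fuzzer. A hand-written `trace()` stands in for the Pin/DynamoRIO tool that would report basic blocks hit, the target it models is constructed for the demo, and the fitness shape (new blocks first, depth second) is one choice among many.

```python
import random

BUFFER = 8  # constructed stand-in target: body bytes are copied into an 8-byte buffer

def trace(data: bytes):
    """Stand-in for the instrumented target: returns (blocks hit, crashed).
    A Pin/DynamoRIO tool would report real block addresses; here a toy parser
    wants four 'A'..'Z' header bytes, then copies the body into BUFFER."""
    hits = {0}                                   # block 0: function entry
    for i, b in enumerate(data[:4]):
        if not 0x41 <= b <= 0x5A:
            return hits, False                   # header check failed
        hits.add(1 + i)                          # blocks 1..4: header bytes
    if len(hits) < 5:
        return hits, False                       # header too short
    for k in range(len(data) - 4):
        hits.add(5 + k)                          # block 5+k: k-th copy iteration
        if k >= BUFFER:
            return hits, True                    # simulated out-of-bounds write
    return hits, False

def fitness(hits, global_cov):
    """Strongly reward blocks nobody has reached yet, then reward depth."""
    return 100 * len(hits - global_cov) + len(hits)

def mutate(data, rng):
    buf = bytearray(data)
    if buf and rng.random() < 0.5:
        buf[rng.randrange(len(buf))] = rng.randrange(256)            # overwrite
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))  # insert
    return bytes(buf)

def run(seed_input=b"hello", generations=500, children=32, keep=4, seed=1):
    """Evolve inputs until the target crashes or the generation budget is spent."""
    rng, global_cov, population, crashes = random.Random(seed), set(), [seed_input], []
    for gen in range(1, generations + 1):
        cands = population + [mutate(rng.choice(population), rng) for _ in range(children)]
        traced = [(d,) + trace(d) for d in cands]
        # score against coverage known *before* this generation so ties stay fair
        ranked = sorted(traced, key=lambda t: fitness(t[1], global_cov), reverse=True)
        for d, hits, crashed in traced:
            global_cov |= hits
            if crashed:
                crashes.append(d)
        population = [d for d, _, _ in ranked[:keep]]   # elitist selection
        if crashes:
            break
    return {"coverage": global_cov, "crashes": crashes, "generations": gen}
```

`run()` returns the blocks discovered, the crashing inputs, and how many generations it took; replaying a crash through `trace()` is the cheapest triage step before handing it to a debugger.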