[Dailydave] Does Fuzzing really work?
Matt Hargett
matt at use.net
Thu Sep 28 11:30:10 EST 2006
On Thursday 28 September 06 04:48, Martin Vuagnoux wrote:
> ergosum wrote:
> > On Wednesday 27 September 2006 17:45, Ian Melven wrote:
> >> There's a lot of links to fuzzing papers, tools, and articles here.
> >>
> >> http://www.threatmind.net/secwiki/FuzzingTools
> >
> > Nice resource.
>
> There is another tool and another paper at
> http://autodafe.sourceforge.net (auto-ads :-)) The version 0.2 is
> imminent with automatic detection of format string and heap overflow
> under Linux. We are working on Windows version of the tracer based on
> PaiMei...

A contributor to bugreport told me about autodafe and it sounds like a very
pragmatic approach to the problem. Most academics get so hung up on what they
perceive to be a 100% solution that they never produce anything useful to the
world at large. I'm so glad autodafe is out there and re-using existing file
formats from other open source projects. I always wished that Hailstorm's
core engine (a fuzzing product I was QA Manager on, and then a developer on)
would have been open sourced -- Caezar's architecture was very clean and easy
to unit test (once I got around to it).

I'll bet they don't hold back bugfixes to prevent users from finding exploits,
either ;>

PS: My last post to the list didn't come through. I certainly hope it wasn't
censored or purposefully delayed in some way.