How I Learned to Stop Fuzzing and Find More Bugs

Presented at DEF CON 15 (2007), Aug. 3, 2007, 1 p.m. (50 minutes)

Fuzzing and other runtime testing techniques are great at finding certain kinds of bugs. The trick is that effective fuzzing requires a lot of customization. The fuzzer needs to understand the protocol being spoken, anticipate the kinds of things that could go wrong in the program, and have some way to judge whether or not the program has gone into a tailspin. Get this setup wrong, and you end up fuzzing the wrong thing, exercising and re-exercising trivial paths through the program, or just plain missing bugs (as Microsoft did with the .ANI cursor vulnerability). Fuzzing effectively takes a lot of customization and a lot of time. Proponents of fuzzing often avoid static analysis, citing irrelevant results and false positives as key pain points. But is there a more effective way to channel the energy required for good fuzzing in order to find more bugs faster? This presentation proposes a series of techniques for customizing static, rather than dynamic, tools that will let you find more and better-quality bugs than you ever thought possible.

We compare static and dynamic approaches to testing and look at:

  • The fundamental problems involved in fuzzing
  • Why static analysis is harder for humans to think about than fuzzing
  • Interfaces for customizing static analysis tools
  • The kinds of bugs static analysis is good at finding
  • Why static analysis is both faster and more thorough than fuzzing
  • Where static analysis tools break down

The talk concludes with the results of an experiment we conducted on open-source code to compare the effectiveness of fuzzing and static analysis at finding a known set of security bugs.
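As an added illustration of the coverage problem the abstract describes (this is not code from the talk or from Fortify): a constructed toy parser hides a length-field defect behind a 4-byte magic tag. A blind byte fuzzer only ever re-exercises the two trivial paths, a protocol-aware variant that preserves the tag reaches the crash, and a small AST-based static check flags the unchecked length directly from the source. The format, `MAGIC` tag and function names are all constructed for this example.

```python
import ast
import inspect
import random
import struct
from collections import Counter

MAGIC = b"TOY1"  # constructed tag for a toy length-prefixed format

def parse(buf: bytes) -> str:
    """Returns the path label taken; raises where a C parser would over-read."""
    if len(buf) < 8:
        return "short"
    if buf[:4] != MAGIC:
        return "bad-magic"
    length = struct.unpack("<I", buf[4:8])[0]
    payload = buf[8:]
    chunk = payload[:length]  # defect: untrusted length used before any bounds check
    if len(chunk) != length:  # models the out-of-bounds read that would follow
        raise ValueError("over-read")
    return "ok"

def fuzz(iters: int, keep_magic: bool, seed: int = 1) -> Counter:
    """Random-bytes fuzzer; keep_magic=True is the 'protocol-aware' variant."""
    rng, hits = random.Random(seed), Counter()
    for _ in range(iters):
        body = rng.randbytes(rng.randint(0, 24))
        buf = MAGIC + body if keep_magic else body
        try:
            hits[parse(buf)] += 1
        except ValueError as e:
            hits[str(e)] += 1  # a crash the fuzzer can observe
    return hits

def static_check(func) -> list:
    """Flags a struct.unpack result used in a slice before it is compared."""
    fn = ast.parse(inspect.getsource(func)).body[0]
    tainted, checked, findings = set(), set(), []
    for stmt in fn.body:  # statement order matters: use-before-check is the bug
        for node in ast.walk(stmt):
            if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Subscript)
                    and isinstance(node.value.value, ast.Call)
                    and ast.unparse(node.value.value.func) == "struct.unpack"):
                tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
            elif isinstance(node, ast.Compare):
                checked.update(n.id for n in ast.walk(node) if isinstance(n, ast.Name))
            elif isinstance(node, ast.Subscript):
                for n in ast.walk(node.slice):
                    if isinstance(n, ast.Name) and n.id in tainted and n.id not in checked:
                        findings.append(f"line {node.lineno}: '{n.id}' sliced before bounds check")
    return findings
```

Running `fuzz(2000, keep_magic=False)` yields only `short` and `bad-magic`, while `fuzz(2000, keep_magic=True)` is dominated by `over-read`; `static_check(parse)` reports the defective slice without executing a single input.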

Presenters:

  • Jacob West - Manager, Security Research Group, Fortify Software
    Jacob West manages the Security Research Group at Fortify Software, which is responsible for the discovery and categorization of the security issues identified by the company's various software security products. In addition to his research responsibilities, Mr. West spends time in the field working with Fortify's customers. Prior to joining Fortify, Mr. West worked with Dr. David Wagner at UC Berkeley where he contributed to the development of MOPS, a static analysis tool used to discover security vulnerabilities in C programs.
