Twitter | Pretraživanje | |
John Regehr
new blog post: Write Fuzzable Code in which I express a lack of sympathy for anti-fuzzing measures
Reply Retweet Označi sa "sviđa mi se" More
John Regehr 19. kol
Odgovor korisniku/ci @johnregehr
this thread contains a lot of good stuff too, some of which I incorporated into the post directly or indirectly...
Reply Retweet Označi sa "sviđa mi se"
Brendan Dolan-Gavitt 20. kol
Odgovor korisniku/ci @johnregehr
Partly disagree on the anti-fuzzing part – it doesn't prevent devs from using any of the techniques you talk about as alternatives or in the rest of the article. It definitely hinders helpful outsiders but it's closed source anyway so it doesn't seem like it makes a big diff?
Reply Retweet Označi sa "sviđa mi se"
Brendan Dolan-Gavitt 20. kol
Odgovor korisniku/ci @johnregehr
If you have to pick between better software dev/safer languages and anti-fuzzing then of course you should prefer the former :)
Reply Retweet Označi sa "sviđa mi se"
Sanjay 20. kol
Odgovor korisniku/ci @johnregehr
Just a fun thought. For developers, writing a fuzzable code -> knowing about issues (specially memory bugs) -> writing more secure code anyway-> fuzzer won't find much in fuzzable code. 🤔
Reply Retweet Označi sa "sviđa mi se"
John Regehr 20. kol
Odgovor korisniku/ci @tosanjayr
if this happens it's a win/win!
Reply Retweet Označi sa "sviđa mi se"
Martin Hořeňovský 19. kol
Odgovor korisniku/ci @johnregehr
I refuse to believe that this > “But I Want Fuzzing My Code to be Harder, Not Easier” is anything but a straw man. Otherwise nice article, even if some of it feels to be in the category of "easy to say, hard to do", like avoiding interpreters.
Reply Retweet Označi sa "sviđa mi se"
John Regehr 19. kol
Odgovor korisniku/ci @horenmar_ctu
look up anti-fuzzing, it is a thing
Reply Retweet Označi sa "sviđa mi se"
Mate Soos 20. kol
Odgovor korisniku/ci @johnregehr
Good stuff! The hardest part to fuzz test is performance in my experience -- but I have gone over a lot of hurdles over the years for all the other stuff you mention. I should spend some time on perf fuzzing, but it's hard to know when one hits a bug or it's a hard SAT problem.
Reply Retweet Označi sa "sviđa mi se"
John Regehr 20. kol
Odgovor korisniku/ci @SoosMate
I basically never try to do random testing for performance, have never figured out how to make this work well
Reply Retweet Označi sa "sviđa mi se"
Giovanni Mascellani 20. kol
Odgovor korisniku/ci @johnregehr
What would you suggest as an introduction to fuzzing for someone who doesn't know nearly anything about it? Asking for a friend...
Reply Retweet Označi sa "sviđa mi se"
Stefano Zacchiroli 20. kol
Odgovor korisniku/ci @giomasce @johnregehr @AndreasZeller
Ciao Gio, I haven't actually read it yet myself, but I'm very positive that Generating Software Tests by is a great primer on . Plus, it's interactive!
Reply Retweet Označi sa "sviđa mi se"