@johnregehr
new blog post: Write Fuzzable Code
blog.regehr.org/archives/1687
in which I express a lack of sympathy for anti-fuzzing measures

John Regehr
@johnregehr
19 Aug
this thread contains a lot of good stuff too, some of which I incorporated into the post directly or indirectly...
twitter.com/johnregehr/sta…

Brendan Dolan-Gavitt
@moyix
20 Aug
Partly disagree on the anti-fuzzing part – it doesn't prevent devs from using any of the techniques you talk about as alternatives or in the rest of the article. It definitely hinders helpful outsiders but it's closed source anyway so it doesn't seem like it makes a big diff?

Brendan Dolan-Gavitt
@moyix
20 Aug
If you have to pick between better software dev/safer languages and anti-fuzzing then of course you should prefer the former :)

Sanjay
@tosanjayr
20 Aug
Just a fun thought. For developers, writing fuzzable code -> knowing about issues (especially memory bugs) -> writing more secure code anyway -> fuzzer won't find much in fuzzable code. 🤔

John Regehr
@johnregehr
20 Aug
if this happens it's a win/win!

Martin Hořeňovský
@horenmar_ctu
19 Aug
I refuse to believe that this
> “But I Want Fuzzing My Code to be Harder, Not Easier”
is anything but a straw man. Otherwise nice article, even if some of it feels to be in the category of "easy to say, hard to do", like avoiding interpreters.

John Regehr
@johnregehr
19 Aug
look up anti-fuzzing, it is a thing

Mate Soos
@SoosMate
20 Aug
Good stuff! The hardest part to fuzz test is performance in my experience -- but I have gone over a lot of hurdles over the years for all the other stuff you mention.
I should spend some time on perf fuzzing, but it's hard to know when one hits a bug or it's a hard SAT problem.

John Regehr
@johnregehr
20 Aug
I basically never try to do random testing for performance, have never figured out how to make this work well

Giovanni Mascellani
@giomasce
20 Aug
What would you suggest as an introduction to fuzzing for someone who doesn't know nearly anything about it? Asking for a friend...

Stefano Zacchiroli
@zacchiro
20 Aug
Ciao Gio, I haven't actually read it yet myself, but I'm very positive that Generating Software Tests by @AndreasZeller is a great primer on #fuzzing.
Plus, it's interactive! fuzzingbook.org