DEFCON 15: How I Learned to Stop Fuzzing and Find More Bugs

Speaker: Jacob West, Manager, Security Research Group, Fortify Software

Fuzzing and other runtime testing techniques are great at finding certain kinds of bugs. The trick is, effective fuzzing requires a lot of customization. The fuzzer needs to understand the protocol being spoken, anticipate the kinds of things that could go wrong in the program, and have some way to judge whether or not the program has gone into a tailspin. Get this setup wrong, and you end up fuzzing the wrong thing, exercising and re-exercising trivial paths through the program, or just plain missing bugs (as Microsoft did with the .ANI cursor vulnerability). Fuzzing effectively takes a lot of customization and a lot of time.

Proponents of fuzzing often avoid static analysis, citing irrelevant results and false positives as key pain points. But is there a more effective way to channel the energy required for good fuzzing in order to find more bugs faster? This presentation will propose a series of techniques for customizing static, rather than dynamic, tools that will let you find more and better-quality bugs than you ever thought possible.

We compare static and dynamic approaches to testing and look at:

- The fundamental problems involved in fuzzing
- Why static analysis is harder for humans to think about than fuzzing
- Interfaces for customizing static analysis tools
- The kinds of bugs static analysis is good at finding
- Why static analysis is both faster and more thorough than fuzzing
- Where static analysis tools break down

The talk concludes with the results of an experiment we conducted on open-source code to compare the effectiveness of fuzzing and static analysis at finding a known set of security bugs.

For more information visit: http://bit.ly/defcon15_information
To download the video visit: http://bit.ly/defcon15_videos

Video "DEFCON 15: How I Learned to Stop Fuzzing and Find More Bugs" from the channel Christiaan008
Video information
January 29, 2011, 4:02:38
00:43:55