The buzz about fuzzers

Free Newsletters

Log-in | Register

SECURITY ADVISER

The buzz about fuzzers When you've got to have secure code -- and everyone does -- fuzzers can help
By Roger A. Grimes September 09, 2005			E-mail Printer Friendly Reprints Slashdot It!

Writing perfect secure code is hard. Daniel J. Bernstein has probably come the closest to it in practical, publicly released software. With his almost maniacal drive for security perfection, he has written multitudes of software that remain unbroken.

Free IT resource

Open Source Business Conference (OSBC) May 22-23, 2007

Sponsored by Dell

There was a reported bug in one of his mailing programs, but it was so obscure and unlikely to be used in real life that he refused to call it a security bug. You might be able to argue that point, but the fact is, that's only one obscure bug over many years of programming. Not many professional programmers can say that.

Then again, I haven’t seen him manage a large team of programmers writing millions of lines of code. I suspect that making a large team of programmers as passionate and careful about security programming as he is would prove more difficult than writing perfect code.

Many studies say that there are five to 10 bugs (albeit not all security holes) per 1,000 lines of code in the average program. No matter how hard you try to get rid of them, no amount of testing can beat every hacker in the world banging on your program. Just ask David LeBlanc, chief software architect for Webroot Software. He is the co-author of the best-selling book Writing Secure Code and was a leading security architect at Microsoft for six years.

David is a geek’s geek. When he starts talking about buffer overflows and how to prevent them, not many people argue -- he knows his stuff. During his tenure at Microsoft, he was instrumental in getting the company truly focused on more secure coding. The results of his efforts can be seen in Microsoft Office (been bothered by a macro virus lately?), Windows Server 2003, and IIS 6.0. Analysts have lauded all of them for their overall security and reliability, especially when compared to previous versions of the same.

David is passionate about secure coding. He taught Microsoft programmers how to write securely and gave them tools and methodologies to help. The process involved education, self review, peer review, team review, external review, and automated security tools. But try as he might, David couldn’t prevent all coding mistakes and buffer overflows.

This perplexed me a bit, because David’s as bright as they come. Working for Microsoft on a high-visibility product, he had senior management’s attention and support; and he had probably what comes as close to an unlimited budget as any of us will ever see in the private sector.

I asked David how those coding mistakes slipped by. Was it a lack of perfect tools, or was it human error?

As I should have guessed, he says both. Humans are ultimately to blame, but better tools would have helped when reviewing and approving the vast amount of code. There is just no way for a human being to catch every possible mistake that could go wrong with every line, especially when the coders are writing under a competitive deadline on complex software. That's where fuzzers can help.

A fuzzer is a software program or script designed to look for possible errors in a piece of programming code or script. The ultimate fuzzer would look for every input variable and try every possible allowable combination of input, hoping to find buffer overflows and unhandled coding errors. Fuzzers find most of the buffer overflows these days, and white- and black-hat hackers alike use them.

Professional bug hunters, such as eEye and Core Security Technologies (maker of penetration-testing tool Core Impact) find many of their bugs using fuzzers. A professional hacker friend of mine who works for the U.S. government (I’d tell you who he is, but then I’d have to kill you) agrees that fuzzing finds most of the bugs. He says fuzzers work so well that the hard part in writing a fuzzer is trying to give it intelligence, so it knows when it finds an error instead of relying on human intervention and observation.

There are many free fuzzers available on the Internet. For example, iDefense’s Filefuzz program lets you malform many different Windows file formats. SPIKEfile does the same thing for Linux files. The HTML Manglizer fuzzes HTML parsers. It was responsible for finding the Download.ject exploit (thanks to Karl Levinson for this one). Many fuzzers, such as Smudge, are written in scripting languages like Python.

With that said, even fuzzer-reviewed code will still contain mistakes, because fuzzers are written by humans and can implement only the mistakes that a human could possibly think of.

If you are in charge of coding anything, you need to program securely. Get educated in secure coding, follow a secure coding methodology, and consider using an automated program to help find the bugs. A good fuzzer might help. If you don’t use one, there's a good chance a hacker will.

Stay tuned -- I’ll have more details on my conversation with David LeBlanc in my next column.

E-mail

Printer Friendly

Reprints

Slashdot It!


	InfoWorld Test Center Contributing Editor Roger A. Grimes is a Foundstone Ultimate Hacking instructor/consultant teaching Windows, Linux, Unix, and Solaris security. • More of Roger A. Grimes' column Newsletter Check out all of our free newsletters! Enter e-mail address:

TOP NEWS:

» Antitrust review of Google-Yahoo deal no surprise
While serious antitrust problems are unlikely, both Google and Yahoo expected their partnership to be subjected to instense DOJ scrutiny

» Top 10: Coreflood, more Microsoft-Yahoo, iPhone plans
This week's wrapup of the top tech news stories includes more Microsoft-Yahoo rumors, iPhone updates, Flash searches, Oracle's BEA roadmap, and more

» Four 'important' Microsoft patches due Tuesday
Not rated "critical," fixes apply to "Elevation of Privileges" and "spoofing" bugs for Windows, Exchange, and SQL

» Judge grants RIM a stay in Visto patent trial
Trial delayed from beginning next week while patent office studies validity of certain parts of e-mail provider Visto's patents as requested by RIM

» Developers satisfied with Apple's enterprise work
Mac developers feel that Apple shouldn't try to make a broad attempt to win over enterprises and should instead focus on certain areas within the enterprise

» Opera patches multiple bugs in flagship browser
Opera 9.5.1 fixes several flaws, including one ranked 'highly critical'

Solutions to the Toughest IT Challenges in Remote Offices
Though small in size, remote offices face many of the same IT challenges as larger central offices. This Webcast zeroes in on the top line challenges to deliver information that can provide immediate benefits to your business. Sponsor: AMD and Dell

» Click here to view this Webcast

Zombie PCs Are Attacking Your LAN
A recent study showed that malware-infected zombie PCs are now a bigger threat to ISPs and Web infrastructure than DoS attacks. As this brand new IT Strategy Guide explains, an increased use of peer-to-peer techniques by the attackers has made it harder to fight back. Download now, compliments of Verio:

» Click here to download now

- Special Advertising Partners -

WHITE PAPERS

Going mobile with today's technology - Mobile applications are transforming how companies operate. With new ways to work flexibly, employees are becoming more ...
Measuring mobile productivity - Companies must be able to measure productivity gains from mobile working. Productivity is notoriously difficult to measure...
Thinking about IMS - IMS's increased flexibility and the potential it offers for new services will create a fundamental shift in the way that...
Agile Development: 5 Steps to Continuous Integration - As more and more organizations adopt agile development, the need for continuous integration of a build can be a daunting...
Leading Analysts: Pen Testing is a Requirement - In a newly-published case study, Gartner's John Pescatore, one of the most respected analysts covering the IT security market...
Get more from your Electronic Software Delivery investment - Electronic software delivery (ESD) offers software vendors the potential for significant business benefits. By enabling ...

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Find out when the latest white paper is available:

INFOWORLD MARKETPLACE

Deliver REMOTE SUPPORT Easily. Try WebEx FREE! - DOWNLOAD WEBEX SUPPORT CENTER FREE! Deliver efficient, effective support. CRUSH SUPPORT LOG JAMS!
Migrating to an IP-VPN? XO Can Make It Happen - Learn the five critical success factors with a free whitepaper from XO Enterprise Solutions.
Sign up to TRY WEBEX SUPPORT CENTER FOR FREE! - Get your FULL FEATURED trial here. Share documents and applications, address support challenges.
IP Networks Boost Secure Health Communications - AT&T provides secure communication to keep health care moving forward.
Why a CMDB? - IT best practices (ITIL) have shown the benefits of a CMDB. Click for whitepapers.

» BUY A LINK NOW

FIND PRODUCTS AND COMPANIES

» COMPLETE PRODUCT GUIDE

TECHNOLOGY INDEX

• Applications
• Application Development
• Security
• Networking
• Wireless
• Platforms
• Hardware
• Data Management
• Storage
• Web Services
• Business
• Telecom
• Professional Services
• Standards

TECH WATCH

What's the 411 on GOOG-411?
Just as Google has become synonymous with "performing a Web search," 411 is understood to mean "information" -- as in "what's the 411?" I was thus surprised to discover, from a billboard, no less, that the king of search is taking on the ...

Apple HTML source reveals 'iPhone Extreme'
"This one's a stretch..." reports AppleInsider. Um, yeah. Reporting on HTML code sightings of product names could be called a stretch, but iPhone Extreme has a ring to it. Now, that sounds like the product Apple should have released first, rather ...

COLUMNISTS

Unified under law

(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...

» MORE COLUMNISTS

MORE INFOWORLD BLOGS

Open Sources

Product Management
When I joined MySQL four years ago, there was quite a lot of debate about product management. We didn't actually have ...

Zero Day

Botnet herders tending smaller flocks
New research backs up the theory that botnet operators are keeping their networks smaller in a continued effort to keep ...

• Advice Line
• Database Underground
• The Deep End
• Enterprise Mac
• Geeks in Paradise
• Grid Meter
• The Gripe Line
• InfoWorld Daily
• Inside IT
• IT Troubleshooter
• ITXtreme
• Open Sources
• ProdBlog
• Real World SOA
• Reality Check
• Security Adviser
• SMB IT
• The Storage Network
• Tech Watch
• Virtualization Report
• Zero Day

RESOURCE CENTER	advertisement
Ads by techwords beta See your link here

GOVERNMENT IT & POLICY
•	'If you don't go after the network, you're never going to stop these guys. Never.'
•	From the State Department, All the News for Inquiring Minds
•	TechPresident, the Internet Citizenry's New Consensus Taker

Sponsored Technology Links
Symantec - Whitepaper: Secure, recover, and archive critical information Microsoft - {Open Source} Heroes Happen Here Symantec - Whitepaper: Protecting Microsoft(R) Applications Riverbed - Five Ugly Truths about WAFS and Caching InterSystems - Use Ensemble - quickly create composite applications. AT&T - Factors to consider when comparing DSL or Cable Cirba - Advanced Workload Analysis Techniques CA - Manage your IT more effectively. Efficient - Flexible - Compliant HP/Intel - If you don't have enough I/O, your VMs aren't going to go. Rackspace - Go Green Without Sacrificing Server Performance AT&T - Measuring mobile productivity AT&T - Thinking about IMS CA - Plan IT better, Manage IT better. AT&T - Refine your company's plan for a Business Disruption Event AT&T - Going mobile with today's technology Cirba - Consolidating Workloads onto Mainframes AT&T - What to expect from a Technology Assessment. AT&T - Class of Service: Myths and Misconceptions AT&T - Enhancing security through Quantum Cryptography		Riverbed - Wide Area Data Services Microsoft - Microsoft Forefront makes defending your systems easier. Learn how. HP - Explore the interactive whitepaper: Rightsizing Blades for the mid-market. Symantec - Webcast: Beyond AntiVirus AMD - Renowned Engineering Institution Chooses AMD Processor-Based Servers AMD - Watch this flash demo of the Quad-Core AMD Opteron Processor EMC - EMC and VMware help you build your virtualized infrastructure. AMD - HP and Oracle deploy unbreakable computing infrastructure Qwest - Learn how Qwest voice and data solutions can save you time. MKS - The Power of UNIX/Linux on Windows with MKS Toolkit Vision Solutions - Is your smaller organization ready for High Availability? Vision Solutions - Is system maintenance doing more harm than good? HP - NEW HP LaserJet P4014n printer Starting at $699 after $100 IS. HP - HP LaserJet M3035 MFP series Starting at $1,599. SHOP NOW HP - Speed, agility, flexibility - The HP BladeSystem c-Class. Vkernel - Resolve Capacity Bottlenecks and Enhance Your Virtual Environment Nokia - Restore Your Mobile Devices With One Click Oracle - The Power of Two with SOA and BPM

	HOME NEWS BLOGS PODCASTS VIDEOS TECHNOLOGIES TEST CENTER EVENTS CAREERS	About \| Advertise \| Awards \| RSS \| Contact Us
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy, Terms of Service. All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services. CIO :: ComputerWorld :: CSO :: Demo :: GamePro :: Games.net :: IDG Connect :: IDG World Expo Industry Standard :: IT World :: JavaWorld :: LinuxWorld :: MacUser :: Macworld :: Network World :: PC World :: Playlist