Mozilla and Blackberry have announced a new collaboration project; the two companies will begin working in tandem to more fully flesh out Peach – a free software fuzzing application first developed nearly a decade ago – for testing the security of web browsers.
In a post on its company blog by Michael Coates, Mozilla’s Director of Security Assurance, claims Mozilla has already been using Peach to fuzz a multitude of HTML5 features. Researchers have poked and prodded “image formats, audio/video formats, fonts, multimedia APIs like WebGL and WebAudio,” in both its flagship Firefox browser and its forthcoming Firefox OS, according to Coates.
Like Mozilla, Blackberry has incorporated fuzzing into its security infrastructure as well. While it doesn’t name Peach in particular, the company claims to regularly use “third-party fuzzers, in addition to its own proprietary fuzzing tools, static analysis and vulnerability research,” to test products, according to the blog.
Both groups report they’ll develop and implement advanced threat detection tools by using Peach and that they plan to share results from their fuzzes with the security community going forward.
“Security is an industry-wide challenge that cannot be solved in a vacuum, and that is why BlackBerry and Mozilla security researchers are working together to develop new and innovative tools for detecting browser threats,” Adrian Stone, Blackberry’s Director of Security Response and Threat Analysis said Tuesday.
First developed in 2004 by Michael Eddington at Seattle-based Déjà vu Security, Peach was initially used as a framework for creating fuzzes in Python. The fuzzer – now the most popular of its kind – has gone through several iterations since then, using XML and Microsoft’s .NET framework. Peach’s latest version, Peach 3, was released in January and can be run on Windows, Linux and OS X.
Security researchers use fuzzers in software testing for fault injection, the injection of unexpected or malformed data into an application’s code path. Fuzzers help security researchers identify flaws, or faults in the code if the application can’t handle the data and the fuzzing results in a series of errors.
Mozilla also used the blog entry as an opportunity to discuss Minion, a new security testing platform it expects will take “a different approach to automated web security testing.” The free and open source platform apparently keeps the amount of information it generates to a minimum, making it easier for developers to analyze their research.