Respect The Fuzzer

This image from Charlie Miller’s CanSecWest presentation (credit InfoSec Events) shows how a small home-brewed fuzzing tool found multiple exploitable vulnerabilities in Apple’s Preview, Microsoft’s PowerPoint and OpenOffice. At the Pwn2Own contest, all the vulnerabilities used in the winning exploits were found via fuzz testing, a technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails, the crashes can point to software defects and vulnerabilities. It is clear that software vendors, even the big ones that already do internal fuzzing, must do a better job of fuzzing to kill as many bugs as possible before software products hit the market.