Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Security Programming Linux

CERT Releases Basic Fuzzing Framework 51

Posted by timothy from the this-field-cannot-be-left-blank dept.
infoLaw passes along this excerpt from Threatpost: "Carnegie Mellon University's Computer Emergency Response Team has released a new fuzzing framework to help identify and eliminate security vulnerabilities from software products. The Basic Fuzzing Framework (BFF) is described as a simplified version of automated dumb fuzzing. It includes a Linux virtual machine that has been optimized for fuzz testing and a set of scripts to implement a software test."
This discussion has been archived. No new comments can be posted.

CERT Releases Basic Fuzzing Framework More

CERT Releases Basic Fuzzing Framework

Comments Filter:

  • bleh (Score:1, Informative)

    by Anonymous Coward on Thursday May 27, 2010 @09:20PM (#32370980)

    Sort of like this [sourceforge.net]?

  • Linky? (Score:3, Informative)

    by Anonymous Coward on Thursday May 27, 2010 @10:55PM (#32371568)
    Oh FFS, you couldn't even link [cert.org] to the damn framework?

  • Re:Fuzzing is only useful, if only moderately so (Score:3, Informative)

    by mr_mischief ( 456295 ) on Friday May 28, 2010 @05:03AM (#32373166) Journal

    $ time /usr/local/bin/perl -we'("a" x 100) =~ /(a*)(a*)(a*)(a*)(a*)(?i:b)/'
    37.00user 0.01system 0:37.81elapsed 97%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+438minor)pagefaults 0swaps

    $ time /usr/local/bin/perl -we'("a" x 10) =~ /(a*)(a*)(a*)(a*)(a*)(?i:b)/'
    0.00user 0.00system 0:00.00elapsed 75%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+438minor)pagefaults 0swaps

    For a purposely selected pathological case on a Pentium M 1.6 GHz laptop with little free RAM, I'd say that's not bad for a system that has specifically been chosen to support grouping, alternation, backreferences, conditional changes (case sensitivity, prematch, postmatch, etc) on only parts of the expression, greediness and nongreediness, lookahead, and lookbehind. Perl "regular expressions" are definitely not actually regular.

    That's perl 5.12.0 BTW, which is much improved over older series (pre 5.10 anyway) of perl systems regarding regexes.

    Note that if you're okay with intentionally trying and failing to get a case-sensitive rather than case-insensitive 'b' after your pathological quantifiers on the 'a' characters, then you have no such time problem.

    $ time /usr/local/bin/perl -we'("a" x 100) =~ /(a*)(a*)(a*)(a*)(a*)(?:b)/'
    0.00user 0.00system 0:00.00elapsed 80%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+428minor)pagefaults 0swaps

    $ time /usr/local/bin/perl -we'("a" x 1000000) =~ /(a*)(a*)(a*)(a*)(a*)(?:b)/'
    0.00user 0.00system 0:00.00elapsed 85%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+673minor)pagefaults 0swaps

    $ time /usr/local/bin/perl -we'("a" x 1000000000000) =~ /(a*)(a*)(a*)(a*)(a*)(?:b)/'
    0.00user 0.00system 0:00.00elapsed 80%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+426minor)pagefaults 0swaps

    I'm sure the p5p would welcome a patch that delivers the promised matching semantics without performing so poorly on pathological cases.

Slashdot Top Deals

Get hold of portable property. -- Charles Dickens, "Great Expectations"

Close