CERT Releases Basic Fuzzing Framework
infoLaw passes along this excerpt from Threatpost: "Carnegie Mellon University's Computer Emergency Response Team has released a new fuzzing framework to help identify and eliminate security vulnerabilities from software products. The Basic Fuzzing Framework (BFF) is described as a simplified version of automated dumb fuzzing. It includes a Linux virtual machine that has been optimized for fuzz testing and a set of scripts to implement a software test."
Re:Fuzzing is only useful, if only moderately so (Score:1, Interesting)
This man speaks the truth. Just yesterday I had to deal with a Perl script whose execution time blew up once it had to process files larger than 1 KB in size. It'd work fine for 500-character files, but give it more than 1000 characters and the runtime would take over half an hour! (Yes, we had one user sit there and wait over 30 minutes for it to finish.)
In the end, it was a poorly-written regular expression that was to blame. It was easy enough to fix, and we've since ditched the Indian team that developed the script. I think it's excessive, but our manager has now ordered a review of ALL the regexps in all of our scripts.
axfuzz (Score:5, Interesting)
In their whitepaper they referenced my 'axfuzz' tool I wrote years ago and even used a modified version of it in their testing. Hope they didn't judge me on that code, it was a pile of crap that I kept hacking together until it finally worked, with no thought to proper software design.
Re:bleh (Score:1, Interesting)
I wouldn't be so quick to automatically label researchers as professionals. If there is one place I've seen worse code than OSS, it would be in academia.
Bizarrely, this is also where I've seen the most brilliant code.