Forgot your password?
typodupeerror
Security Programming Linux

CERT Releases Basic Fuzzing Framework 51

Posted by timothy
from the this-field-cannot-be-left-blank dept.
infoLaw passes along this excerpt from Threatpost: "Carnegie Mellon University's Computer Emergency Response Team has released a new fuzzing framework to help identify and eliminate security vulnerabilities from software products. The Basic Fuzzing Framework (BFF) is described as a simplified version of automated dumb fuzzing. It includes a Linux virtual machine that has been optimized for fuzz testing and a set of scripts to implement a software test."
This discussion has been archived. No new comments can be posted.

CERT Releases Basic Fuzzing Framework

Comments Filter:
  • by Anonymous Coward

    Anything that you write that uses a regex you should beat on with some fuzzing logic, since they can tend to increase in computational time non-linearly, and next thing you know you got a DOS on your hands.

    TIP OF THE DAY for you FROM ME

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      This man speaks the truth. Just yesterday I had to deal with a Perl script whose execution time blew up once it had to process files larger than 1 KB in size. It'd work fine for 500-character files, but give it more than 1000 characters and the runtime would take over half an hour! (Yes, we had one user sit there and wait over 30 minutes for it to finish.)

      In the end, it was a poorly-written regular expression that was to blame. It was easy enough to fix, and we've since ditched the Indian team that develope

      • by h4rr4r (612664)

        You paid for cheap code and you got it. What did the pointy hair expect?

  • by gweihir (88907)

    And urgently needed. So far the CMU/CERT software I had a look at was pretty good....

  • bleh (Score:1, Informative)

    by Anonymous Coward

    Sort of like this [sourceforge.net]?

  • axfuzz (Score:5, Interesting)

    by shird (566377) on Thursday May 27, 2010 @09:48PM (#32371160) Homepage Journal

    in their whitepaper they referenced my 'axfuzz' tool I wrote years ago and even used a modified version of it in their testing. Hope they didn't judge me on that code, it was a pile of crap that I kept hacking together until it finally worked, with no thought to proper software design.

  • hmmm... (Score:3, Funny)

    by thatskinnyguy (1129515) on Thursday May 27, 2010 @10:16PM (#32371340)
    The worst case scenario is talking about worse case scenarios thinking about worse case scenarios and letting them possess you.
  • Linky? (Score:3, Informative)

    by Anonymous Coward on Thursday May 27, 2010 @10:55PM (#32371568)
    Oh FFS, you couldn't even link [cert.org] to the damn framework?
  • BFF? (Score:3, Insightful)

    by Fnord666 (889225) on Thursday May 27, 2010 @11:01PM (#32371618) Journal
    BFF? What an unfortunate choice of acronyms.
  • I propose that every website which handles private data (credit, ssn, health, etc) should be integrating these kinds of tools into normal test procedures, both in development and on production mirrored sites.

    Hear hear!

After an instrument has been assembled, extra components will be found on the bench.

Working...