Looking Back at Three Months of afl-fuzz (opens in new tab)

(lcamtuf.blogspot.com)

76 pointshnmcs11y ago9 comments

9 comments

8 comments · 3 top-level

skrebbel11y ago· 3 in thread

> Since then, afl-fuzz helped to squash hundreds of bugs, in part due to a community of folks who found the tool to be fun to use.

I wonder whether a tool as unexpectedly successful as this presents the security community with a weird dilemma: If so many people have begun to use afl-fuzz, find problems, and report them, can't we expect that just as many people find problems and don't report them?

Now, my security expertise goes as far as "don't roll your own", so maybe all the bugs found were, in practice, relatively difficult to exploit. But could afl-fuzz have helped scores of blackhatters to find and abuse the next shellshocks? If so, in hindsight, was it actually a good move to release afl-fuzz so openly and enthusiastically?

vezzy-fnord11y ago

I don't see why you're singling out afl-fuzz when you can say the exact same thing for every automated penetration testing tool.

There's scores of Linux distributions dedicated to bundling as many security-related scripts as possible. If we're going to be talking about "utility to blackhatters", there's plenty of tools that have been around for longer and have been far more influential.

skrebbel11y ago

I'm singling out afl-fuzz because it seems to be so spectacularly successful. In fact, this blog post is all about how spectacularly successful it is. Maybe it isn't actually, compared to all those others tools I don't know about, but then maybe you could've just said that and skipped the sneering? I've been pretty forthcoming about my lack of security expertise, I'm just asking people like you an honest opinion.

1 more reply

saurik11y ago

Most automated penetration testing tools show what known vulnerabilities a target system has, and can help piece them together into a complete exploit: they do not find new bugs.

dantiberian11y ago· 2 in thread

I'd like to see the SQLite SQL statements, are there any links available?

practicalswift11y ago

These are the crashing statements:

  SELECT n()AND+#0;
  SELECT strftime()
  DETACH(SELECT group_concat(q));
  DROP TABLE IF EXISTS t0; CREATE TABLE t0(t);
  INSERT INTO t0 SELECT strftime();
  SELECT quote(t) FROM t0

See https://www.sqlite.org/src/info/fe578863313128 for the patch.

f-11y ago

Also SELECT c.* FROM (a,b) AS c;

616c11y ago

The more I have heard of this guy's work, the more disturbed I am by his skill, breadth, and depth in InfoSec.

Not to mention his insane CNC and robotics work. And that is just a freaking hobby to him.

https://duckduckgo.com/html?q=lcamtuf%20cnc

j / k navigate · click thread line to collapse