[cryptography] [info] The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say)

Seth David Schoen schoen at loyalty.org
Sun Mar 25 21:22:43 EDT 2012


ianG writes:

> On 26/03/12 07:43 AM, Jon Callas wrote:
> 
> >This is precisely the point I've made: the budget way to break crypto is to buy a zero-day. And if you're going to build a huge computer center, you'd be better off building fuzzers than key crackers.
> 
> point of understanding - what do you mean by fuzzers?

Automatically trying to make software incur faults with large amounts of
randomized (potentially invalid) input.

https://en.wikipedia.org/wiki/Fuzz_testing

If you get an observable fault you can repeat the process under a
debugger and try to understand why it occurred and whether it is an
exploitable bug.  Here's a pretty detailed overview:

https://www.blackhat.com/presentations/bh-usa-07/Amini_and_Portnoy/Whitepaper/bh-usa-07-amini_and_portnoy-WP.pdf

When it was first invented, fuzzing basically just consisted of feeding
random bytes to software, but now it can include sophisticated
understanding of the kinds of data that a program expects to see, with
some model of the internal state of the program.  I believe there are
also fuzzers that examine code coverage, so they can give feedback to the
tester about whether there are parts of the program that the fuzzer isn't
exercising.

-- 
Seth David Schoen <schoen at loyalty.org>      |  No haiku patents
     http://www.loyalty.org/~schoen/        |  means I've no incentive to
  FD9A6AA28193A9F03D4BF4ADC11B36DC9C7DD150  |        -- Don Marti



More information about the cryptography mailing list