Several status updates
I think it's time for some status updates from the Fuzzing Project.
In a few days I'll be at the 31C3 congress in Hamburg. I'll have a short lightning talk about the Fuzzing Project there. I'll also be at Real World Crypto a few days later in London. Of course I'm always happy to discussing fuzzing efforts or other IT security related issues.
The webpage now has a three part tutorial covering zzuf, Address Sanitizer and american fuzzy lop. I hope it helps to teach more people how to find bugs and security issues.
Recently I could move two applications from the "work in progress" category to the "ok" category: elfutils and unrtf. For both of them it was easy to fuzz issues a few weeks ago, but their developers did a good job in fixing all issues I reported. They recently released new versions with all the fixes applied.
I'm regularly trying to find and report more fuzzing-related issues, lately for example in file/libmagic, flac, nasm and ndisasm. mkvtoolnix (libebml and libmatroska), poppler, libwpd.
I'm glad to see that the topic seems to gain more attention. I start to see fuzzing-related fixes mentioned in changelogs of various software projects.
While in many cases reported issues get fixed quickly and we get better software there are a few projects I find worriesome. This includes unzip which is a widely used zip unpacking code. Just by looking at their forum you'll find various memory corruption issues, some of them reported years ago, that have not seen a fix in a release. Recently oCERT released an advisory with three security vulnerabilities found by Google, still no fixed version. I'm also still waiting for any reply from the less developers to my recent report about an out of bounds memory access issue. They released a new version in the meantime, it doesn't contain a fix.
PDF rendering is generally known to be a security sensitive area. Given that it makes me feel uneasy that there is a large number of memory access bugs reported in their bug tracker and no sign of any effort to fix them.
In a few days I'll be at the 31C3 congress in Hamburg. I'll have a short lightning talk about the Fuzzing Project there. I'll also be at Real World Crypto a few days later in London. Of course I'm always happy to discussing fuzzing efforts or other IT security related issues.
The webpage now has a three part tutorial covering zzuf, Address Sanitizer and american fuzzy lop. I hope it helps to teach more people how to find bugs and security issues.
Recently I could move two applications from the "work in progress" category to the "ok" category: elfutils and unrtf. For both of them it was easy to fuzz issues a few weeks ago, but their developers did a good job in fixing all issues I reported. They recently released new versions with all the fixes applied.
I'm regularly trying to find and report more fuzzing-related issues, lately for example in file/libmagic, flac, nasm and ndisasm. mkvtoolnix (libebml and libmatroska), poppler, libwpd.
I'm glad to see that the topic seems to gain more attention. I start to see fuzzing-related fixes mentioned in changelogs of various software projects.
While in many cases reported issues get fixed quickly and we get better software there are a few projects I find worriesome. This includes unzip which is a widely used zip unpacking code. Just by looking at their forum you'll find various memory corruption issues, some of them reported years ago, that have not seen a fix in a release. Recently oCERT released an advisory with three security vulnerabilities found by Google, still no fixed version. I'm also still waiting for any reply from the less developers to my recent report about an out of bounds memory access issue. They released a new version in the meantime, it doesn't contain a fix.
PDF rendering is generally known to be a security sensitive area. Given that it makes me feel uneasy that there is a large number of memory access bugs reported in their bug tracker and no sign of any effort to fix them.