Fuzzed Enough? When Itís Ok To Put The Shears Down presented at BlueHat 2008

by Jason Shirk ( Microsoft ), Lars Opstad ( Microsoft ), Dave Weinstein ( Microsoft ),

Tags: Security

Summary : This is a multi-part presentation shared between members of the SWI Tools team, discussing several aspects of Fuzzing: ìHow should I fuzz? When have I fuzzed enough? What do I do now that Iíve fuzzed?î
Jason Shirk will cover ìHow Should I Fuzz?î The SWI Tools team is responsible for providing tools across Microsoft to test for compliance with the SDL. Some areas, though important, are finite. Fuzzing approaches infinite numbers, types and methods of testing, and there is room (and necessity) for a number of tools. Certainly, not all fuzzers are created equal, but are their differences worse, or necessary? What should you look for in different types of fuzzers? What kind of commitment are you making when you chose a fuzzer? We will have completed the Fuzzing Olympics in time for this presentation, and I will make some comparisons between fuzzing models, and what weíve found to be true at Microsoft in a smart vs. dumb fuzzing battle. The merits of several approaches, without giving out the exact specifics of how we test, will be discussed. The presenters do not intend to repeat Charlie Millerís book here, but will show how it applies to software manufacturers, and discuss a type of blended approach to the space. Discussing approaches should then lead well into Larsís presentation.
Lars Opstad will cover: ìHow Much Do I Fuzz? When Have I Fuzzed Enough?î The SWI Tools team ran a large fuzzing effort recently for a major Microsoft product. By running millions of manipulations and iterations across many machines, we discovered some things about fuzzing. There is a point of diminishing returns for fuzzing: at this point, most of the fuzzing effort can be stopped. Some late returns can still find very important issues, so designating a box to fuzz ìforeverî isnít a bad idea. Indicators to use to determine when to decrease fuzzing depend on a number of factors, which will be covered in this presentation.
Dave Weinstein will cover: ìWhat Do I Do Now That Iíve Fuzzed?î