Making Software Dumber (presented at BlueHat 2009)

by Tavis Ormandy (Google) and Neel Mehta (Google)

Tags: Security

Summary: We describe our experience with a system designed to select optimal input seed candidates for software fuzz testing from large sample corpora with minimal initial investment of effort. Model inference-assisted fuzzing has excelled at identifying vulnerabilities in software that parses highly structured input data; we describe how to achieve comparable results without the requisite grammar and at far lower setup cost. Our technique applies set cover minimization to sample corpora, combined with feedback-driven mutation using a new technique we call sub-instruction profiling. We will demonstrate how we used this technique to uncover multiple vulnerabilities in Windows.
(The title is derived from the observation that major research into fuzzing is leaning towards making fuzzers more intelligent, and giving them greater understanding of the protocol and target they're attacking. We argue that this is the wrong direction, and demonstrate how software can be made "dumber" generically, essentially making very naive fuzzing as effective as more expensive [in terms of development effort] fuzzers).
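The set cover step named in the summary, as an added example that is not code from the talk or its authors: each candidate input in a corpus is reduced to the set of coverage features it exercises (basic blocks, edges, or whatever a tracer records), and the greedy set cover algorithm picks the fewest inputs whose union still covers everything the full corpus covers. The page does not describe the authors' exact cost function or the sub-instruction profiling feedback, so only the corpus minimization itself is shown; the coverage map, the file names, and the optional size weighting are constructed here for illustration.

```python
"""Greedy set-cover minimization of a fuzzing seed corpus (illustrative).

Each candidate input is represented by the set of coverage features it
exercises (e.g. basic-block or edge identifiers recorded by a tracer).
The goal is a small subset of inputs whose union covers every feature the
whole corpus covers.  Exact set cover is NP-hard; the greedy rule (pick the
input that adds the most still-uncovered features, repeat) gives a ln(n)
approximation and is what corpus-minimisation tools generally use.
"""
from typing import Dict, FrozenSet, List, Optional, Set


def greedy_set_cover(coverage: Dict[str, FrozenSet[int]],
                     weights: Optional[Dict[str, int]] = None) -> List[str]:
    """Return an ordered list of input names covering the union of all features.

    `weights` (assumed here to be file sizes) optionally bias the choice
    toward cheaper inputs: score = newly_covered_features / weight.
    Ties are broken on the lexically smaller name so results are deterministic.
    """
    universe: Set[int] = set().union(*coverage.values())
    uncovered = set(universe)
    remaining = dict(coverage)
    chosen: List[str] = []
    while uncovered:
        best: Optional[str] = None
        best_score = 0.0
        for name, feats in remaining.items():
            gain = len(feats & uncovered)
            if gain == 0:
                continue  # adds nothing new; skip (and never select) it
            score = gain / (weights.get(name, 1) if weights else 1)
            if score > best_score or (score == best_score and best is not None
                                      and name < best):
                best, best_score = name, score
        if best is None:
            break  # unreachable: `uncovered` is always a subset of the union
        chosen.append(best)
        uncovered -= remaining.pop(best)
    return chosen


def covers_all(coverage: Dict[str, FrozenSet[int]], chosen: List[str]) -> bool:
    """Sanity check: the selected subset reaches every feature the corpus does."""
    universe = set().union(*coverage.values())
    covered = set().union(*(coverage[name] for name in chosen))
    return covered == universe


# Constructed coverage map: file name -> feature ids hit when parsing it.
SAMPLE_COVERAGE: Dict[str, FrozenSet[int]] = {
    "a.doc": frozenset({1, 2, 3, 4, 5}),
    "b.doc": frozenset({4, 5, 6}),
    "c.doc": frozenset({6, 7}),
    "d.doc": frozenset({1, 2}),        # strict subset of a.doc: redundant
    "e.doc": frozenset({8}),           # only input reaching feature 8
    "f.doc": frozenset({3, 4, 5, 6, 7}),
}

# Constructed sizes in KiB; a.doc is large, f.doc is tiny.
SAMPLE_SIZES: Dict[str, int] = {
    "a.doc": 10, "b.doc": 1, "c.doc": 1, "d.doc": 1, "e.doc": 1, "f.doc": 1,
}


if __name__ == "__main__":
    by_count = greedy_set_cover(SAMPLE_COVERAGE)
    by_size = greedy_set_cover(SAMPLE_COVERAGE, SAMPLE_SIZES)
    print("unweighted:", by_count, covers_all(SAMPLE_COVERAGE, by_count))
    print("size-weighted:", by_size, covers_all(SAMPLE_COVERAGE, by_size))
```

Both runs shrink the six-file corpus to three seeds with no loss of coverage; the weighting changes which three, swapping the large `a.doc` for the small `f.doc` plus `d.doc`, which matters when every seed selected is going to be mutated millions of times.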