
| Subject: | [CISSP-D] REVIEW: "Fuzzing", Michael Sutton/Adam Greene/Pedram Amini |
|---|---|
| Date: | Mon, 14 Jan 2008 15:42:33 -0800 |
BKFUZZNG.RVW   20071005

"Fuzzing", Michael Sutton/Adam Greene/Pedram Amini, 2007, 0-321-44611-9, U$54.99/C$68.99
%A   Michael Sutton
%A   Adam Greene
%A   Pedram Amini
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2007
%G   0-321-44611-9 978-0-321-44611-4
%I   Addison-Wesley Publishing Co.
%O   U$54.99/C$68.99 416-447-5101 fax: 416-443-0948 bkexpress@aw.com
%O   http://www.amazon.com/exec/obidos/ASIN/0321446119/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0321446119/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321446119/robsladesin03-20
%O   Audience a+ Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   543 p.
%T   "Fuzzing: Brute Force Vulnerability Discovery"

In the foreword, H. D. Moore states that fuzzing is the submission, to a system, of miscellaneous inputs in order to find vulnerabilities, and that it is more art than science. In the preface, the authors assert that, since it is important to have as many people as possible finding vulnerabilities in our applications, the book is written not only for researchers, but for the general public and those with no background in the idea and activity of fuzzing.

Part one provides background information and concepts. Chapter one outlines the three basic types of vulnerability discovery: white box, utilizing source code and other developer materials; black box, submitting inputs and observing the results; and gray box, using tools such as disassemblers and debuggers. A definition of fuzzing is attempted in chapter two, which discusses boundary value analysis (submission of inputs that straddle the line between acceptable and improper) but notes that fuzzing goes beyond this level of activity. There is brief mention of mutation-basing (modification of input described as acceptable) and generation-basing (creation of test data from the specification of the format). Fuzzing methods are supposed to be the topic of chapter three, but it generally lists different types of programs (based on the types of applications they test). Different types of data representation are mentioned in chapter four. The requirements for successful fuzzing, discussed in chapter five, are basically the best possible understanding of the system under test, the ability to determine when an effect has been created, and care in recording attempts and results.

Part two examines a variety of application target types, and the automation of fuzzing activities. Chapter six lists some tools, and notes some factors in programming test generation programs. Subsequently, chapters follow a pattern of an initial discussion of a specific category of intended quarry (environment variables and arguments in chapter seven) and then automation of fuzzing for that purpose (environment parameters in chapter eight). The targets are Web applications (nine and ten), file formats (eleven, with automation for UNIX in twelve, and Windows in thirteen), network protocols (fourteen, fifteen, and sixteen), Web browsers (seventeen and eighteen), and in-memory fuzzing (nineteen and twenty).

Part three introduces advanced fuzzing technologies. Fuzzing frameworks, described in chapter twenty-one, are applications for specifying formats and generating ranges of test and probe input data to be used for submission to programs. It is difficult to find a consistent thread for chapter twenty-two, but the topic seems to have something to do with general programmatic approaches that may have promise for the automation of fuzzing. While fuzzing can create failures, and therefore note the existence of faults, in a program, it cannot help us to identify vulnerabilities to be addressed unless we can distinguish the part of the application that is responsible for the malfunction. Chapter twenty-three explores this idea under the title of fuzzer tracking, or code coverage, and notes some of the utilities that can be of assistance, but doesn't do a good job of explaining the necessary functions and concepts. Intelligent fault detection, in chapter twenty-four, is related to the material in twenty-two, although on a more generic level.

Part four is a kind of summary, with "Lessons Learned" (and the potential for the use of fuzzing in software development) in chapter twenty-five. The title "Looking Forward," in twenty-six, would normally lead the reader to expect some examination of future directions, but instead there is a list of some advanced fuzzing programs to close off the book.

This work does delineate the concepts involved in probing and testing of software through random or semi-random input submission. For those managing the software development process, these ideas are helpful, although the book may seem a trifle long to that audience. For those more directly involved in testing, the text may seem frustrating at times: either simplistic, for experienced testers, or not detailed enough, for quality assurance people just getting started in technical explorations. Still, this is the most complete volume in the field so far, easily exceeding Beaver's "Hacking for Dummies" (cf. BKHACKDM.RVW), Chirillo's "Hack Attacks Testing" (cf. BKHKATTS.RVW), or "The Software Vulnerability Guide" (cf. BKSWVLGD.RVW). Andrews' and Whittaker's "How to Break Web Software" (cf. BKHTBWSW.RVW) has a higher level of writing, but is more specialized, so Sutton, Greene, and Amini have provided a useful and more general guide.

copyright Robert M. Slade, 2007   BKFUZZNG.RVW   20071005

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
Do not fold, spindle or mutilate
          - originated by Charles A. Phillips
http://victoria.tc.ca/techrev/rms.htm
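As an added illustration, not from Slade's review or from the book, the following runs the three input-derivation approaches the review names from chapter two (boundary value analysis, mutation-basing, generation-basing) against a constructed toy record parser, recording every attempt and outcome as chapter five calls for. The parser, its record format and its defect are hypothetical, built only so the harness has a fault to find.

```python
import random, struct
# Constructed toy target (not from the book): record = <tag><length><payload>,
# with a deliberate defect so that the harness below has a fault to find.
def parse_record(data: bytes) -> dict:
    if len(data) < 2:
        raise ValueError("short header")           # proper rejection
    tag, length = data[0], data[1]
    payload = data[2:2 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")      # proper rejection
    fields = [payload[i:i + 4] for i in range(0, length, 4)]
    if tag == 1:  # defect: assumes a full 4-byte first field (breaks for length 0..3)
        return {"tag": tag, "first": struct.unpack("<I", fields[0])[0]}
    return {"tag": tag, "fields": len(fields)}

def run_case(strategy, case, log):
    try:
        parse_record(case)
        outcome = "ok"
    except ValueError:
        outcome = "rejected"                       # the parser said no: expected
    except Exception as exc:                       # anything else is a fault
        outcome = "fault:" + type(exc).__name__
    log.append((strategy, case, outcome))          # record every attempt (chapter five)
    return outcome

def boundary_cases():  # boundary value analysis: lengths straddling valid and invalid
    return [bytes([1, n]) + b"A" * n for n in (0, 1, 255)]

def generation_cases():  # generation-based: built directly from the format description
    return [bytes([t, n]) + bytes(range(n)) for t in (0, 1, 2) for n in (3, 4, 8)]

def mutation_cases(seed, rng, n=20):  # mutation-based: corrupt one byte of a good record
    out = []
    for _ in range(n):
        m = bytearray(seed)
        m[rng.randrange(len(m))] ^= rng.randrange(1, 256)
        out.append(bytes(m))
    return out

def fuzz(seed=b"\x01\x04ABCD", rng_seed=7):
    rng, log = random.Random(rng_seed), []
    for name, cases in (("boundary", boundary_cases()), ("mutation", mutation_cases(seed, rng)),
                        ("generation", generation_cases())):
        for case in cases:
            run_case(name, case, log)
    return log

def faults(log):  # distinct (strategy, fault) pairs: the list an analyst would triage
    return sorted({(s, o) for s, _, o in log if o.startswith("fault")})
```

The log separates inputs the parser properly rejected from ones that made it fail in an unplanned way; only the latter are worth tracing back to the responsible code, which is the triage problem the review raises for chapter twenty-three.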