Looking Back at Three Months of afl-fuzz (lcamtuf.blogspot.com)
76 points by hnmcs on Jan 25, 2015 | hide | past | favorite | 9 comments



> Since then, afl-fuzz helped to squash hundreds of bugs, in part due to a community of folks who found the tool to be fun to use.

I wonder whether a tool as unexpectedly successful as this presents the security community with a weird dilemma: If so many people have begun to use afl-fuzz, find problems, and report them, can't we expect that just as many people find problems and don't report them?

Now, my security expertise goes as far as "don't roll your own", so maybe all the bugs found were, in practice, relatively difficult to exploit. But could afl-fuzz have helped scores of blackhatters to find and abuse the next Shellshocks? If so, in hindsight, was it actually a good move to release afl-fuzz so openly and enthusiastically?


I don't see why you're singling out afl-fuzz when you can say the exact same thing for every automated penetration testing tool.

There are scores of Linux distributions dedicated to bundling as many security-related scripts as possible. If we're going to be talking about "utility to blackhatters", there are plenty of tools that have been around for longer and have been far more influential.


I'm singling out afl-fuzz because it seems to be so spectacularly successful. In fact, this blog post is all about how spectacularly successful it is. Maybe it isn't actually, compared to all those other tools I don't know about, but then maybe you could've just said that and skipped the sneering? I've been pretty forthcoming about my lack of security expertise; I'm just asking people like you for an honest opinion.


Yes it was. It's safe to assume the "bad guys" have this stuff already, now the public gets to catch up.


Most automated penetration testing tools show what known vulnerabilities a target system has, and can help piece them together into a complete exploit: they do not find new bugs.


The more I have heard of this guy's work, the more disturbed I am by his skill, breadth, and depth in InfoSec.

Not to mention his insane CNC and robotics work. And that is just a freaking hobby to him.

https://duckduckgo.com/html?q=lcamtuf%20cnc


I'd like to see the SQLite SQL statements, are there any links available?


These are the crashing statements:

  SELECT n()AND+#0;
  SELECT strftime()
  DETACH(SELECT group_concat(q));
  DROP TABLE IF EXISTS t0; CREATE TABLE t0(t);
  INSERT INTO t0 SELECT strftime();
  SELECT quote(t) FROM t0

See https://www.sqlite.org/src/info/fe578863313128 for the patch.


Also SELECT c.* FROM (a,b) AS c;
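The crashing statements quoted in the two comments above are exactly the kind of fuzzer output that is worth keeping as a regression suite after the fix lands. The harness below is an added example, not code from the thread or from the SQLite project: it replays each case against the SQLite library bundled with Python, running every case in a throwaway child process with its own in-memory database so that a genuine crash (segfault, abort) or hang kills only the child and is classified rather than taking the harness down. The grouping of the last three statements of the first comment into one sequence is my reading of the list; the version check and the "ok/error/crash/hang" labels are my own.

```python
import subprocess
import sys

# Statements quoted in the thread, grouped into cases; the DROP/CREATE,
# INSERT and SELECT lines are treated as one sequence since the INSERT
# needs the table created just before it (grouping is an assumption).
CRASH_CASES = [
    "SELECT n()AND+#0;",
    "SELECT strftime()",
    "DETACH(SELECT group_concat(q));",
    "DROP TABLE IF EXISTS t0; CREATE TABLE t0(t);\n"
    "INSERT INTO t0 SELECT strftime();\n"
    "SELECT quote(t) FROM t0",
    "SELECT c.* FROM (a,b) AS c;",
]

# Program run in a child process: a fresh in-memory database per case, so a
# real crash in the library kills only this child and not the harness.
CHILD = r"""
import sqlite3, sys
con = sqlite3.connect(":memory:")
try:
    con.executescript(sys.argv[1])
    print("ok")
except sqlite3.Error as exc:
    print("error: " + str(exc))
"""


def run_case(sql, timeout=10):
    """Replay one SQL script; return (status, detail) where status is
    "ok", "error" (clean SQL error), "crash" (child died) or "hang"."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD, sql],
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return ("hang", "no answer within %d seconds" % timeout)
    if proc.returncode != 0:
        # On POSIX a negative return code is the signal number that killed
        # the child (e.g. -11 for SIGSEGV, -6 for SIGABRT).
        return ("crash", "exit status %d; stderr: %s"
                % (proc.returncode, proc.stderr.strip()))
    out = proc.stdout.strip()
    if out.startswith("error:"):
        return ("error", out[len("error:"):].strip())
    return ("ok", out)


def run_regression(cases=CRASH_CASES):
    """Run every case in order; return a list of (status, detail) tuples."""
    return [run_case(sql) for sql in cases]


def sqlite_version():
    """Version string of the SQLite library Python links against."""
    import sqlite3
    return sqlite3.sqlite_version


if __name__ == "__main__":
    print("SQLite library version:", sqlite_version())
    for sql, (status, detail) in zip(CRASH_CASES, run_regression()):
        print("%-6s %-45s %s" % (status, sql.splitlines()[0], detail))
```

On a SQLite build that carries the linked patch, every case should come back as "ok" or "error"; a "crash" or "hang" line means the library you are running regressed on a known fuzzer finding and is worth reporting with the exact version string the script prints.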



