On 2017-10-16 12:16:49 +0000, Simon Clubley said:
> The Linux developers use fuzzing as a testing method...
VSI has to finish the x86-64 port with the production release arriving
circa 2020, and work to secure and to authenticate and to
upgrade-to-current and otherwise contend with the known problems and
known limitations (ftp, telnet, DECnet, down-revision network services,
certificate-handling, libtls and/or libsodium and/or other APIs for
secure transport and distributed authentication, getting security
reporting launched, implementing telemetry,
https://github.com/icing/mod_md and/or additional ACME support,
expunging known-insecure protocols and CDSA, etc), and around the VSI
management and development team and ISVs and end-user developers all
becoming more familiar with modern threats and environments and
attacks, all before expending any particular effort on rummaging for
more problems.
Yes, I'd certainly expect to see fuzzing used and be useful, but I'd
make a very substantial wager that the team at VSI presently doesn't
need to go looking for yet more work and for yet more
security-relevant work.
There are various fuzzers around, including for APIs and network
protocols and file formats, and those that target specific
architectures almost always target x86-64.
http://lcamtuf.coredump.cx/afl/ Etc. But if you're running a
down-revision network stack with known holes in (for instance) tcpdump
or Apache or otherwise, why bother rummaging for yet more bugs?
If you're interested in what sorts of files can be handed to some apps,
ponder what could have happened secondary to some proposed changes to
the SVG format:
https://www.w3.org/TR/2004/WD-SVG12-20040510/#rawsocket
— other sorts of documents are increasingly routinely executable, too.
From some of the other replies...
BTW and IIRC, Mr Reagan once broke Pascal by installing it on a VAX
9000, with the compiler crashing ~one compilation out of three.
And while on the subject of Pascal:
https://dubst3pp4.github.io/post/2017-10-03-why-i-use-object-pascal/
--
Pure Personal Opinion | HoffmanLabs LLC
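Since the post mentions file-format fuzzers and AFL without showing what one does, here is a worked example added to this page. It is not code from the post's author, from VSI or from the AFL project; the record format, the toy parser and its bug are constructed for illustration, and the two mutation stages loosely imitate AFL's deterministic "interesting values" pass followed by its random "havoc" pass.

```python
"""Minimal mutation fuzzer in the style of AFL's deterministic + havoc stages,
run against a deliberately buggy toy record parser.  Example code added to this
page; it is not from the post's author, VSI, or the AFL project.  The record
format, the parser and its bug are constructed for illustration."""
import itertools
import random
from typing import Callable, Dict, Iterable, Iterator, Optional, Tuple


class ParseError(Exception):
    """Raised when the parser notices malformed input and rejects it cleanly."""


def make_record(payload: bytes) -> bytes:
    """Build a well-formed record: 'R', 1-byte length, payload, 1-byte XOR checksum."""
    checksum = 0
    for b in payload:
        checksum ^= b
    return b"R" + bytes([len(payload)]) + payload + bytes([checksum])


def parse_record(data: bytes) -> Tuple[int, bytes]:
    """Toy parser for the constructed format.  Deliberate bug: the checksum loop
    trusts the length field, so a length larger than the remaining input reads
    past the end of the buffer (IndexError here; an out-of-bounds read in C)."""
    if len(data) < 3 or data[0:1] != b"R":
        raise ParseError("bad header")
    length = data[1]
    checksum = 0
    for i in range(length):
        checksum ^= data[2 + i]          # BUG: no check that 2 + length < len(data)
    if checksum != data[2 + length]:
        raise ParseError("checksum mismatch")
    return length, bytes(data[2:2 + length])


INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)   # boundary values, as in AFL's "interest" stage


def deterministic_stage(seed: bytes) -> Iterator[bytes]:
    """Try each interesting value at each byte position: exhaustive and repeatable."""
    for pos in range(len(seed)):
        for value in INTERESTING:
            yield seed[:pos] + bytes([value]) + seed[pos + 1:]


def havoc_stage(seed: bytes, rng: random.Random, rounds: int) -> Iterator[bytes]:
    """Stacked random mutations: overwrite a byte, flip a bit, delete, insert."""
    for _ in range(rounds):
        data = bytearray(seed)
        for _ in range(rng.randint(1, 4)):
            op = rng.randrange(4)
            if op == 0 and data:
                data[rng.randrange(len(data))] = rng.randrange(256)
            elif op == 1 and data:
                data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
            elif op == 2 and len(data) > 1:
                del data[rng.randrange(len(data))]
            else:
                data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        yield bytes(data)


def run_case(target: Callable[[bytes], object], data: bytes) -> Optional[str]:
    """Run one input.  A ParseError is the parser doing its job; any other
    exception is a finding and is returned as a crash signature."""
    try:
        target(data)
    except ParseError:
        return None
    except Exception as exc:
        return f"{type(exc).__name__}: {exc}"
    return None


def fuzz(target: Callable[[bytes], object], seeds: Iterable[bytes],
         rounds: int = 500, rng_seed: int = 1) -> Dict[str, bytes]:
    """Return {crash signature: first input that triggered it}, deduplicated by signature."""
    rng = random.Random(rng_seed)          # fixed seed so a run is reproducible
    crashes: Dict[str, bytes] = {}
    for seed in seeds:
        cases = itertools.chain(deterministic_stage(seed), havoc_stage(seed, rng, rounds))
        for case in cases:
            signature = run_case(target, case)
            if signature is not None and signature not in crashes:
                crashes[signature] = case
    return crashes


if __name__ == "__main__":
    found = fuzz(parse_record, [make_record(b"hello"), make_record(b"")])
    for sig, case in found.items():
        print(sig, case.hex())
```

The deterministic pass alone is enough to find the bug here, because setting the length byte to 0x7F or 0xFF drives the checksum loop past the end of the buffer; the havoc pass is what finds problems that need several coordinated changes. Real fuzzers add coverage feedback on top of this so that inputs reaching new code are kept as fresh seeds, which is the part a toy like this leaves out.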