Word Notes 12.15.20
Ep 28 | 12.15.20

fuzzing (noun)

Transcript

Rick Howard: The word is: fuzzing.

Rick Howard: Spelled: F as in FTP, U as in Unix, Z as in zero day, Z as in zombies, I as in intrusion detection, N as in nonrepudiation, and G as in GNU.

Rick Howard: Definition: An automatic software bug and vulnerability discovery technique that inputs invalid, unexpected and/or random data or fuzz into a program and then monitors the program's reaction to it.

Rick Howard: Example sentence: Fuzzing is about throwing random objects at a piece of software to see what breaks.

Rick Howard: Origin and context: According to Gerald Weinberg, author of the book "Perfect Software and Other Illusions about Testing," the idea of using random data to test programs has been around since the 1950s when programmers used discarded punch card decks taken out of the trash as input to their programs. In 1981, Joe Duran and Simeon Ntafos published a paper called "A Report on Random Testing." It argued for this kind of automatic investigation in conjunction with other formalized testing methods to find software errors. The software development community roundly criticized the paper because it didn't provide a formal and provable method. According to Andy Greenberg at Wired, by 1987, the situation hadn't got much better. Professor Barton Miller from the University of Wisconsin at Madison and his students developed the first purpose-built fuzzing tool to find software security flaws. The programming community didn't like his paper either in writing it because it didn't have a formal model. As the software tester community rejected the practice, security researchers and criminal hackers picked it up as a faster way to find software vulnerabilities that could be turned into exploits. This kind of work can be very lucrative. Today, according to Maria Korolov at CSO Magazine, brokers sell high-value exploits for as high as two million dollars. The first step in finding those exploits is fuzzing.

Rick Howard: Nerd Reference: In Season 3, Episode 9 of Mr. Robot, Elliot, played by Rami Malek, realizes that the Dark Army has compromised his laptop. He wants to hack back to get access to their systems. He fires up a real-world fuzzer program called American Fuzzy Lop and points it at another real-world program called Evince. Evince is a PDF reader that comes with many Linux operating systems. After finding a vulnerability in Evince, Elliot creates a malicious PDF that, according to Corey Nachreiner, the CTO of WatchGuard Technologies, contains some sort of shellcode that will allow Elliot to take over any Linux computer and opens that file with Evince.