Word Notes 12.15.20
Ep 28 | 12.15.20

fuzzing (noun)


Rick Howard: The word is: fuzzing.

Rick Howard: Spelled: F as in FTP, U as in Unix, Z as in zero day, Z as in zombies, I as an intrusion detection, N as in nonrepudiation, and G as in GANU.

Rick Howard: Definition: An automatic software bug and vulnerability discovery technique that inputs invalid, unexpected and/or random data or fuzz into a program and then monitors the program's reaction to it.

Rick Howard: Example sentence: Fuzzing is about throwing random objects at a piece of software to see what breaks.

Rick Howard: Origin and context: According to Gerald Weinberg, author of the book "Perfect Software and Other Illusions about Testing," the idea of using random data to test programs has been around since the 1950s when programmers used discarded punch card decks taken out of the trash as input to their programs. In 1981, Joe Duran and Simeon Ntafos published a paper called "A Report on Random Testing." It argued for this kind of automatic investigation in conjunction with other formalized testing methods to find software errors. The software development community roundly criticized the paper because it didn't provide a formal and provable method. According to Andy Greenberg at Wired, by 1987, the situation hadn't got much better. Professor Barton Miller from the University of Wisconsin at Madison and his students developed the first purpose-built fuzzing tool to find software security flaws. The programming community didn't like his paper either in writing it because it didn't have a formal model. As the software tester community rejected the practice, security researchers and criminal hackers picked it up as a faster way to find software vulnerabilities that could be turned into exploits. This kind of work can be very lucrative. Today, according to Maria Karloff at CSO Magazine, brokers sell high value exploits or as high as two million dollars. The first step in finding those exploits is fuzzing.

Rick Howard: Nerd Reference: In Season 3, Episode 9 of Mr. Robot, Elliot, played by Rami Malek, realizes that the Dark Army has compromised his laptop. He wants to hack back to get access to their systems. He fires up a real-world fuzzer program called American Fuzzy Lop and points it at another real world program called Evince. Evince is a PDF reader that comes with many Linux operating systems. After finding a vulnerability in Evince, Elliot creates a malicious PDF that, according to Corey Nachreiner, the CTO of WatchGuard Technologies, contains some sort of shell code that will allow Elliot to take over any Linux computer and opens that file with Evince.