SECURITY SEMINAR SERIES
AUTODAFÉ: An act of software torture
Martin Vuagnoux, Ecole Polytechnique Fédérale de Lausanne
Tuesday, 28 September 2004, 16:45 (note later time!)
Lecture Theatre 2, William

In his 1950 paper "Computing Machinery and Intelligence", Turing
highlighted, for the first time, the risks of bad input validation in
software. The problem has not gone away. Buffer overflows, which account
for a third of the vulnerabilities discovered in the past decade, are
today the best studied example.

Automatic vulnerability-search tools have led to an explosion in the
rate at which such flaws are discovered today. One particular technique
is fault injection, the insertion of random, atypical data into input
files or protocol packets, combined with monitoring memory violations.
Existing tools for this are still rather crude. Their success is more
testimony to the high density of flaws in fielded software than the
result of good test coverage. This talk presents a new optimized
approach for performing such "fuzzing" tests and will include a
demonstration of the "Autodafé" tool that implements it.