I think the spell checker got fuzzed
"attack service" or "attack surface" or did I miss the pun?
Google Project Zero's Windows bug-hunter and fuzz-boffin Tavis Ormandy has given the world an insight into how he works so fast: he works on Linux, and with the release of a personal project on GitHub, others can too. Ormandy's project is to port Windows DLLs to Linux for his vuln tests (“So that's how he works so fast!” …
Jargon that was new to me, so:
Fuzz testing or fuzzing is a software testing technique used to discover coding errors and security loopholes in software, operating systems or networks by inputting massive amounts of random data, called fuzz, to the system in an attempt to make it crash. If a vulnerability is found, a tool called a fuzz tester (or fuzzer), indicates potential causes. Fuzz testing was originally developed by Barton Miller at the University of Wisconsin in 1989.
I thought fuzzing started with Edsger Dijkstra and Goto Considered Harmful. Line noise resulted in the connection crashing, etc.
It really depends on what you are trying to do with fuzzing that will get results. Trying to do fuzzing on slow embedded systems, and it becomes an exercise in patience. Google AFL gets results because it's running over 40,000 iterations per second. A device I'm testing at work goes through two to three iterations per second. Sure, that adds up over time, but I have to temper my manager's expectations for the platform.
If a DLL can be isolated, then it's a great way to get results.
It was given a name in 1989 - many of us had been doing similar for many years before. I saw my first bit of what is now called fuzz testing in around 82 or 3 and it was written in Coral 66 I believe. A colleague used it to test functions to see what would induce functions to blow up rather than to look for attack 'services'. When code and systems took minutes or hours to get to a useful state, catching shit like that was a lot easier than working out why a system was on its arse.
Sensible compilers make it a lot harder/redundant.
What if you're using a DLL which already runs in an isolated environment and therefore blocks certain system and function calls? The DLL might contain certain bugs, but its impact would be quite different on both environments. So I can't help wondering if you're not effectively slowing things down. While you might be able to spot bugs more quickly, it also means you'd have to test them in the original environment as well so that you can rule out flaws in the testing itself and determine their true impact.
If you don't have access to the source code, you're left with either decompiling the software and/or running it in a debugger, laboriously reverse-engineering the software to see how it works and might be broken. That is a far slower process than running automated throw-it-at-the-wall-and-see-what-sticks sessions, and then checking out the interesting results.
But the point stands. What if the exploit is a gestalt, meaning it ONLY appears in a certain environmental combination and then becomes something greater than the sum of its parts? IOW, it's like planning for an emergency: the ONLY way to really know if the plan works is to have an emergency, with all the environmental factors that ONLY come from true emergencies.
it's like planning for an emergency: the ONLY way to really know if the plan works is to have an emergency
So are you saying that emergency planning is useless? In an emergency scenario it is absolutely crucial to have a good plan, and for the people on the ground to have practised that plan so nobody is doing anything stupid. The planning might not exactly meet the situation, but is generally close enough that people know what they should be doing.
Partly useless, because you can't fake PANIC. You can't fake a fire, and so on. Even the late Terry Pratchett noted it. IOW, unless people REALLY feel their life is on the line, they won't behave the same way during a drill as they will during an actual emergency. Practice isn't all you need, you ALSO need discipline: the ability to not panic when surprises DO come. Say detonate a flashbang once in a while nearby to condition people to react in desired ways.
"Partly useless, because you can't fake PANIC. You can't fake a fire, and so on"
I used to write business continuity software for the H&S department of a large company. They used to like to get everyone in the team involved in the planning of drills, and I assure you it is possible to fake a fire (I have been the guy standing next to the main fire escape when the alarm goes off shouting "I'm a fire, find another way out" - fun, and it made sure that people knew where more than one exit from the building was).
I was also involved when our datacenter experienced a "thermal event" that blocked an exit and no one panicked - Maybe it was the drills, maybe it was the fact that deep down everyone knew that after an hour in the sun on the car park that they were getting home early...
From my years in the US Navy, I can safely say that after drilling often enough, personnel responding to the real thing becomes pretty automatic. Case in point, one of our submarines rammed my destroyer while we were conducting an anti-submarine warfare exercise off the Philippines. The response time as per drills is to have the whole ship watertight in five minutes. Facing the real thing, we did it in a minute and twenty seconds. No alarms were sounded until after we had the whole, the bridge crew being a bit slow off the mark. Not their fault really, as it's not every day you get rammed by a sub. Just that the whole ship did a shivering heel to starboard and everyone else figured out at least something wasn't right.
"Partly useless, because you can't fake PANIC."
If you repeatedly practice an emergency plan, there won't BE panic. That's the beauty of it. That's why the military spends so much time drilling. When something does happen, their subconscious immediately recognizes the situation and how to deal with it, instead of panicking. Sully Sullenberger wasn't an exceptional pilot (by his own reckoning), but he WAS a pilot who had repeatedly run through multiple-engine failure scenarios in simulators.
The military spends all that time doing 'things' so that they become muscle memory. E.g. reloading a magazine, counting the rounds you have fired, clearing a jam, fire control orders, target designation etc. Yes it makes you more efficient at these things but the main part is not having to think about it. It leaves your brain free to analyse the situation and make better decisions than you could if you were thinking about all the small details or what your hands are doing.
The same goes for fitness, train hard and fight easy. If you are blowing out of your arse you can't think straight.
Partly useless, because you can't fake PANIC.
Dear friend of mine had a stroke a few years back. Very severe one and only thanks to God he came through - neurologists and doctors said he could not possibly survive.
He was driving when he had his stroke. We'd been out seeing a mutual friend and left about the same time, so I was seconds behind him and saw it happen. Scary doesn't even come close when a dear friend's car starts accelerating and weaving wildly before (thankfully) hitting a parked car then veering off into someone's house. No one home so no one else hurt but a mess you cannot believe unless you see it for yourself.
I had not long before re-done first aid training, and also due to the work I'd done in the past (hazardous chemicals used in factory work) I'd had a number of safety and emergency courses. This was a very dear friend clearly with life-threatening injuries, let alone whatever incident caused the crash in the first place (no idea it was a stroke at the time).
Panic? No. Scared? You bet. But training. Lots of training. Automatics mainly maybe, but I was able to call emergency services, give suitable information on what had happened, and deal with the incident in a suitable manner, securing the scene as necessary (ie making sure that the car was off, its battery wasn't shorting, and there was no gas leak from the damage to the house or obvious sign of electrical shock risk (NZ mains is 240v10a)).
Training for emergencies means that people don't panic in these situations. If you're trained to cope, you're trained to cope full stop. Panic is lessened by the training even when it is a loved one because you know the right actions to take at the right time and you know how best to protect their life till other help arrives.
Jim survived, with marginal paralysis on his left side and some metal plates holding some bones together. Jim survived because the first person on the scene had basic first aid training and used his brains to be sure the area was safe first. Basic training means you don't panic, you know what is right. Lots of training means you can function largely on automatic, because you have repeatedly gone through the steps required.
To be fair to you, until Jim's stroke I used to think the same as you - you don't know how you'd react in a real situation until you're in a real situation. I discovered that training gives you the knowledge to do the right thing, and knowing what you're doing removes panic. And yes my life was potentially on the line as until I knew that the car and house were safe from explosion or electrocution, there was a risk that anything I touched could kill me.
Panic? That's what I feel when the car coming towards me starts to weave suddenly. Is someone having a medical event and what is the best action for me to take? Slamming on the brakes may mean I get hit by a vehicle from behind and pushed into the path of oncoming traffic where the person was only slapping at a fly, NOT hitting the brakes could mean the car is in trouble and swerves into me....
[Edit : Should've read further - others have covered this quite well, thanks to the various writers :) ]
"Say detonate a flashbang once in a while nearby to condition people to react in desired ways."
Pavlovian disaster drills?
Do you give a reward after the flashbang if they react in a desired manner? Will there be problems with excessive saliva at the scenes of real emergencies?
@Charles 9 "Partly useless, because you can't fake PANIC. "
Airline researchers figured out how to fake panic in aircraft cabins quite well. When they do evacuation simulations (to identify bottlenecks in exit procedures and so on) they offer a large cash bonus to everybody who was out in the first 10 seconds, half of that for those out in less than 20 seconds, a token monetary compensation if you were out in 30 seconds or less, and the rest get nothing. Volunteers were 'panicking' to get out because they had an incentive to do so.
"So are you saying that emergency planning is useless?"
Not useless, just not able to cope with every situation, I'm sure switching off the backup generator in the event of flooding had good sound reasoning, didn't go too well in reality though did it !!!
It is also the case that fuzzing is no panacea. Nevertheless, it often does uncover interesting results. I have used a form of fuzzing to test a cross compiler I worked on. One more tool in the toolkit, but a wise tester should use others as well.
The porting itself must take a lot of time, especially when there are many DLLs. I can't really see what the true advantages are. And then debugging something outside of its home environment must yet again add an overhead.
Admittedly Linux has a better and more extensive range of tools, but many of them exist also on Windows.
The article appears to be adding a bit of fluff.....
The most important tool is not the OS in any event, it's the grey stuff between the ears.
He's talking about self-contained libraries for which it is easier to emulate their working environment. You could do the same under Windows, if you need it, with no need to run the whole application. It looks also like he knows little about the tools available under Windows (most good ones are commercial), and I also guess he's taking advantage of many other people's open source work, and that's easier under Linux.
It's always better to use what you know best, but this is also part of the ongoing Google FUD campaign against Microsoft, which looks to be increasing since Nadella decided to invade Google's data slurping market with Windows 10.
He knows a lot more than you do, if he wasn't working for Google he'd probably be working for GCHQ, seems a bright chap.
- I thought the last time a lot of 'bright chap's worked for GCHQ was before it was called that, and during the draft....
'a matter of Internal Security, the age-old cry of the oppressor'
- Jean-Luc Picard - The Hunted
Dynamic link libraries provide a function table of explicitly exported functions to be at run time, where *nix uses shared objects. As an API library developer, a DLL enables me to hide private functions that are exposed in a .so file. The DLL export is simpler than the pimpl pattern for API development.
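As an added example (not code from any commenter or from the project discussed), here is the explicit-export pattern the comment above describes, written so one source file builds either as a Windows DLL or as a Linux shared object with the same visible API: the public entry point is marked exported, the internal helper is marked hidden. It assumes the Linux build is compiled with `-fvisibility=hidden`; the hash used for the worked function is FNV-1a, chosen only as a small known-answer body.

```c
/* Added example: one export list for DLL (.dll) and shared object (.so).
 * Assumption: on Linux, build with  -fvisibility=hidden  so that only
 * API_EXPORT functions land in the dynamic symbol table, mirroring a
 * DLL export table. Windows exports only what carries __declspec. */
#include <stddef.h>
#include <stdint.h>

#if defined(_WIN32)
#  define API_EXPORT __declspec(dllexport)
#  define API_HIDDEN
#else
#  define API_EXPORT __attribute__((visibility("default")))
#  define API_HIDDEN __attribute__((visibility("hidden")))
#endif

/* Internal helper shared between the library's own translation units but
 * deliberately absent from the public symbol table (the part a .so would
 * otherwise expose when everything is left at default visibility). */
API_HIDDEN uint32_t lib_fnv1a32(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;               /* FNV-1a 32-bit offset basis */
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;                   /* FNV-1a 32-bit prime */
    }
    return h;
}

/* The only exported entry point: validates its arguments before touching
 * the helper, since callers outside the library can pass anything. */
API_EXPORT int lib_checksum(const void *buf, size_t len, uint32_t *out) {
    if (out == NULL || (buf == NULL && len > 0)) return -1;
    *out = lib_fnv1a32((const uint8_t *)buf, len);
    return 0;
}

/* Exported known-answer self-test: returns 1 when the helper still matches
 * the published FNV-1a vectors for "" and "a", otherwise 0. */
API_EXPORT int lib_selftest(void) {
    uint32_t h = 0;
    if (lib_checksum("", 0, &h) != 0 || h != 0x811c9dc5u) return 0;
    if (lib_checksum("a", 1, &h) != 0 || h != 0xe40c292cu) return 0;
    return 1;
}
```

On Linux, `nm -D --defined-only` on the resulting .so lists only `lib_checksum` and `lib_selftest`; the same two names are what a DLL's export table would show.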
The news here is not that Windows defender has been "ported" but that DLLs are being loaded without WINE.
Well, since you brought ARDDA into it, I'd like to represent the Association for Recreational Sewage Eating (ARSE) for balance. People like you are ruining an ancient and noble pastime by polluting the sewage.
Also, as a member of the Federation Against Drano Gargling and Embibing (FADGE), I oppose everything ARDDA stands for. Recreational my foot. I, like many people, think Drano Drinking should be regulated, taxed and sold in white packages with health warnings on the box. A photograph of gleaming pipes and freeflowing water should put the kids off. "This is what Drano does to pipes, what do you think it's doing to you?".
Drano drinking scum should be kicked out of the country.
In fact I believe that ARDDA led directly to the Drano Acquisition Exploitation Shipping and Haulage organisation. It's not just a peaceful pastime.
I'll be writing a strongly worded letter to my local United Kingdom Imbibing Police representative forthwith.