Become a fan of Slashdot on Facebook


Forgot your password?
Security Linux

Targeted Fuzzing Is Improving Linux Security, Linus Torvalds Says ( 62

On the sidelines of announcing the fifth release candidate for the Linux kernel version 4.14, Linus Torvalds said fuzzing, which involves stress testing a system by generating random code to induce errors, is helping the community find and fix a range of security vulnerabilities. He wrote: The other thing perhaps worth mentioning is how much random fuzzing people are doing, and it's finding things. We've always done fuzzing (who remembers the old "crashme" program that just generated random code and jumped to it? We used to do that quite actively very early on), but people have been doing some nice targeted fuzzing of driver subsystems etc, and there's been various fixes (not just this last week either) coming out of those efforts. Very nice to see.
This discussion has been archived. No new comments can be posted.

Targeted Fuzzing Is Improving Linux Security, Linus Torvalds Says

Comments Filter:
  • This sound like an area where AI could be really helpful.
    • Well, this AI is doing a very bad job of impersonating Linus Torvalds. "Very nice to see"? Not a single swear word? No biting sarcasm? There's no way that's the real Linus.

    • by gweihir ( 88907 )

      No. It would be completely worthless. Unless you are talking strong AI, but that does not exist.

      • It would be worse than worthless. Any AI worth its salt would develop the same biases that human engineers develop and eventually decide that writing unit tests sucks. Only to eventalually hold down the delete key, albeit by submitting keypress events into the usb bus, until all the code was deleted. Finally then exiting with printf ("i quit")
    • Sounds like a rubbish test approach. Actually having a test analyst analyse your requirements to determine what the system should and shouldn't do will find more defects and improve your confidence in the overall product. This is just trying random shit with no concept of coverage.
  • by Anonymous Coward

    ..I thought "Targeted Fuzzing" was about growing pubic hair in designated patches.

  • by future assassin ( 639396 ) on Thursday October 19, 2017 @01:19PM (#55397697) Homepage

    drop some shrooms and mdma and PLUR your way to random code those security holes out while listening to 4 on the floor Techno.

    • drop some shrooms and mdma and PLUR your way to random code those security holes out while listening to 4 on the floor Techno.

      Daaaaaaz how its done, son!

  • Crashme (Score:5, Funny)

    by ArhcAngel ( 247594 ) on Thursday October 19, 2017 @01:24PM (#55397741)
    I use the crashme program to generate random code. Then I run it through Google translate and self publish on Amazon. Not a bad way to make a living.
    • Re:Crashme (Score:5, Funny)

      by sinij ( 911942 ) on Thursday October 19, 2017 @01:55PM (#55397999)
      I use crashme to generate random code, sprinkle it with various progressive words and submit it to gender studies journals. Apparently I am now a world-leading expert on sociolinguistic micro aggressions.
      • I used an RSS Reader to grab all of the headlines in the news, then used crashme to generate random code and then automatically publish on Twitter. Apparently made it to president of USA...
  • I see a lot of asks to fuzz test ICMP and TCP in hopes of finding application-layer issues in various high-level protocols. I see this as a giant waste of time. Am I wrong?
    • by Anonymous Coward

      Definitely Not. Fuzzing can expose incomplete Error Handling or a Lack of validation. All of which are potentially exploitable for Cyber attack.

      • by sinij ( 911942 )

        I get the idea behind it, but shouldn't it be targeting application layer instead of lower layers?

        • by Sique ( 173459 )
          Depends on what you are testing. Fuzzing should target the layer you are interested in. If you want to test the application layer, then you have to make sure that at least the IP part of your fuzzed packets is correct, so your packets actually reach the application.

          If on the other hand you are testing the ethernet driver, you could try to send random bits instead of ethernet frames to the interface.

    • Am I wrong to hang fuzzy dice from my ICBM?
  • by Anonymous Coward

    Only 381 Linux Kernel CVE's so far this year. To date, that is 164 more than last year, and by far the greatest number found. 166 code executions found this year, which is more than 8 times all other years COMBINED.

    Granted, most of that is on the Android side of things. But at this point, there is more than 1 vulnerability in the linux Kernel found every day, and a code execution found every other day.


  • fuzzing works. (Score:5, Interesting)

    by OFnow ( 1098151 ) on Thursday October 19, 2017 @02:00PM (#55398033)

    As maintainer of a small open source library and program I have benefitted immensely from the efforts of a small number of volunteers running fuzzing programs and using Address Sanitizer to locate bugs in the code I maintain. These volunteers have found bugs and reported them and provided testcases useful for regression testing. I am profoundly grateful to these folks.

    • by godrik ( 1287354 )

      Any chance you have some pointers on how to do fuzzing correctly? Could be fun to use some of that in testing students code to point out mistakes early on.

      • by Anonymous Coward

        Just use Common Sense. Flip Bits in integer fields, Insert random crap into String fields, Feed too Long Strings, Feed excessively large Data sets, etc etc.

        Run your Code in valgrind while doing so.

      • Re:fuzzing works. (Score:5, Informative)

        by phantomfive ( 622387 ) on Thursday October 19, 2017 @03:14PM (#55398531) Journal
        The answer is lots and lots of random input. If you just start injecting random data into a field, you'll find a lot.

        The difficult part is that you want the random data to get past the initial sanity checks. To do that, you need to have relatively deep knowledge of the thing you are fuzzing. That is why automated fuzzing tools tend to be a bit frustrating.
      • by blueg3 ( 192743 )

        Use afl [].

      • by Ace17 ( 3804065 )
        This is surprisingly easy to find crashes using dumb fuzzing (you can look at "radamsa"). To get more accurate results, you can use American Fuzzy Lop, which guides the fuzzing using live coverage information.
      • Incidentally, there has been some good work on improving the quality of fuzzing []. In the future we may have fuzzing tools that use genetic algorithms to modify the input and get as deep into the program as they can. I don't know of any tools that have incorporated this yet, but it's an area worth paying attention to.
      • For C code, you can use clang's built in fuzzer []. With clang's other sanitizers checking that you aren't triggering any other undesirable behaviour.
  • Back in the 70s when there were various mini computer manufacturers each with their own architecture. I worked for one of those, and we tested our code. I don't think anybody did deliberate 'fuzzing' (though I do believe a concept kinda like that was talked about.) But some pretty hairy bugs were found by accident. People making typos when trying to enter legitimate commands, that kind of thing.

  • A good use for systemd

"For a male and female to live continuously together is... biologically speaking, an extremely unnatural condition." -- Robert Briffault