Code testing? No, thanks
Wednesday, 12 July 2006

Tests, the ultimate frontier for securing the code produced every day and night all over the world.

If only programmers could perform them. Instead, security researchers work day and night to check the systems used every day by millions of users around the world, releasing the information necessary to prevent users from being abused by malicious files, be they programs or documents, which could hand the keys to the system to an unknown attacker.

So, code testing? No, thanks, we're ... put here your favourite excuse for delivering for speed rather than for quality: you're too busy, you're under too much pressure, you were asked to deliver for yesterday (this one very common indeed), or you simply do not know how, or, worse, you do not care; in the end it's not your job, you're not a security expert, you're just a programmer... but you're putting your users in trouble. And we wonder how long it will take before legal action for loss recovery is brought against software firms responsible for delivering buggy code.

We're not talking about the so-called "standard" security tests. Security experts are now working with "fuzzers". Fuzzers are programs/procedures that help security testers change every single input that is supposed to be "fixed" in the programmer's mind. In fact, curiosity pushes researchers to change the unchangeable. All fields that programmers consider "bound" or "fixed" just because only their program "usually" manages those fields are routinely altered to play the "what if" game against all possible inputs. And that brings us to the next consideration. Input is not only "input". Input is an environment variable (Unix users know this VERY well), any non-fixed (i.e. delimited in some way) part of a document that the software interprets, and, in general, every single variable containing data that anybody can alter, either offline or at runtime.

So now fuzzers are actually helping researchers play the "core dump made easy" game, which can easily (though not automatically) lead to an exploit.
Up to now we know of an internet browser fuzzer, which can test several ways to crash browsers, and more than one network fuzzer, which, by creating specially crafted packets, tests network drivers and applications for resistance.

This is how lately all these bugs in Office/Internet Explorer have been found, and how wireless drivers have been exploited simply because the wireless card was enabled.

Still, we do not know of any automated testing tool that could help check for bugs in applications whose file format is (almost) known.

Yet.
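As an added example (not from the article), here is the "what if" game from the paragraphs above played against a constructed toy file format: a mutation fuzzer flips bytes in the header fields a naive parser treats as "fixed", and a hardened parser shows the check that turns a crash into a clean rejection. The format, both parsers and the fuzz loop are assumptions made for illustration only.

```python
import random
import struct

# Constructed toy file format (an assumption, not from the article):
#   magic "ZH" | version u8 | length u16 (big-endian) | payload[length] | 1 trailer byte
MAGIC = b"ZH"


def build_file(payload: bytes, version: int = 1) -> bytes:
    """Produce a well-formed file plus trailer: the only shape the naive parser expects."""
    return MAGIC + struct.pack(">BH", version, len(payload)) + payload + b"\x00"


def naive_parse(data: bytes) -> bytes:
    """Trusts the header: the length field is assumed 'fixed' and honest."""
    version, length = struct.unpack(">BH", data[2:5])
    payload = data[5:5 + length]
    # Reads the trailer byte at an offset derived from the untrusted length;
    # with a lying length field the index does not exist -> IndexError
    # (the Python stand-in for the article's "core dump").
    _trailer = data[5 + length]
    return payload


def hardened_parse(data: bytes) -> bytes:
    """Validates every field the format claims to have before trusting it."""
    if len(data) < 6 or data[:2] != MAGIC:
        raise ValueError("bad header")
    version, length = struct.unpack(">BH", data[2:5])
    if version != 1 or 5 + length + 1 > len(data):
        raise ValueError("length field exceeds file size")
    return data[5:5 + length]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Overwrite one byte anywhere, header fields included: nothing is 'fixed'."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(parser, seed: bytes, rounds: int = 500, rng_seed: int = 1) -> list:
    """Return the mutated inputs that made `parser` fail in an unexpected way."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(rounds):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            pass           # a clean rejection is the correct behaviour
        except Exception:  # anything else is a bug the fuzzer just found
            crashes.append(case)
    return crashes
```

Running `fuzz(naive_parse, build_file(b"hello"))` returns the inputs whose corrupted length field drove the parser past the end of the buffer, while the hardened parser yields an empty list.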

What security researchers have to pay attention to is that, while they look for ways to help the community protect itself from intrusions, the companies they're involuntarily helping may sue them for doing so.

Instead of thanking!

Can you believe that?

We cannot.
