A while back I was chatting with someone at INFILTRATE, over fried
alligator and more alcohol than I probably should have imbibed, and he
said, "We're going to make fuzzing obsolete, because we have more CPUs on
the problem than anyone can reasonably duplicate, and we're going to
exhaust the space".
And it's PLAUSIBLE in a way. I've watched a few of the live streams that
Brandon Falk does, and you can see how like, for a certain subset of
problems throwing more CPU and Power than Zeus at the fuzz problem might
actually drain the oceans we all swim in.
But lots of plausible stuff is still dead wrong. I spun up a private fuzzer
a few weeks ago with some random test harness and popped a bug[1] in a
popular browser almost by mistake. Now I'm spending hours and hours poring
over C code trying to find the root cause so I can control it, which since
I am so out of practice is not unlike a coal locomotive trying to drive
down one of the new Boring Company tunnels, coughing black oily smoke all
over those shiny white Teslas. How do you install Ctags again?
If you're bored, this Sunday, or any Sunday, you can watch this talk on
CONOPS I put together, after spending too much time reading bad cyber
policy papers: https://youtu.be/6l28f_x54gM. It might be related, it might
not. The world is unknowable, like the results of a fuzzer.
Some part of all of this is a lesson that when it comes to bug finding,
it's not only ok to be different - to be from a different era, or to think
in a different way - it's almost required. Team BigCorp can spin up all the
VMs in the world, and if they don't love the same bugclasses you do, they
will have optimized away from finding the bugs you find.
Also, I want everyone to help publicize this so we can change the world for
the better, even if just a bit. Send it to your friends! Think of cool
things to do with it!
https://twitter.com/NSPFoundation/status/1379849502199144449?s=20
-dave
[1] a3ca63d4929c08a18c4418e039557e6d lol, I had trouble getting this hash
but in the process found out it hits the default Windows 10 Home (not Pro,
because Dwizzle hasn't sent me that yet) as well.