Another open source fuzzing toolkit update was released today, the "Peach Fuzzing Platform v2.0".
Fuzz. As in Peach. Ha!
Anyway, how does fuzzing affect the security of one's computer? Directly, it does not. Indirectly, it does.
Fuzzing an application or service is the process of feeding malformed and unexpected input, often in combination with expected input, to an application that consumes data. This process can identify bugs or flaws in software, such as buffer overflows and format string errors. Once these bugs are uncovered, determined individuals may write code to exploit them. Not all bugs are exploitable.
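To make the process concrete, here is a small mutation-based fuzzer written for this post as an added example; it is not code from Peach or from any other project. The record format, the seed input, the deliberately naive parser and the mutation operators are all constructed for illustration. The parser trusts a declared length field without checking it against the data actually present, a toy analogue of the memory-safety bugs that fuzzing turns up in native parsers. The fuzzer counts only unexpected exceptions as findings, treating the parser's own ValueError rejections as normal behaviour, and a checked variant of the parser shows the same fuzz run producing no findings once the input is validated.

```python
import random
import struct

# Constructed toy format: 1-byte record type, 2-byte big-endian length, payload.
SEED = b"\x01\x00\x05hello"


def parse_record(data: bytes) -> dict:
    """Naive parser used as the fuzz target (constructed for this example).

    It trusts the declared length field, so an oversized length makes the
    checksum lookup index past the end of the payload.
    """
    if len(data) < 3:
        raise ValueError("record too short")          # expected rejection
    rtype = data[0]
    declared_len = struct.unpack(">H", data[1:3])[0]
    payload = data[3:3 + declared_len]
    # Bug: assumes the payload really is declared_len bytes long.
    checksum = payload[declared_len - 1] if declared_len else 0
    return {"type": rtype, "len": declared_len, "checksum": checksum}


def parse_record_checked(data: bytes) -> dict:
    """Hardened variant: validate the length field before using it."""
    if len(data) < 3:
        raise ValueError("record too short")
    rtype = data[0]
    declared_len = struct.unpack(">H", data[1:3])[0]
    if declared_len > len(data) - 3:
        raise ValueError("declared length exceeds available data")
    payload = data[3:3 + declared_len]
    checksum = payload[declared_len - 1] if declared_len else 0
    return {"type": rtype, "len": declared_len, "checksum": checksum}


MUTATIONS = ("bitflip", "byteset", "insert", "delete", "truncate")


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation to a copy of the seed input."""
    data = bytearray(seed)
    op = rng.choice(MUTATIONS)
    if op == "bitflip" and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif op == "byteset" and data:
        i = rng.randrange(len(data))
        data[i] = rng.choice((0x00, 0x7F, 0x80, 0xFF))    # boundary values
    elif op == "insert":
        i = rng.randrange(len(data) + 1)
        data[i:i] = bytes([rng.randrange(256)]) * rng.randrange(1, 8)
    elif op == "delete" and len(data) > 1:
        del data[rng.randrange(len(data))]
    elif op == "truncate" and data:
        del data[rng.randrange(len(data)):]
    return bytes(data)


EXPECTED = (ValueError,)   # graceful rejections the parser is designed to raise


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 0) -> list:
    """Run the target on mutated inputs; return (exception name, input) pairs
    for every exception the target was not designed to raise."""
    rng = random.Random(rng_seed)   # seeded so a run is reproducible
    findings = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except EXPECTED:
            continue
        except Exception as exc:     # anything else is a candidate bug
            findings.append((type(exc).__name__, case))
    return findings


def summarize(findings: list) -> dict:
    """Group findings by exception type, a first triage step."""
    counts = {}
    for name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for name, target in (("naive", parse_record), ("checked", parse_record_checked)):
        found = fuzz(target, SEED, 2000)
        print(f"{name}: {len(found)} findings, by type: {summarize(found)}")
        for exc_name, case in found[:3]:
            print(f"  {exc_name}: {case!r}")
```

Within a few hundred iterations the naive parser throws IndexError on inputs whose length field was flipped or whose payload was truncated, while the checked parser rejects the same inputs cleanly. Real fuzzers replace the exception check with crash detection on a native process and add coverage feedback to guide mutations, but the loop of mutate, run, and record is the same.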
The easier, more open and more popular fuzzing becomes, the more likely it is that vulnerabilities in applications are found. Some of the vulnerabilities behind the frequent hotfixes and updates Microsoft releases for its OS and browser software are found by individuals performing fuzz testing (and, most likely, some amount of reversing). Rumor has it the largest fuzzing project in the history of software development was performed by Microsoft's own developers and security teams over the past couple of years on their own compiled code.
The Peach platform can fuzz data consumers of many types, including file format parsers, network services, third-party plugins like those from QuickTime and Adobe, and most any other software.
ImmunitySec and Dave Aitel have been releasing this sort of software for years, with SPIKE, SPIKE Proxy, and Sharefuzz.
What do our readers think of ethical hacking, exploit development and the spread of these sorts of tools? Please post a comment if you have an opinion on the subject. We'd love to hear from you.