Respect The Fuzzer

This image from Charlie Miller’s CanSecWest presentation (credit InfoSec Events) shows how a small home-brewed fuzzing tool found multiple exploitable vulnerabilities in Apple’s Preview, Microsoft’s PowerPoint and OpenOffice. At the Pwn2Own contest, all the vulnerabilities used in the winning exploits were found via fuzz testing, a technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails, the crashes can point to software defects and vulnerabilities. It is clear that software vendors — even the big ones that already do internal fuzzing — must do a better job of fuzzing to kill as many bugs as possible before software products hit the market.