[Dailydave] The difference between block-based fuzzing and AFL

Dave Aitel dave.aitel at gmail.com
Tue Sep 13 11:33:41 EDT 2016


So let's take a quick break from thinking about how messed up Wassenaar is
or what random annoying thing the EFF or ACLU said about 0day today and
talk about fuzzers. AFL has everyone's mind share, but I have to point
out that it is still a VERY specialized tool.

The process of taking a file, sending it into some processing unit, and
then figuring out if it crashes, sounds easy and generic. But in practice
you have to carefully optimize how you do it to get any kind of speed and
effectiveness out of it.

This is another thing about the Cyber Grand Challenge: I think they
optimized the problem set in a way using that limited system call VM for
AFL-like fuzzers. I'm just going to assume none of the problem sets were a
complex RPC-like protocol, because we would have seen zero people solve
them and DARPA knows that.

What I mean is this: It is very hard to optimize the block-based fuzzing
technique for automation. But they solve two completely different types of
problems.

AFL-like fuzzers excel at files for one reason: Files don't do computation.
SPIKE-like fuzzers excel at protocols because they are there to handle
challenge responses, size-fields, checksums, encryption, and other things
common in network protocols. There are also minor differences in how they
handle mutation. And of course, in many cases a SPIKE-like fuzzer is EASIER
to set up and use than something like AFL, with less problem-optimization
needed for valuable results.
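To make the size-field and checksum point concrete, here is an added example (not from the post, and not SPIKE or AFL code) using a small constructed, hypothetical message format: a dumb byte flip on the serialized message never gets past the framing checks, while a block-style builder that recomputes length and checksum around the mutated payload always does.

```python
import struct
import zlib

MAGIC = b"\x4d\x51"  # constructed 2-byte magic for the hypothetical format


def build_message(payload: bytes) -> bytes:
    """SPIKE-style block builder: the size field and checksum are recomputed
    from the (possibly mutated) payload, so every case stays well-framed."""
    header = MAGIC + struct.pack(">H", len(payload))
    body = header + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_message(data: bytes) -> bytes:
    """The 'processing unit': rejects anything that fails the framing checks
    before the payload itself is ever looked at."""
    if len(data) < 8 or data[:2] != MAGIC:
        raise ValueError("bad magic or truncated")
    (length,) = struct.unpack(">H", data[2:4])
    if len(data) != 8 + length:
        raise ValueError("length field disagrees with message size")
    body = data[:4 + length]
    (crc,) = struct.unpack(">I", data[4 + length:])
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        raise ValueError("checksum mismatch")
    return body[4:]


def reaches_parser_logic(data: bytes) -> bool:
    """True when a fuzz case passes framing and the payload gets examined."""
    try:
        parse_message(data)
        return True
    except ValueError:
        return False


def byte_flip_mutation(data: bytes, pos: int) -> bytes:
    """AFL-style mutation of the serialized bytes: length and checksum are
    not fixed up, so the case dies in the framing checks."""
    mutated = bytearray(data)
    mutated[pos] ^= 0xFF
    return bytes(mutated)


def block_mutation(payload: bytes, filler: bytes) -> bytes:
    """Block-style mutation: fuzz one block, let the builder fix the rest."""
    return build_message(payload + filler)


def cases_reaching_parser(payload: bytes) -> tuple:
    """Count how many single mutations of each kind get past framing."""
    base = build_message(payload)
    naive = sum(reaches_parser_logic(byte_flip_mutation(base, i)) for i in range(len(base)))
    block = sum(reaches_parser_logic(block_mutation(payload, b"A" * n)) for n in range(len(base)))
    return naive, block
```

For a 5-byte constructed payload, none of the 13 byte flips reach the parser's real logic, while all 13 block-built cases do.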

But still, no comparison of a file-fuzzer to a block-based or protocol
fuzzer (PEACH/SPIKE/CODENOMICON) is going to be apples to apples. It's more
like apples to dragons.

-dave