Date: Sat, 7 Mar 2015 22:59:32 +0800
From: Kai Zhao <loverszhao@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: Any advice on how to fuzz john jumbo by AFL

Hi Frank, thank you for your reply.

> 1.8.0-jumbo-1 definitely had several issues.
> But after the 1.8.0-jumbo-1 release, I discovered and reported lots of
> such issues, and Jim fixed them all, IIRC.

It's amazing!

> I used Alexander's fuzzing scripts, or slightly modified versions of his
> scripts.
> So, I think, the situation is now (latest bleeding-jumbo) way better
> than it has been for 1.8.0-jumbo-1.

Would you please show me Alexander's fuzzing scripts? Thank you.

On Sat, Mar 7, 2015 at 10:50 PM, Frank Dittrich <frank.dittrich@...lbox.org>
wrote:

> On 03/07/2015 02:30 PM, Solar Designer wrote:
> > On Sat, Mar 07, 2015 at 09:22:30PM +0800, Kai Zhao wrote:
> >> john jumbo is robust
> >
> > I wish this were the case, but it definitely is not.
> >
> > I'd like Alexander Cherepanov to comment on this, as he'd need to
> > (co-)mentor this project.  His custom fuzzer was spewing bugs in jumbo
> > before, and there's no indication we ran out of those - in fact, we
> > certainly introduced new bugs since then.
>
>
> 1.8.0-jumbo-1 definitely had several issues.
> But after the 1.8.0-jumbo-1 release, I discovered and reported lots of
> such issues, and Jim fixed them all, IIRC.
>
> See, for instance,
>
> https://github.com/magnumripper/JohnTheRipper/search?q=segfault&type=Issues&utf8=%E2%9C%93
>
> I used Alexander's fuzzing scripts, or slightly modified versions of his
> scripts.
> So, I think, the situation is now (latest bleeding-jumbo) way better
> than it has been for 1.8.0-jumbo-1.
>
> There might have been new bugs introduced meanwhile, and the GPU formats
> didn't get tested that much, so these might still have some more bugs,
> even though there was some effort to unify the CPU and GPU format
> implementations of valid(), prepare(), etc.
> Plus, LUKS format is probably still buggy, but there are more important
> things to be addressed for this format, see
> https://github.com/magnumripper/JohnTheRipper/issues/557
>
>
> Frank
>



-- 
loverszhaokai
motto:You got a dream and you gotta protect it.
github:https://github.com/loverszhaokai
blog:http://www.cnblogs.com/lovers/