Date: Sun, 7 Jun 2015 17:47:14 +0300
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: Fuzzing Report on hashes

Kai,

Thank you for posting this!

On Sun, Jun 07, 2015 at 10:32:20PM +0800, Kai Zhao wrote:
> The fuzz.pl script mutates hashes based on the test cases in the source
> code. There are 4 methods in fuzz.pl to mutate hashes.

... and more should be added, in particular replacing chars not only with
'9' and '$', but also with '*' and '#' as suggested by Frank (trivial to
add). And detection of false positives should be added.

> I have analyzed the samples from Solar's fuzzing. There are 8 bugs.
> I have submitted these bugs to jumbo.

I've skimmed over the GitHub issues you created. These mostly look right
to me (although I would have used more descriptive names for some of
them). There's, however, a major omission: you didn't create any issues
for the false positives. This is probably two issues:

http://www.openwall.com/lists/john-dev/2015/06/07/2

You could want to revise your fuzzing to detect false positives too.
Both with fuzz.pl and afl.

> https://github.com/magnumripper/JohnTheRipper/issues/1384
> https://github.com/magnumripper/JohnTheRipper/issues/1385

These two division by zero possibilities for r=0 and p=0 are both
already fixed in the current yescrypt code. We just need to update.

> There are 20 bugs found by afl. I have submitted them to jumbo.
>
> https://github.com/magnumripper/JohnTheRipper/issues/1392
> to
> https://github.com/magnumripper/JohnTheRipper/issues/1412

Isn't this 21 issues? 1412-1392+1 = 21

> command_line : afl-fuzz -m none -i input_cases/ -o out/ ../../john @@
> --nolog --skip-self-test

You could want to enhance this with --session and --pot pointing to
files on a tmpfs mount, and run multiple processes at a time (I don't
know how this is done with afl; you should know) with different session
files for each concurrent child process.

Alexander
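The character-replacement mutation the thread discusses, as an added example that is not fuzz.pl or any John the Ripper code: it generalizes the method to the full replacement set '9', '$', '*' and '#', and filters the mutants through a hypothetical stand-in for a format's valid() (a structural check for md5crypt-shaped strings, not JtR's real one) so only mutants john would actually accept are kept. The sample hash is constructed; fuzz.pl's other three mutation methods are not on the page and are not modeled.

```python
# Added example, not fuzz.pl: single-character replacement mutation of
# hash strings, plus a valid()-style filter. Sample hash is constructed.
from typing import Callable, Iterable, List, Set

# '9' and '$' are what fuzz.pl already uses; '*' and '#' are the additions
# suggested in the thread.
REPLACEMENTS = "9$*#"


def mutate_replace(hash_str: str, chars: str = REPLACEMENTS) -> List[str]:
    """Every single-position replacement of hash_str with a char from
    `chars`, skipping no-op replacements (same char) and duplicates, in a
    deterministic order so a fuzzing run is reproducible."""
    seen: Set[str] = set()
    out: List[str] = []
    for pos, orig in enumerate(hash_str):
        for c in chars:
            if c == orig:
                continue  # would only re-test the original hash
            m = hash_str[:pos] + c + hash_str[pos + 1:]
            if m not in seen:
                seen.add(m)
                out.append(m)
    return out


def md5crypt_valid(ciphertext: str) -> bool:
    """Hypothetical stand-in for a format's valid(): accepts
    '$1$<1..8 salt chars>$<22 itoa64 chars>'. Not JtR's implementation."""
    parts = ciphertext.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False
    salt, h = parts[2], parts[3]
    itoa64 = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "abcdefghijklmnopqrstuvwxyz")
    return 0 < len(salt) <= 8 and len(h) == 22 and set(salt + h) <= itoa64


def surviving_mutants(hashes: Iterable[str],
                      valid: Callable[[str], bool]) -> List[str]:
    """Mutants the format still accepts: the inputs worth feeding to john,
    and the ones whose 'cracks' need inspecting for false positives."""
    return [m for h in hashes for m in mutate_replace(h) if valid(m)]


# Constructed md5crypt-shaped sample, not a real test vector.
SAMPLE = ["$1$saltsalt$" + "a" * 22]

if __name__ == "__main__":
    muts = mutate_replace(SAMPLE[0])
    alive = surviving_mutants(SAMPLE, md5crypt_valid)
    print(f"{len(muts)} mutants generated, {len(alive)} pass valid()")
```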