Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 11 Nov 2014 18:01:13 -0800
From: Michal Zalewski <>
To: oss-security <>
Subject: Re: Re: strings / libbfd crasher

> Is codebase generally much better? You aim at "the more difficult or
> better-fuzzed targets" but what about other software? Or put it another way:
> how big portion of widely used software you consider "the more difficult or
> better-fuzzed targets"?

Most of the open-source libraries used in browsers (libpng,
libjpeg-turbo, zlib, etc), as well as most of the mature and popular
network daemons (Apache, OpenSSH, etc) and other components
well-understood to be critical to security (e.g., most setuids, most
compression utilities) are comparatively better. They are not perfect,
but it is widely accepted that you'd need a lot of effort and luck to
find bugs in them.

The problem with libbfd is that it had genuinely very little range
checking in place, probably because it wasn't designed to be ever run
on binaries you do not intend to execute. The default operation of
/usr/bin/strings and the way many people ended up using it arguably
violates that assumption in a particularly pronounced way. Tools such
as objdump are a bit of a grey area, too.

There are several other libraries and tools that are probably a bit
wonky when you factor way their popularity (e.g., tcpdump probably
leaves something to be desired - it's fairly easy to hit crashes when
fuzzing pcaps; ImageMagick used to be relatively bad, too, although it
probably have improved in recent years; ffmpeg and poppler are other
examples of things you should probably vaguely worry about; font
parsers and GL drivers, as exposed through the browser, are another
interesting risk).

There is also plenty of emerging projects, especially on the cloud /
web front, that have received minimal scrutiny.

Now, the quality of the *average* OSS project is probably comparable
to libbfd, but the average OSS project is probably less likely to be
exposed to untrusted inputs under normal operating conditions.

> This leads to a question: how to deal with it.

Well, hard to say. The simplest option is to dump all the test cases
or the fuzzer onto the maintainer. Some will get busy troubleshooting
the issues or will even set up their own fuzzing jobs, some will give
you funny looks.

When that happens, you can either try to research and prioritize the
test cases, or make everything public and hope that others will sort
it out. But it may very well be that if you do that without
researching exploitability, people won't notice or care, unless you
have a good publicist or do a really catchy conference presentation.

Even with a lot of PR, success isn't necessarily guaranteed. The
Mayhem fuzzing effort ( comes to
mind as a fairly prominent example of a high-profile PR event coupled
with dumping an immense amount of almost universally non-security bugs
into the Debian tracker; but more than a year later, something like
800 of them are still open, so ultimately, the results are somewhat

In the end, unless you can make a plausible argument that something is
probably a security risk, you don't have a lot of ground to stand on.
Can be a bad thing, can be a good one =)

>> [...multiple instances of the same coding pattern...]
> So, can such cases be deduped automatically? Or should they? Or you mean
> that they are easy to analyze manually?

I don't know of a way to de-dupe that manually. Even if the coding
pattern is conceptually the same, the compiler may output different
code for each location, etc.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.