Date: Mon, 1 Jul 2019 15:08:37 +0200 From: Adrien Nader <adrien@...k.org> To: oss-security@...ts.openwall.com Subject: Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Hello, On Mon, Jun 24, 2019, Stuart D. Gathman wrote: > Question: is fuzzing useful for languages like Java/python? Obviously, > you eventually reach a native code module in both cases, but fuzzing > the entire virtual machine is cumbersome. Maybe native code > libraries > for "safe" languages should include fuzzing as part of testing. AFL is used in the OCaml world despite it being clearly a "safe" language. There's a git repo with a couple examples and there are more in the wild: https://github.com/NathanReb/ocaml-afl-examples . OCaml guarantees that you don't have undefined behaviour but there's nothing that prevents you from doing a typo in a string value, using multiplication instead of addition, not catching an exception you wanted to catch or as others have said, use more memory than expected. These are basically logic errors and very few languages guarantee that you'll avoid them (static typing helps in more than 90% of cases but less than 99.999% of them). -- Adrien
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.