Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 1 Jul 2019 15:08:37 +0200
From: Adrien Nader <adrien@...k.org>
To: oss-security@...ts.openwall.com
Subject: Re: Thousands of vulnerabilities, almost no CVEs:
 OSS-Fuzz

Hello,

On Mon, Jun 24, 2019, Stuart D. Gathman wrote:
> Question: is fuzzing useful for languages like Java/python?  Obviously,
> you eventually reach a native code module in both cases, but fuzzing
> the entire virtual machine is cumbersome.  Maybe native code
> libraries
> for "safe" languages should include fuzzing as part of testing.

AFL is used in the OCaml world despite it being clearly a "safe"
language. There's a git repo with a couple examples and there are more
in the wild: https://github.com/NathanReb/ocaml-afl-examples .

OCaml guarantees that you don't have undefined behaviour but there's
nothing that prevents you from doing a typo in a string value, using
multiplication instead of addition, not catching an exception you wanted
to catch or as others have said, use more memory than expected. These
are basically logic errors and very few languages guarantee that you'll
avoid them (static typing helps in more than 90% of cases but less than
99.999% of them).

-- 
Adrien

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.