Fuzzy interfaces

re: Fuzzy interfaces

Mo — Wed, 20 Oct 2004 21:30:00 GMT

Grammar pedant:

"Your code can't be considered to be secure unless it's external interfaces have been fuzzed."

That should be "its" :)

re: Fuzzy interfaces

Larry Osterman — Wed, 20 Oct 2004 21:32:00 GMT

Nitpicker.

re: Fuzzy interfaces

Richard — Wed, 20 Oct 2004 21:55:00 GMT

<i>If we lived in a world where the bad guys were forced to write valid code, then that attitude would probably be ok, but that's not the world in which we live. The bad guys aren't going to use valid HTML to attack your web browser. They're going to use invalid HTML. So it's critical that your browser deal with both valid AND invalid HTML.</i>

No, they're far more likely to use javascript interpreter bugs, vbscript interpreter bugs, and local zone scripting exploits.

re: Fuzzy interfaces

Larry Osterman — Wed, 20 Oct 2004 22:07:00 GMT

Richard, why would they go to all that effort if they can use basic HTML to compromise your machine?

You're making the same mistake that the /. people made. The bad guy will go after your softest attack spot. So you can't have ANY soft spots.

If your HTML renderer has security holes, it's just as bad as if your scripting engine has security holes (and according to Eric Lippert, there haven't been any scripting engine bugs in MS's scripting engine in quite some time).

re: Fuzzy interfaces

Norman Diamond — Thu, 21 Oct 2004 00:47:00 GMT

10/20/2004 3:07 PM Larry Osterman

> The bad guy will go after your softest
> attack spot.

Now you're making almost the same mistake that you accused Richard of, though slightly varied.

The bad guys and gals can go after all kinds of attack spots. Whether or not you know that one kind of attack spot is easier today or more popular today or whatever, you cannot ignore harder ones because anyone who wants to pursue them still can.

It is commonly said that, to reduce the likelihood of your car getting stolen, you only have to make it harder to steal your car than to steal the car next door. When a thief wants to steal one car and is easily willing to give up with one and go on to try the next one, that is true. When a lot of thieves (whether a gang or just a lot of independents) wants to steal as many as possible, suddenly your minimum protection is meaningless.

Back to the base note:

> I'd try null characters, characters outside
> the ASCII (0-127) range, illegal UTF8
> characters.

You'd try illegal characters, legal characters, and illegal characters. Sure, all kinds of illegal and legal and illegal received byte sequences really do need to be tested, but that's kind of a weird way to say so.

re: Fuzzy interfaces

Simon Cooke [exMSFT] — Thu, 21 Oct 2004 03:58:00 GMT

Norman wrote:
> The bad guys and gals can go after all kinds
> of attack spots. Whether or not you know
> that one kind of attack spot is easier today
> or more popular today or whatever, you
> cannot ignore harder ones because anyone who
> wants to pursue them still can.

Splitting hairs, Norman. Fact is, exploitable parser bugs are just as bad if not worse than jscript bugs, malformed jpeg bugs, etc. Richard's approach of "hey, you don't need to fix those bugs because there are other attack vectors which will be used first" is a rather lackadasical one.

> You'd try illegal characters, legal
> characters, and illegal characters. Sure,
> all kinds of illegal and legal and illegal
> received byte sequences really do need to be
> tested, but that's kind of a weird way to
> say so.

Null characters are not illegal, Norman. That's one of the rules of Unicode - and the HTTP protocol. And ASCII. NUL is a valid character in pretty much everything but the C and C++ languages. If you don't believe me, check out the ASCII spec.

re: Fuzzy interfaces

Ben Roe — Thu, 21 Oct 2004 10:15:00 GMT

>And the number of people who seem to believe that it's
>better to crash than to fail on invalid input
>distresses me immensely.

Don't take it seriously - it's Slashdot, not "OSS Developers-Only". While there may be a few sensible posters left, hardly anyone there any more actuallydoes any OSS development or knows what they're talking about.

Hell, I used "!=" in a comment recently and got a bunch of replies from people who clearly didn't know what it meant (and were offended by what that my comment implied if you thought it meant equals).

re: Fuzzy interfaces

JW — Thu, 21 Oct 2004 14:13:00 GMT

This is scary. And it highlights a fundamental flaw in the perception that's used to evaluate mainstream software.

Many believe that Microsoft software has a lot of bugs. They are correct. But what they don't realize, I think, is how many bugs it doesn't have. The latter is just as much a measure of quality as a standing bug count.

Where Mozilla--a browser which is gaining market share--is concerned, I must ask: where's the forest for the trees in this issue?

It's not enough for the browser to simply be security-tested. There has to be a security _mindset_ throughout the development team, to increase that count of "bugs that didn't happen." More so, there needs to be accountability to security issues. Where these come from, is beyond me.

How can Mozilla Firefox claim to be "safer" (on its home page at mozilla.org), with what evidently amounts to no actual safety verification? As I understand it, these "fuzz" tests are pretty basic, and they are taking place independently _after_ the browser has been distributed in the millions.

Where a real company is concerned, this should be the basis for liability. Or at least the public perception of raw naivety. Especially with regards to what software quality actually is--it is certainly more than the absence of Microsoft's influence.

re: Fuzzy interfaces

ATZ Man — Thu, 21 Oct 2004 17:19:00 GMT

When was the /last/ time you heard about someone doing the fuzzy markup challenge on all the browsers?

/me waits for answer
/me gives up

You haven't heard of this before and it hasn't been done to browsers before, by a white hat who would publish anyway. The concept of this kind of test for any program or API is so old, the first articles written about the idea (in general for all programs) are now yellow and crumbling.

What would the outcome have been had the test been done 2 years ago? 5 years ago? or 1994? It is kind of a lucky accident for Microsoft that they didn't get this particular PR black eye. It's not because the bought-in Spyglass code was so good.

re: Fuzzy interfaces

Larry Osterman — Thu, 21 Oct 2004 17:36:00 GMT

ATZ Man,
You're totally right. Microsoft started doing this testing a couple of years ago, when we woke up and realized the kind of problem we had. Now every network facing interface must be fuzzed before test has signed off on it, because the dangers are so great.

Hopefully the rest of the industry will soon too. Michal did a great service to the entire community with his post. It's a shame that so many people jumped down his throat for doing it.

re: Fuzzy interfaces

foxyshadis — Thu, 21 Oct 2004 23:02:00 GMT

I'm just curious, have many of the security patches over the last few years for XP, IE, and such, been found by automatic fuzzing? Or has this mostly only been used on newly changed codebases during validation?

re: Fuzzy interfaces

Norman Diamond — Fri, 22 Oct 2004 00:14:00 GMT

10/20/2004 8:58 PM Simon Cooke [exMSFT]

> Null characters are not illegal, Norman.
> That's one of the rules of Unicode

Of course.

> - and the HTTP protocol.

OK, in that case I stand corrected. Where some recent security patches adjusted the display of some strings that had null characters in the middle of the strings, I thought that they were adjusting the display of _illegal_ URLs so that victims would be less likely to be deceived by some spamming hackers. Now I understand that they were adjusting the display of _legal_ URLs, though still so that victims would be less likely to be deceived by some spamming hackers. Thank you.

> If you don't believe me, check out the ASCII
> spec.

I don't need to look at a foreign character specification, domestic character sets have it too. It's even a single byte in all of JIS, EUC, and SJIS. But I thought (and I think it looks like Mr. Osterman thought) that HTTP specs didn't allow them in the middle of strings.

Of course, programs still need to act safely (accepting or rejecting) strings regardless of whether the strings' bytes are legal or illegal. I agree with Mr. Osterman on that.

Geek Notes 2004-10-26

Geek Noise — Tue, 26 Oct 2004 23:18:00 GMT

Geek Notes 2004-10-26

Geek Noise — Thu, 28 Oct 2004 20:45:00 GMT

re: Fuzzy interfaces

DoesntMatter — Sat, 30 Oct 2004 16:56:00 GMT

In other news this month's security hole in IE happens to be URL spoofing vulnerability found by Netcraft. Mr. Osterman was unavailable for comments on IE's handling of bad HTML.

More details at http://news.netcraft.com/archives/2004/10/29/new_url_spoofing_flaw_found_in_internet_explorer.html

re: Fuzzy interfaces

Larry Osterman — Mon, 01 Nov 2004 18:07:00 GMT

Doesn'tMatter: Did I EVER say that IE was perfect?

All I said was that fuzzing your inputs is a required part of security testing.

And that if you want to stake a claim of being the most secure browser, you'd better be able to back up that claim.

Whidbey security push: what are we doing there?

Mikhail Arkhipov (MSFT)'s WebLog — Tue, 14 Dec 2004 09:12:00 GMT

Fuzzy Browser Bugs

Nice Ventures Blog — Tue, 25 Apr 2006 18:32:14 GMT

Periodically, the security world remembers that many exploits are generated through the deliberate passing of malformed code/requests and gets excited by &quot;fuzzing techniques&quot; that typically identify dozens or even hundreds of bugs in

Information on the Whidbey Security Push

The Coffeehouse — Thu, 05 Jun 2008 09:01:11 GMT

Many teams here are currently in the middle of the

Technology» Blog Archive » Fuzzy Browser Bugs

Technology» Blog Archive » Fuzzy Browser Bugs — Mon, 05 Jan 2009 18:26:45 GMT

PingBack from http://tech.blog.extendance.com/2006/04/26/fuzzy-browser-bugs/

Larry Osterman s WebLog Fuzzy interfaces | Hair Growth Products

Larry Osterman s WebLog Fuzzy interfaces | Hair Growth Products — Tue, 09 Jun 2009 11:39:40 GMT

PingBack from http://hairgrowthproducts.info/story.php?id=3170