Gulp.<p>A team at Google pulled 20 TB(!) of SWF files out of their crawl and fed them through a simple algorithm that determined the subset of 20,000 SWF files that exercised the maximum number of basic blocks in Adobe's Flash Player.<p>Then, using 2000 CPU cores at Google for 3 weeks, they flipped random bits in those 20,000 SWF files and fed them through an instrumented Flash Player.<p>Result: 80 code changes in Flash Player to fix security bugs from the resulting crashes.<p>This is great stuff; you can imagine a <i>very</i> well organized adversary spending the money on comparable compute resources, and even (if you stretch) obtaining the non-recoverable engineering time to build a comparably sophisticated fuzzing farm. But no other entity excepting perhaps Microsoft can generate the optimal corpus of SWF files to fuzz from.<p>DO PDF NEXT, GOOGLE.<p>You've got to ask yourself: in a year or so, if there are still regular updates for exploitable zero-day memory corruption flaws in Flash, even after Google exhaustively tests the input to every basic block in the player with the union of all file format features observed on the entire Internet, what does that say about the hardness of making software resilient to attack?
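The two-step pipeline the comment above describes, shown as an added illustration that is not code from the post or from Google's project: a greedy, coverage-driven corpus distillation (pick the file that adds the most not-yet-covered basic blocks, repeat until nothing new is added), followed by random bit flips on the surviving seeds. The file names, coverage sets and stand-in file image are constructed sample values.

```python
import random
from typing import Dict, List, Set, Tuple

# Constructed sample coverage data (hypothetical values): each candidate
# SWF -> the set of player basic-block IDs it reached under instrumentation.
COVERAGE: Dict[str, Set[int]] = {
    "a.swf": {1, 2, 3, 4},
    "b.swf": {3, 4, 5},
    "c.swf": {6, 7},
    "d.swf": {1, 2, 3, 4, 5},
    "e.swf": {7, 8},
}


def distill_corpus(coverage: Dict[str, Set[int]]) -> Tuple[List[str], Set[int]]:
    """Greedy set cover: keep picking the file that adds the most not-yet-
    covered basic blocks until no remaining file adds anything new.
    Ties break on file name so the result is deterministic."""
    chosen: List[str] = []
    covered: Set[int] = set()
    remaining = dict(coverage)
    while remaining:
        best = min(remaining, key=lambda f: (-len(remaining[f] - covered), f))
        gain = remaining[best] - covered
        if not gain:
            break  # every leftover file is redundant with the chosen seeds
        chosen.append(best)
        covered |= gain
        del remaining[best]
    return chosen, covered


def flip_random_bits(data: bytes, n_flips: int, seed: int) -> bytes:
    """Dumb mutator: flip n_flips randomly chosen bits of a file image.
    A fixed seed makes each mutant reproducible from its parent."""
    rng = random.Random(seed)
    buf = bytearray(data)
    for _ in range(n_flips):
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    return bytes(buf)


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    seeds, blocks = distill_corpus(COVERAGE)
    print(f"{len(seeds)} of {len(COVERAGE)} files cover all {len(blocks)} blocks: {seeds}")
    sample = b"FWS\x0a" + bytes(range(32))  # constructed stand-in for a SWF image
    mutant = flip_random_bits(sample, 3, seed=1)
    print(f"mutant differs from its parent in {hamming(sample, mutant)} bit(s)")
```

At Google's scale the coverage sets come from an instrumented player run over the whole crawl, and the mutants are run back through that player so crashes can be collected and deduplicated.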
That blog post seems to contradict what Tavis Ormandy claimed on Twitter a few days ago, when the patch was released:<p>> <i>Adobe patched around 400 unique vulnerabilities I had sent them in APSB11-21 as part of an ongoing security audit. Not a typo.</i><p><a href="https://twitter.com/#!/taviso/status/101046246277521409" rel="nofollow">https://twitter.com/#!/taviso/status/101046246277521409</a><p>> <i>Apparently that number was embarrassingly high, and they're trying to bury the results, so I'll publish my own advisory later today.</i><p><a href="https://twitter.com/#!/taviso/status/101046396790128640" rel="nofollow">https://twitter.com/#!/taviso/status/101046396790128640</a><p>Whereas the blog post cites 400 unique crashes, 106 security bugs, and 80 code changes (the same numbers that Adobe used: <a href="http://blogs.adobe.com/asset/2011/08/how-did-you-get-to-that-number.html" rel="nofollow">http://blogs.adobe.com/asset/2011/08/how-did-you-get-to-that...</a>).<p>---<p>Regardless of the exact numbers though, this is a supremely awesome feat of security engineering. It's very impressive.
OK, I am going to say that this is just a little scary, scale-wise. And I am thinking that the 2000 cores they used was some teeny fraction of what they might have deployed if they really needed it.