Fuzzing Like It’s 1989

131 points by ploggingdev, over 6 years ago

5 comments

tyoma, over 6 years ago
Author here.

The predictions and insights from the two papers were fascinating to read with 30 years of hindsight.

I also ran the random input generating “fuzz” tool against everything in /usr/bin (after some very minor fixes to get fuzz to build using ANSI C89). I can post the results later if there is interest.
dane-pgp, over 6 years ago
The Debian discussion for the ul/glibc issue:

https://lists.debian.org/debian-glibc/2016/09/msg00177.html

mentions this bug:

https://sourceware.org/bugzilla/show_bug.cgi?id=20632

"This seems quite exploitable to me: we end up overwriting a function pointer that malloc invokes. If an attacker can invoke the process with stderr closed (easy to do from a shell), and can control what text the process outputs to stderr, the attacker can execute arbitrary code."

If that's true, I can't help wondering if an exploit for this is already sitting in some blackhat's tool box somewhere.
freedomben, over 6 years ago
The real bombshell here that I find terrifying, is that there is still an open and (likely) exploitable bug in glibc that has been around for years and isn't getting attention. glibc is *everywhere* and used by almost *everything*. If you program in almost any modern language like ruby, node.js, python, java, C, C++, or more, you are calling functions in glibc.

Note: Unless you use an alternative libc implementation such as musl, which is standard on things like Alpine Linux for example. However, glibc is by far the most common.
entwife, over 6 years ago
Thanks. I read the Bart Miller papers for professional reasons late last year. It is very, very helpful to read contemporary discussion of this topic.
ape4, over 6 years ago
Good article