The ebook "Open Source Fuzzing Tools" covers: introduction to vulnerability research, fuzzing—what’s that, building a fuzzing environment, open source fuzzing tools, commercial fuzzing solutions, building your own fuzzer, integration of fuzzing in the development cycle, and other contents.
Content extracted from the document:
Ebook Open source fuzzing tools
Gadi Evron David Maynor
Noam Rathaus Charlie Miller
Robert Fly Yoav Naveh
Aviram Jenik
Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively
“Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is
sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other
incidental or consequential damages arising out from the Work or its contents. Because some states do not
allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation
may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working
with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author
UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition of
a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like
One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks
or service marks of their respective companies.
PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803
Open Source Fuzzing Tools
Copyright © 2007 by Elsevier, Inc. All rights reserved. Printed in the United States of America.
Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced
or distributed in any form or by any means, or stored in a database or retrieval system, without the
prior written permission of the publisher, with the exception that the program listings may be entered,
stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
ISBN 13: 978-1-59749-195-2
Publisher: Amorette Pedersen
Acquisitions Editor: Patrice Rapalus
Cover Designer: SPi
Page Layout and Art: SPi
For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director
and Rights, at Syngress Publishing; email m.pedersen@elsevier.com.
Contributing Authors
Gadi Evron is Security Evangelist for Beyond Security, chief editor of the
SecuriTeam portal and recognized globally for his work and leadership in
Internet security operations. He is the founder of the Zeroday Emergency
Response Team (ZERT), and he organizes and chairs worldwide conferences,
working groups and task forces. He is considered an expert on corporate
security and counterespionage, botnets, e-fraud and phishing. Previously,
Gadi was CISO at the Israeli government ISP (eGovernment project) and
founded the Israeli Government CERT. He has authored two books on
information security and is a frequent lecturer.
Noam Rathaus is the co-founder and CTO of Beyond Security. He holds
an electrical engineering degree from Ben Gurion University and has been
checking the security of computer systems from the age of 13. He is also
the editor-in-chief of SecuriTeam.com, one of the largest vulnerability
databases and security portals on the Internet.
Robert Fly is a Director of Product Security at Salesforce.com where he
works with the great folks there to help deliver a service that the world can
trust. At Salesforce.com he heads up the company-wide effort for building
security into the development lifecycle. Prior to Salesforce.com Robert
worked at Microsoft for about eight years, the last few spent in the Real
Time Collaboration Group as a Software Security Lead heading up a team
of very talented individuals responsible for ensuring the security of those
products.
Aviram Jenik is CEO of Beyond Security and a contributor to
SecuriTeam.com.
David Maynor is CTO of Errata Security, a consulting and product
testing cybersecurity company.
Charlie Miller spent five years as a Global Network Exploitation Analyst
for the National Security Agency. During this time, he identified weaknesses
and vulnerabilities in computer networks and executed numerous successful
computer network exploitations against foreign targets. He sought and
discovered vulnerabilities against security critical network code, including
web servers and web applications. Since then, he has worked as a Senior
Security Architect for a financial firm and currently works as a Principal
Security Analyst for Independent Security Evaluators, a security firm. He
has spoken at the Workshop on the Economics of Information Security,
Black Hat, and DEFCON.
He has a B.S. from Truman State University and a Ph.D. from the
University of Notre Dame.
Yoav Naveh works as an R&D team leader for McLean-based Beyond
Security, and is one of the chief developers of the beSTORM fuzzing framework.
He is a security researcher with 8 years of experience. He holds the rank of
Captain in the Israeli Defense Force (ret.) and is a leading authority in the
blackbox testing field.
Contents
Chapter 1 Introduction to Vulnerability Research
Statement of Scope
Off-by-One Errors ...