
Why the OpenSSL punycode vulnerability was not detected by fuzz testing (2022)


So recently a very hyped memory corruption security vulnerability was discovered in the OpenSSL punycode parser.

Some folks including Hanno (https://twitter.com/hanno/status/1587775675397726209) asked why this is still happening, why no one wrote a fuzzer for the punycode parser, and whether we as the security community have learned nothing from Heartbleed.

Generally, the Introspector does not always work perfectly and is easy to break: it is a static analysis tool, so it gets confused by function pointers and cannot infer anything that happens at runtime, for example when your code makes heavy use of C++ classes or a hashtable for lookups. And strictly speaking, this applies to all the other fields too: instead of just storing the libFuzzer-generated corpus in the tree, it would be better to manually provide various inputs that exercise the difficult functionality.
