List: oss-security
Subject: Re: [oss-security] Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz
From: Matthew Fernandez <matthew.fernandez () gmail ! com>
Date: 2019-06-24 23:44:03
Message-ID: 93CB7010-1297-4AD4-80D6-ABCC920929AF () gmail ! com
> On Jun 24, 2019, at 09:42, Bob Friesenhahn <bfriesen@simple.dallas.tx.us> wrote:
>
> On Mon, 24 Jun 2019, Stuart D. Gathman wrote:
> >
> > Question: is fuzzing useful for languages like Java/python? Obviously,
> > you eventually reach a native code module in both cases, but fuzzing the entire
> > virtual machine is cumbersome. Maybe native code libraries for "safe" languages
> > should include fuzzing as part of testing.
>
> There is nothing about languages like Java and Python which necessarily makes them
> safe. Access outside of memory bounds is just one issue which often afflicts
> C/C++. Java and Python can easily do something wrong such as use all available
> resources or never finish. In the case of Python, Python can easily make arbitrary
> calls into C code under control of the script.
With something like ctypes? I took Stuart's point to be about fuzzing the language VM
(e.g. CPython), rather than fuzzing extensions written in C. Fuzzing the FFI into
native code seems like a reasonable idea for extension maintainers, but this is much
less cumbersome than the VM fuzzing that Stuart's comment seemed to be getting at.