1. 9

  2. 5

    This paper discusses an interesting experiment (that involved a lot of work). An interesting blog post on the article ;-)

    1. 1

      I was led to it from your other post, and I wanted to highlight that as a separate post :). I am interested in what the community might say about the utility of fuzzing in areas that may not directly involve security (such as compilers).

      1. 2

        I think compilers are fundamental to security, and I wish that were a more common position.

        1. 2

          They certainly are, in that one needs to trust the compiler. However, I wonder what the security impact of a bug in a compiler is that is never transmitted to the compiled artifact.

          1. 1

            Perhaps nothing, in that case. I wouldn’t want to go on-record predicting it’ll never matter; novel security vulnerabilities are often related to things that everyone assumed shouldn’t have been security-relevant in the first place. That does seem like an unlikely type of bug to be an issue, though.

        2. 1

          There is always the “whoopee do” post that helped germinate the original work :-)

          I think the that grammar base fuzzing has practical, non-security uses, provided the rule probabilities are realistic.

          And I keep meaning to write something about most existing mutation research being a complete waste of time (of course citing your PhD thesis to back up my claims). People need to research how to generate ‘bigger’ mutations, or move onto something else.