ianG writes:

On 26/03/12 07:43 AM, Jon Callas wrote:

...

This is precisely the point I've made: the budget way to break crypto is to buy a zero-day. And if you're going to build a huge computer center, you'd be better off building fuzzers than key crackers.

point of understanding - what do you mean by fuzzers?

Automatically trying to make software incur faults with large amounts of randomized (potentially invalid) input. https://en.wikipedia.org/wiki/Fuzz_testing If you get an observable fault you can repeat the process under a debugger and try to understand why it occurred and whether it is an exploitable bug. Here's a pretty detailed overview: https://www.blackhat.com/presentations/bh-usa-07/Amini_and_Portnoy/Whitepape... When it was first invented, fuzzing basically just consisted of feeding random bytes to software, but now it can include sophisticated understanding of the kinds of data that a program expects to see, with some model of the internal state of the program. I believe there are also fuzzers that examine code coverage, so they can give feedback to the tester about whether there are parts of the program that the fuzzer isn't exercising. -- Seth David Schoen <schoen@loyalty.org> | No haiku patents http://www.loyalty.org/~schoen/ | means I've no incentive to FD9A6AA28193A9F03D4BF4ADC11B36DC9C7DD150 | -- Don Marti _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE