LAS VEGAS Black Hat USA 2008 Hackers' two most popular methods for identifying software vulnerabilities were tested side by side here yesterday, and the votes are in: the fuzzers have it.
In the annual "Iron Chef" contest, researchers from Fortify Software were paired up in teams and given a package of code containing security vulnerabilities that were unknown to the contestants. Each team had one hour to find the flaws and develop a workable exploit.
One team used the increasingly-popular "fuzzing" technique, which allows hackers and researchers to identify vulnerabilities on the fly. The other team used the more traditional "static analysis" approach, in which researchers analyze the code line by line.
Both teams found vulnerabilities, although they didn't find the same ones. The fuzzing team developed an exploit that could be executed directly on the application. The static analysis team developed an exploit that could be exploited remotely by enticing the user to click on a revealing photo of Britney Spears.
A panel of three security experts acted as the judges, and voted two to one for the fuzzing team. "I'm amazed at how well the static analysis team did," said Mozilla's Window Snyder, who cast the deciding vote. "But the fuzzing team just did a better job."
Tim Wilson, Site Editor, Dark Reading