From: Guinevere Larsen
To: Jason Long, SCOTT FIELDS via Gdb
Subject: Re: Debugging vs Reverse Engineering
Date: Wed, 27 Sep 2023 10:31:41 +0200
Message-ID: <2494e269-2a7f-da53-ae1d-37359893c68b@redhat.com>
In-Reply-To: <1833873555.2376848.1695803079542@mail.yahoo.com>
References: <2065504698.3252109.1695560949235.ref@mail.yahoo.com> <2065504698.3252109.1695560949235@mail.yahoo.com> <4e6bdb93-4671-9ee6-5a89-b9ffba797cff@redhat.com> <1700896107.3285250.1695579162353@mail.yahoo.com> <53d9fdea-0180-bcaf-7cfb-e42f04d8bb10@redhat.com> <1833873555.2376848.1695803079542@mail.yahoo.com>

On 27/09/2023 10:24, Jason Long wrote:
> Hi Gwen,
> Thanks again.
> Can I send you a private email?

Sure, go ahead

-- 
Cheers,
Guinevere Larsen
She/Her/Hers

>
>
> On Tuesday, September 26, 2023 at 05:03:51 PM GMT+3:30, Guinevere Larsen wrote:
>
> On 24/09/2023 20:12, Jason Long wrote:
>> Hi Larsen,
> You can call me Guinevere, or Gwen :)
>> Thank you so much for your reply.
>> Your answer raised other questions in my mind.
>> What do you mean by "Giving the program unexpected or malicious
>> inputs."? Do you mean Fuzzing?
> Fuzzing is one way to get a malicious input, but not the only one. For
> instance, look at the following example code:
>
> #include <stdio.h>
> #include <stdlib.h>
>
> char* get_name() {
>     char* name;
>     int name_size;
>     printf("Please enter the length of your name:\n");
>     scanf("%d", &name_size);
>     /* Vulnerable code here:  */
>     name = (char*) malloc (name_size * sizeof(char)); /* buffer sized by untrusted input, result unchecked */
>     printf("enter your name:\n");
>     scanf("%s", name); /* unbounded read: writes whatever the user types, plus a terminator */
>     return name;
> }
>
> int main() {
>     printf("Hello %s", get_name());
>     return 0;
> }
>
> For people used to looking for vulnerabilities, this has a very obvious
> issue in not verifying the size of input when reading a string, so you
> can just visually see that the input "1 AAAAAAAA" is enough to crash the
> program, so that would also be considered a malicious input. However, if
> you have a very big codebase, more complicated situations, or just
> aren't used to it, you might need a fuzzer to generate random inputs to
> see what makes your program crash.
>
> The way you get to the answer is not important, the reason something is
> called a "malicious input" is if the person who designed it had
> malicious (evil) intent.
>
>> Please take a look at these vulnerabilities:
>> https://www.cvedetails.com/cve/CVE-2022-31705/
>>
>> https://www.cvedetails.com/cve/CVE-2023-32209/
>>
>> What technique did the person who found these vulnerabilities use?
>> Debugging or Reverse Engineering?
> There isn't really a way to tell after the fact. I am reasonably sure
> the Firefox one wasn't reverse engineering, since all the code is open
> source, so you don't need to reverse engineer it.
>
> Quite likely both cases were just a fuzzer, and then some debugging was
> involved to understand exactly why the program crashed and if it was
> indeed a vulnerability or not, but there is no way to tell after the
> fact, and honestly if it was a real vulnerability, I don't think it
> really matters.
>
> If you don't mind, why are you so interested in the distinction? I might
> be able to explain better in that case.
>
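The quoted get_name() and the "1 AAAAAAAA" input can be made concrete without crashing anything. The following is an added example written for this page; it is not code from the thread, from Guinevere Larsen, or from GDB. It assumes the whole input arrives as one string ("<length> <name>", exactly what the original's scanf("%d") then scanf("%s") would consume) instead of stdin, and it assumes an upper bound NAME_MAX_LEN of 64 that the thread's snippet does not have. overflow_bytes() computes how far the original's scanf("%s") would write past the malloc'd buffer, and get_name_safe() is the hardened form: length validated before malloc, room for the terminator, a scanf field width, and rejection (not truncation) of anything that does not fit. The sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Upper bound on a name length. An assumption for this example; the thread's
 * snippet has no such bound at all. */
#define NAME_MAX_LEN 64

/* Length of the whitespace-delimited token that scanf("%s") would consume
 * from s (leading whitespace is skipped, as scanf does). */
static size_t token_length(const char *s)
{
    while (isspace((unsigned char)*s))
        s++;
    size_t n = 0;
    while (s[n] != '\0' && !isspace((unsigned char)s[n]))
        n++;
    return n;
}

/* Model of the thread's get_name(): given the whole input as one string
 * ("<length> <name>"), return how many bytes scanf("%s") would write past
 * the malloc'd buffer. The overflow is computed, never executed. */
size_t overflow_bytes(const char *input)
{
    int name_size;
    int consumed = 0;
    /* scanf("%d") fails on e.g. "abc"; in the original name_size is then
     * uninitialised, its own bug, but nothing is written into the buffer. */
    if (sscanf(input, "%d%n", &name_size, &consumed) != 1)
        return 0;
    size_t tok = token_length(input + consumed);
    if (tok == 0)
        return 0;                       /* scanf("%s") hits EOF, writes nothing */
    size_t written = tok + 1;           /* %s always appends a terminator */
    /* A negative length becomes a huge size_t in the original's malloc, which
     * returns NULL, so there is no valid buffer for the write at all. */
    size_t allocated = name_size < 0 ? 0 : (size_t)name_size;
    return written > allocated ? written - allocated : 0;
}

/* Hardened replacement: validate the declared length before it reaches
 * malloc, allocate room for the terminator, bound the conversion with a
 * field width ("%4s" reads at most 4 characters), and reject input that did
 * not fit instead of silently truncating it. Returns NULL on any failure. */
char *get_name_safe(const char *input)
{
    int name_size;
    int consumed = 0;
    if (sscanf(input, "%d%n", &name_size, &consumed) != 1)
        return NULL;
    if (name_size < 1 || name_size > NAME_MAX_LEN)
        return NULL;
    const char *rest = input + consumed;

    char fmt[32];
    snprintf(fmt, sizeof fmt, "%%%ds%%n", name_size);   /* e.g. "%4s%n" */
    char *name = malloc((size_t)name_size + 1);         /* +1 for the terminator */
    if (name == NULL)
        return NULL;
    int used = 0;
    if (sscanf(rest, fmt, name, &used) != 1 ||
        (rest[used] != '\0' && !isspace((unsigned char)rest[used]))) {
        free(name);                     /* no name, or longer than declared */
        return NULL;
    }
    return name;
}

/* Does get_name_safe() accept input and return exactly expected? Frees the
 * result so callers can check without leaking. */
int safe_name_equals(const char *input, const char *expected)
{
    char *name = get_name_safe(input);
    if (name == NULL)
        return 0;
    int ok = strcmp(name, expected) == 0;
    free(name);
    return ok;
}

int main(void)
{
    /* Constructed inputs: the thread's crashing case plus two honest ones. */
    const char *samples[] = { "1 AAAAAAAA", "4 Gwen", "5 Gwen" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *name = get_name_safe(samples[i]);
        printf("%-12s overflow=%zu  safe=%s\n", samples[i],
               overflow_bytes(samples[i]), name ? name : "(rejected)");
        free(name);
    }
    return 0;
}
```

Two things worth noticing when running it: "1 AAAAAAAA" overflows the original by 8 bytes, but the honest-looking "4 Gwen" overflows by 1, because scanf("%s") writes a terminator the caller never budgeted for; that off-by-one is why the hardened version allocates name_size + 1. And the hardened reader rejects "1 AAAAAAAA" rather than returning "A", so an input that does not match its own declared length is treated as malformed instead of being quietly accepted.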