Wednesday Sep 12, 2012

Fuzzing for Security

Yesterday, I attended an internal workshop about ethical hacking. Hacking skills like fuzzing can be used to quantitatively assess and measure security threats in software. Fuzzing is a software testing technique used to discover coding errors and security loopholes in software, operating systems or networks by injecting massive amounts of random data, called fuzz, into the system in an attempt to make it crash. If the program contains a flaw that can lead to an exception, a crash or a server error (in the case of web apps), that observed failure is taken as the sign that a vulnerability has been discovered.

A fuzzer is a program that generates and injects random (and in general faulty) input to an application. Its main purpose is to make things easier and automated.

There are typically two methods for producing the fuzz data that is sent to a target: generation or mutation. Generational fuzzers build the data being sent from a data model provided by the fuzzer creator. Sometimes this is as simple and dumb as sending random bytes or swapping bytes; sometimes it is much smarter, knowing which values are valid and combining them in interesting ways.

Mutation on the other hand starts out with a known good "template" which is then modified. However, nothing that is not present in the "template" or "seed" will be produced.

Generally, fuzzers are good at finding buffer overflows, DoS, SQL injection, format string bugs, etc. They do a poor job at finding vulnerabilities related to information disclosure, encryption flaws and any other vulnerability that does not cause the program to crash. Fuzzing is simple and offers a high benefit-to-cost ratio, but it does not replace other proven testing techniques.

What is your computer doing over the week-end?
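To make the mutation approach and its limits concrete, here is a small added example (not code from the workshop or from this post). It derives test cases from a known-good seed with bit flips, boundary-byte overwrites, insertions and truncations, feeds them to a target and records one input per distinct crash site. The target is a constructed tag/length/value record parser, assumed purely for illustration: fuzzing catches its missing-length crash, but not the silent truncation bug, which never raises.

```python
import random
import traceback

INTERESTING = [0x00, 0x01, 0x7f, 0x80, 0xff]  # boundary bytes a smart fuzzer favours

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation fuzzing: derive a test case from a known-good seed."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and data:                       # flip one bit
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == 1 and data:                     # overwrite with a boundary value
            data[rng.randrange(len(data))] = rng.choice(INTERESTING)
        elif op == 2:                              # insert 1-8 random bytes
            i = rng.randrange(len(data) + 1)
            data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
        elif data:                                 # delete a slice (truncation)
            i = rng.randrange(len(data))
            del data[i:i + rng.randint(1, 4)]
    return bytes(data)

def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 0) -> dict:
    """Feed mutated inputs to target; keep one input per unique crash site."""
    rng = random.Random(rng_seed)                  # fixed seed -> reproducible run
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except Exception as exc:                   # any uncaught exception is a finding
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            crashes.setdefault((type(exc).__name__, frame.lineno), case)
    return crashes

# Constructed toy target (an assumption, not from the post): tag/length/value records.
def parse_records(data: bytes) -> list:
    records, pos = [], 0
    while pos < len(data):
        tag, length = data[pos], data[pos + 1]     # IndexError when the length byte is missing
        records.append((tag, data[pos + 2:pos + 2 + length]))
        pos += 2 + length                          # an oversized length silently truncates:
    return records                                 # no crash, so fuzzing alone never flags it

SEED = bytes([0x01, 0x03, 0x61, 0x62, 0x63, 0x02, 0x01, 0x7a])  # two valid records: 1:"abc", 2:"z"

if __name__ == "__main__":
    for (exc_name, line), case in fuzz(parse_records, SEED, 2000).items():
        print(f"{exc_name} at line {line}: {case!r}")
```

Each saved input replays the crash deterministically, which is what turns a fuzzer's noise into a reproducible bug report.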

Thursday Apr 30, 2009

A long week-end in New-York City

On the way to the Sun Directory Master Event '09 in Somerset, NJ, I stopped by to visit New York. The weather was very nice and warm (30°C) and it was a pleasure to walk in Manhattan. I visited most of the main outdoor spots: Empire State Building, Central Park, 5th Avenue, Brooklyn Bridge, Greenwich Village, Times Square, Soho, etc.

I took the ferry from lower Manhattan to Staten Island to have a look at the Statue of Liberty. This was the second Statue of Liberty I saw in one week, as a 3 m tall copy offered by French sculptor Bartholdi stands in Roybon, a small town in France, not far from Grenoble (see below).

Thursday Jan 29, 2009

SunDials software

If you have been wishing to own a sundial, then instead of buying an industrial one, design and build your own customized sundial using the Shadows software.

All you have to do is measure the orientation of the wall on which the sundial will be placed. Then install the software, locate your place using Google Earth or Google Maps, copy the location URL, paste it into the software, customize your sundial and print out a hard copy to be drawn/engraved/etc. on the surface of your choice.

SunDial in Aiguilles, Queyras, France 

Tuesday Jan 20, 2009

Sticky snow this morning...

Monday Dec 22, 2008

PRINCE2 Foundation Project Management Course

Recently I attended a 3-day PRINCE2 foundation training class. Since then, I've started to use this methodology to secure the projects I'm working on.

PRINCE2 (PRojects IN Controlled Environments) is a process-based method for effective project management. PRINCE2 is a de facto standard used extensively by the UK Government and is widely recognised and used in the private sector, both in the UK and internationally.

The key features of PRINCE2 are:

  • Its focus on business justification
  • A defined organization structure for the project management team
  • Its product-based planning approach
  • Its emphasis on dividing the project into manageable and controllable stages
  • Its flexibility to be applied at a level appropriate to the project

Tuesday Oct 14, 2008

Caving In Chartreuse: Traversee Trou du Glaz-Grotte Annette

Last Saturday, despite the nice weather, I spent the day in the Dent de Crolles, a maze-like cave with extensive development on many levels. The cave lies under the Chartreuse mountains, north of Grenoble.
This "Dent" is thoroughly hollowed out: 50 kilometers of passages and pitches have been explored on several levels, over a vertical range of 673 meters. Eight entrances let you into this labyrinth.

It took us about 5 hours to cross from Trou du Glaz to Annette Cave (3000 meters long, with the low point at -162 m).

Tuesday Aug 05, 2008

The Traverse of La Meije

I recently climbed La Meije.
La Meije (in the center of the picture below) is one of the highest peaks in the Ecrins region of the French Alps.

A day's walk takes you from La Grave to the mountain refuge (refuge du Promontoire) perched at the foot of La Meije. La Meije consists of a main summit (Grand Pic) followed by a ridge of four 'teeth' (below)

or subsidiary summits, and after several hours we were standing on top of the "Finger of God", the final pinnacle, with the next mountain refuge (Refuge de l'Aigle) in view in the valley below. We stopped there for a drink, then walked down for 3 extra hours to La Grave. A very long day.

Here is the sketch of the route to the Grand Pic.

A very nice interactive view of the route is available here.

Tuesday Jul 08, 2008

So perfect.

Last week, I climbed the incredible-looking Aiguille Dibona: the Voie du Nain on the east side followed by the normal route. Easy and quite obvious, but very nice rock. The weather was perfect.
The day after, we climbed the Aiguille Occidentale du Soreiller (on the left of the picture).

Friday Jun 06, 2008

Rockhounding week

Rockhounding is the recreational collecting of rocks and/or mineral specimens from their natural environment, and it is one of my hobbies.
Recently, I spent a few days collecting crystals with a friend in the Oisans mountains, a 1-hour drive from Grenoble. This time, I took a camera with me in addition to the standard heavyweight equipment: mountaineering gear (harness, rope, ice axe, helmet, etc.) and rock-breaking tools (sledgehammers, stone chisels, shovel, pickaxe, drinks ...).

Early in the morning, we began by doing some "gardening", then started to work on a quartz crack looking for crystals.

Crystals are deep inside the crack and as usual quite difficult to extract.

Quartz in place covered with dirt. Cleaning required when we are back home!

Here is the working area after significant efforts:

When rocks resist manual tools, we speed up the work with a gas-powered hammer drill.

The tactic here is to drill holes, then use driving wedges along with a hammer to break the rock. Here is the typical sequence: first, drill a hole of the specified diameter and insert the driving wedge edges,

insert chisel

then hit.

Here is the result.

I'll show you what we've collected in a later post, as cleaning is in progress.

Friday Apr 11, 2008

Small brother is watching you

Here is the rock ridge of the Néron, towering 1000 m above the Grenoble city floor and leading the way to the rest of the Chartreuse range.

Everything looks quiet and wild so I was a bit surprised last week to see a red patch shining near the top. After a 2-hour hike along the ridge,

I found this:

Have you heard about mountain wilderness?

My name is Sylvain Duloutre. I worked as a Software Architect in the Oracle Directory Integration Team, the customer-facing part of Directory Services & Identity Management Product Development, working on Technical Field Enablement and Solutions Architecture.

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

A mirror of this blog is available on Wordpress here.
