Testing Tips

Testing for overflows in your application is well worth the effort. Here are a few tips for testing.

  • Remember to look for overruns where the attacker can get data: network data, files and documents, information shared between users, and programmable interfaces.

  • Using data you can recognize helps when you are analyzing whether a particular overrun is exploitable.

  • Learn how to determine the bounds of data by reading the code, asking people for information, using commonly defined lengths, employing the iterative approach, and watching for changes in behavior.

  • When you construct test cases, dont forget to maintain overall data integrity by adjusting for various structural and format considerations, and make sure your test cases strike deeply within the programs functionality when warranted.

  • Keep an eye out for secondary actions or program state dependencies that might render the code exploitable.

  • Watch for exceptions, crashes, and other changes in behavior. Remember, when you enter long data and the application shows you extra memory or behaves oddly, the situation is often worth investigating and is exploitable.

  • Use the debugger to help find handled exceptions. Remember that handled exceptions can be exploitable also.

  • Use fuzzing and other runtime tools to help you find overruns and identify areas on which to focus future code review and testing efforts.

  • Try different strategies, including replacing null characters , inserting data, overwriting data, and adjusting string lengths.

  • Looking at the code is an important part of finding buffer overruns. When you look at the code for overruns, stop trying to create the code and start trying to break it.

  • Key areas on which to focus code review include unsafe functions, data entry points and data flow, and places where data is copied and parsed.



Hunting Security Bugs
Hunting Security Bugs
ISBN: 073562187X
EAN: 2147483647
Year: 2004
Pages: 156

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net