Peach Fuzzer Collaboration Begins

Wednesday, July 31, 2013 @ 07:07 PM gHale

Mozilla and Blackberry are now collaborating on a new project where the two companies will begin working to flesh out Peach, which is a free software fuzzing application developed nearly a decade ago, for testing the security of web browsers.

In a post on its company blog by Michael Coates, Mozilla’s Director of Security Assurance, said Mozilla has already been using Peach to fuzz a multitude of HTML5 features. Researchers have poked and prodded “image formats, audio/video formats, fonts, multimedia APIs like WebGL and WebAudio,” in both its flagship Firefox browser and its forthcoming Firefox OS, Coates said.

IE Security, Privacy Tops: Study
IE 10 Tops at Malware Blocking
Mac Attack: Ransomware Targets Safari
Browser Add-On Leaking Data

Like Mozilla, Blackberry incorporated fuzzing into its security infrastructure as well. While it doesn’t name Peach in particular, the company claims to regularly use “third-party fuzzers, in addition to its own proprietary fuzzing tools, static analysis and vulnerability research,” to test products, according to company blog.

Both said they will develop and implement advanced threat detection tools by using Peach and they plan to share results from their fuzzes with the security community going forward.

“Security is an industry-wide challenge that cannot be solved in a vacuum, and that is why BlackBerry and Mozilla security researchers are working together to develop new and innovative tools for detecting browser threats,” said Adrian Stone, Blackberry’s Director of Security Response and Threat Analysis.

First developed in 2004 by Michael Eddington at Seattle-based Déjà vu Security, Peach was initially a framework for creating fuzzes in Python. The fuzzer, now the most popular of its kind, has gone through several iterations since then, using XML and Microsoft’s .NET framework. Peach’s latest version, Peach 3, released in January and can run on Windows, Linux and OS X.

Security researchers use fuzzers in software testing for fault injection, the injection of unexpected or malformed data into an application’s code path. Fuzzers help security researchers identify flaws, or faults in the code if the application can’t handle the data and the fuzzing results in a series of errors.

Mozilla also used the blog entry as an opportunity to discuss Minion, a new security testing platform it expects will take “a different approach to automated web security testing.”

The free and open source platform apparently keeps the amount of information it generates to a minimum, making it easier for developers to analyze their research.

Leave a Reply

You must be logged in to post a comment.