Fuzz Testing

Fuzz Testing or Fuzzing is a software testing technique that feeds invalid, unexpected or random data (the "fuzz") into a program in order to discover errors and security weaknesses. The fuzzer supplies this data automatically or semi-automatically and monitors the target for failures such as hangs, crashes, performance degradation, memory errors and failed built-in checks (assertions).

The technique was developed by Barton Miller at the University of Wisconsin in 1989.

It is usually applied case by case, with tools or scripts adapted to the interface under test and to the development or validation environment.

Tools

Free and commercial tools exist:

  • Peach Fuzzer – model-based fuzzer that tests for known and unknown vulnerabilities;

  • Spike Proxy – web application fuzzing, e.g. SQL injection and cross-site scripting;

  • WebScarab – HTTP and HTTPS;

  • OWASP WSFuzzer – web services (HTTP / SOAP);

  • AFL – American Fuzzy Lop, a coverage-guided fuzzer;

  • Radamsa – mutation-based: takes real sample inputs or input files and modifies them.

Basics

  • Test cases are generated automatically, either mutation-based (modify valid sample inputs) or generation-based (build inputs from a model or specification of the format).

  • Many slightly anomalous test cases are fed into a target interface.

  • The application is monitored for errors (crashes, hangs, unexpected exceptions, sanitizer reports).

  • Inputs are:

    • file-based (.pdf, .png, .wav, .mpg), or;

    • network-based (FTP, HTTP, SNMP, SOAP), or;

    • other (e.g. crashme(), which executes random bytes as code).

Protocol-specific knowledge is very helpful:

  • Generation-based fuzzing tends to do better than purely random input; the better the fuzzer's knowledge of the specification, the better the fuzzer.

More fuzzers are better:

  • Implementations differ, and different fuzzers find different bugs.

  • The best fuzzer is probably your own, written with knowledge of the system under test.

The longer you run, the more bugs you find, although returns diminish once the easily reachable code paths have been exhausted.

The best results come from guiding the process:

  • Notice where you are getting stuck, and use profiling to find out why.

  • Code coverage is very useful for guiding the process: inputs that reach new code are kept and mutated further, so progress accumulates instead of being thrown away.
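As an added illustration, not code from this page or from any of the tools listed above, the following Python script fuzzes a small, deliberately buggy record parser in the three modes discussed here: blind mutation of a single seed, generation from knowledge of the format, and coverage-guided mutation using line coverage collected with sys.settrace. The parser, its format (magic "FZ", a version byte, an item count, then the body), the planted bug, the seed input b"AAAA" and the iteration budgets are all constructed for this example.

```python
"""Blind mutation vs. generation vs. coverage-guided fuzzing of a toy parser."""
import random
import sys
from dataclasses import dataclass, field
from typing import List, Optional


def parse_record(data: bytes) -> dict:
    """Constructed target: header "FZ", version byte, item count, then the body.
    ValueError is the parser's normal rejection; IndexError is the planted bug."""
    if len(data) < 4:
        raise ValueError("record too short")
    if data[0] != ord("F"):
        raise ValueError("bad magic byte 0")
    if data[1] != ord("Z"):
        raise ValueError("bad magic byte 1")
    if data[2] != 1:
        raise ValueError("unsupported version")
    count, body = data[3], data[4:]
    items = [body[i] for i in range(count)]   # BUG: count is trusted, may exceed len(body)
    return {"version": 1, "items": items}


def run_with_coverage(target, data: bytes):
    """Run target(data) under sys.settrace; return (set of executed line numbers, crash).
    A crash is any exception other than the parser's own ValueError rejection."""
    lines = set()
    code = target.__code__

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None                        # do not trace frames outside the target
        if event == "line":
            lines.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        crash = None
    except ValueError:
        crash = None
    except Exception as exc:                   # a fuzzer wants every unexpected exception
        crash = exc
    finally:
        sys.settrace(None)
    return lines, crash


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: a small subset of AFL-style havoc operations."""
    buf = bytearray(data)
    op = rng.choice(["flip", "set", "set", "insert", "delete"])   # bias towards byte sets
    if op == "flip":
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == "set":
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "insert" and len(buf) < 16:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def generate(rng: random.Random) -> bytes:
    """Generation-based: build a record from knowledge of the format (mostly valid header)."""
    version = 1 if rng.random() < 0.9 else rng.randrange(256)
    count = rng.randrange(256)
    body = bytes(rng.randrange(256) for _ in range(rng.randrange(16)))
    return b"FZ" + bytes([version, count]) + body


@dataclass
class FuzzResult:
    crash_input: Optional[bytes]
    iterations: int
    corpus: List[bytes] = field(default_factory=list)


def fuzz(seed_input: bytes, budget: int, mode: str, rng_seed: int = 1) -> FuzzResult:
    """mode: "blind" mutates the seed only, "generate" builds inputs from the format,
    "guided" keeps any mutant that executes a new line and mutates it further."""
    if mode not in ("blind", "generate", "guided"):
        raise ValueError(f"unknown mode {mode!r}")
    rng = random.Random(rng_seed)
    corpus = [seed_input]
    seen_lines, _ = run_with_coverage(parse_record, seed_input)
    for i in range(1, budget + 1):
        candidate = generate(rng) if mode == "generate" else mutate(rng.choice(corpus), rng)
        lines, crash = run_with_coverage(parse_record, candidate)
        if crash is not None:
            return FuzzResult(candidate, i, corpus)
        if mode == "guided" and not lines <= seen_lines:
            seen_lines |= lines                # new code reached: keep as a future parent
            corpus.append(candidate)
    return FuzzResult(None, budget, corpus)


if __name__ == "__main__":
    for mode, budget in (("blind", 20000), ("generate", 200), ("guided", 200000)):
        r = fuzz(b"AAAA", budget, mode)
        print(f"{mode:9s} crash={r.crash_input!r} after {r.iterations} iterations, corpus={len(r.corpus)}")
```

Each iteration applies a single mutation, so the blind mode can never turn b"AAAA" into a record with the three header bytes the bug requires and exhausts its budget without a crash. The guided mode reaches the same bug in a few thousand iterations because every mutant that executes a new line of parse_record (passing the first magic byte, then the second, then the version check) is kept as a parent, which is the idea behind AFL's compile-time instrumentation. The generator finds the bug almost immediately because it already knows the header, which is the "better specification knowledge makes better fuzzers" point above; the price is that someone has to write that knowledge down.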
