Fuzzing

Fuzzing, also known as fuzz testing, is an automated method that is ideal for detecting vul­ner­a­bil­i­ties in software. In this article, you’ll learn what the testing technique involves, its ad­van­tages and dis­ad­van­tages, and the different fuzzing tools you can use.

Fuzzing or fuzz testing was orig­i­nal­ly developed by computer scientist Barton Miller and is a method used to sys­tem­at­i­cal­ly test software for vul­ner­a­bil­i­ties. Fuzzing does not attempt to interpret the source code of the program. Instead, it treats the software as a black box and its content as given. In fuzz testing, all possible data input in­ter­faces are au­to­mat­i­cal­ly invoked and fed random data. This process can take hours or even days, depending on the size of the software project you’re testing.

The aim of fuzz testing is to determine whether the program contains the necessary reactions for all possible input variants. Non­sen­si­cal or incorrect inputs should be caught by error-handling routines, if possible. If error-handling routines do not exist for certain inputs or do not work correctly, the program can crash. The technique of testing software for all even­tu­al­i­ties has long been an integral part of web de­vel­op­ment en­vi­ron­ments. For example, cross-browser testing has been used for many years to test web ap­pli­ca­tions across multiple web clients or browser versions.

There are basically three types of fuzzing:

This fuzzing approach tests functions such as buttons and input fields in graphical user in­ter­faces or options of command line programs. For example, functions are accessed with an ab­nor­mal­ly high frequency or speed, or input fields are filled with too much content.

Protocols such as the Hypertext Transfer Protocol (HTTP) are used to exchange data on the web. The trans­ferred data must be in a specific format. Protocol fuzzing is used to test the behavior of the software when in­cor­rect­ly formatted content is sent. The main goal of this type of fuzzing is to ensure that sent content is not ac­ci­den­tal­ly in­ter­pret­ed as commands and then executed on a server.

Fuzzing tools that follow the approach of file-format fuzzing generate corrupted files and then feed them to the target software for pro­cess­ing. Files typically have a standard format such as .jpg for image files so that they can be exchanged between different ap­pli­ca­tions. If the format of the opened file does not match the expected format, it can cause problems. An advanced version of file-format fuzzing allows you to test im­ple­ment­ed features such as com­pres­sion methods for video files.

Analyzing how a piece of software operates is time-consuming. Software often consists of several thousand lines of source code written in a pro­gram­ming language. Branch in­struc­tions and in­te­grat­ed functions make the code difficult to follow. In addition, once the source code has been compiled, it has to be de­com­piled, which is not always possible.

Fuzzing takes a different approach: It generates all con­ceiv­able random data of a given type. The goal is to cover as many input variants as possible. Fuzzing is the interface for automated input. This can happen at different levels. For example, in ap­pli­ca­tion fuzzing, different data types are mimicked and passed into the software. Possible lengths and data formats of the inputs can also be tested. Protocol fuzzing uses data packets that you create yourself. Another option involves in­ter­cept­ing, ma­nip­u­lat­ing, and returning contents. File format fuzzing uses randomly generated test files. It tests factors such as size, structure, or set flags.

The primary ap­pli­ca­tion of fuzzing is quality assurance in software de­vel­op­ment. Because fuzzing is highly automated, it allows you to test software regularly in a prepared test en­vi­ron­ment. You can integrate this en­vi­ron­ment into existing agile de­vel­op­ment processes. You can also fuzz-test pre­vi­ous­ly released software as part of a security audit to find out whether the software has security vul­ner­a­bil­i­ties.

Of course, fuzzing can also help you to detect exploits. However, it only provides clues about errors in program functions, since fuzzing tools ul­ti­mate­ly cannot access the internal struc­tures of the software being tested.

A variety of free and paid fuzzing tools with different features are available on the market. Here are just a few of them:

• American Fuzz Lop: Can compile the source code on its own and then test it, which is why this type of program is called a grey-box fuzzer. If the source code isn’t available, it is emulated using QEMU (short for Quick Emulator).
• Fuzzino: Provides a library for gen­er­at­ing input data that can be used to test ap­pli­ca­tions using models of protocols.
• LibFuzzer: Library that is part of the LLVM compiler in­fra­struc­ture.
• Clus­ter­Fuzz: Test en­vi­ron­ment orig­i­nal­ly developed by Google to test the Chrome browser.
• Sulley: Provides a col­lec­tion of tools in the Python scripting language; es­pe­cial­ly useful for simple test cases such as gen­er­at­ing random data.
• Peach: Highly automated solution for fuzz-testing hardware and software.
• Pow­er­fuzzer: Provides different attack scenarios, such as SQL in­jec­tions; features a web-based graphical user interface.

Depending on the intended ap­pli­ca­tion, there are al­ter­na­tives to fuzz testing that take a different approach and deliver different results. We’ve sum­ma­rized the most important ones for you below.

Reverse en­gi­neer­ing is an in­dis­pens­able tool for security re­searchers. Reverse en­gi­neer­ing is the process of analyzing code after de­com­pi­la­tion (reverse trans­la­tion into pro­gram­ming languages) or dis­as­sem­bly (trans­la­tion into the low-level assembler language). Reverse en­gi­neer­ing is a very complex and error-prone process. When suc­cess­ful, however, it allows you to examine all the details of program func­tion­al­i­ty.

Debugging is the process of finding bugs during software de­vel­op­ment. Programs are executed tem­porar­i­ly in the de­vel­op­ment en­vi­ron­ment before they are completed. The pro­gram­mer can set break­points to interrupt the program at certain places during execution. Next, the pro­gram­mer can view the contents of variables and check them for cor­rect­ness. Debugging is also used in reverse en­gi­neer­ing.

Complex software often has a modular design. Module testing is a well-es­tab­lished method for checking in­di­vid­ual com­po­nents in test en­vi­ron­ments.

As a pro­gram­mer, bugs and security vul­ner­a­bil­i­ties in your software can damage your rep­u­ta­tion and cause others to lose trust in your work. Expecting a program to be ab­solute­ly flawless is un­re­al­is­tic, and most software users know this. However, by fuzz-testing your software, you have the op­por­tu­ni­ty to find bugs before others report them. Beyond that, this technique will boost the stability and security of your software. These are all good reasons to make fuzz testing part of your quality assurance process.