Fuzz Testing
Fuzz Testing for Software Security
- Fuzz testing is the process of testing software by feeding it large numbers of random or malformed inputs (fuzz).
- Goal:
- Identify inputs that cause the program to crash (or hang, or trip a memory-safety check).
- Improve the software by validating and handling invalid inputs so that those crashes cannot occur.
Generation or Mutation
There are two basic approaches to generating fuzz:
- Generating input data randomly.
- Applying data mutation techniques to well-defined sample data.
Early Failure
A general problem with truly random fuzz is that of early failure.
- The random input fails (is rejected, or causes a crash) very early in the input processing, typically at the first validation check.
- Security issues that only arise after considerable processing may never be exposed.
- It is hard to generate truly random inputs that allow processing to proceed to later program stages.
Data Mutation Approaches
- The goal of data mutation approaches is to increase the likelihood that the data will be "correct enough" to pass through the early stages of the program.
- Data that is almost correct may then trigger program faults in later stages.
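The two approaches side by side, as an added example that is not part of the original notes. The "RCRD" record format, its parser and the planted length-handling bug are all constructed for this illustration: purely random bytes essentially never pass the magic-number check (early failure), while a few mutations of a valid sample keep the header intact and reach the checksum stage, where the planted bug crashes. The hardened parser shows the fix the second goal above calls for.

```python
import random
from collections import Counter

# Constructed toy record format (not a real format):
#   bytes 0-3  magic "RCRD"
#   byte  4    version, must be 1
#   byte  5    payload length N
#   bytes 6..  N payload bytes, then one checksum byte (XOR of the payload)
MAGIC = b"RCRD"

def make_record(payload: bytes) -> bytes:
    """Build a well-formed record; used as the seed for mutation."""
    checksum = 0
    for b in payload:
        checksum ^= b
    return MAGIC + b"\x01" + bytes([len(payload)]) + payload + bytes([checksum])

def parse_record(data: bytes) -> int:
    """Return the stage reached: 0 magic, 1 version, 2 checksum, 3 accepted.

    Planted bug: the checksum loop trusts the declared length and reads past
    the end of a short input, raising IndexError (the 'crash' we fuzz for).
    """
    if data[:4] != MAGIC:
        return 0
    if len(data) < 6 or data[4] != 1:
        return 1
    length = data[5]
    checksum = 0
    for i in range(length):
        checksum ^= data[6 + i]          # IndexError when 6 + length > len(data)
    if len(data) <= 6 + length or data[6 + length] != checksum:
        return 2
    return 3

def parse_record_fixed(data: bytes) -> int:
    """Hardened parser: validate the declared length before using it."""
    if data[:4] != MAGIC:
        return 0
    if len(data) < 6 or data[4] != 1:
        return 1
    length = data[5]
    if len(data) < 7 + length:           # truncated: reject without reading
        return 2
    checksum = 0
    for i in range(length):
        checksum ^= data[6 + i]
    if data[6 + length] != checksum:
        return 2
    return 3

def random_input(rng: random.Random, max_len: int = 32) -> bytes:
    """Generation approach: bytes drawn uniformly at random."""
    return bytes(rng.randrange(256) for _ in range(rng.randrange(max_len + 1)))

def mutate(sample: bytes, rng: random.Random) -> bytes:
    """Mutation approach: one to three small edits to a well-formed sample."""
    data = bytearray(sample)
    for _ in range(rng.randint(1, 3)):
        pos = rng.randrange(len(data))
        op = rng.randrange(3)
        if op == 0:
            data[pos] = rng.randrange(256)       # overwrite one byte
        elif op == 1:
            data[pos] ^= 1 << rng.randrange(8)   # flip one bit
        elif len(data) > 1:
            del data[pos]                        # drop one byte
    return bytes(data)

def fuzz(generate, parser, iterations: int):
    """Run the parser on generated inputs; count stages reached and crashes."""
    stages = Counter()
    crashes = []
    for _ in range(iterations):
        data = generate()
        try:
            stages[parser(data)] += 1
        except IndexError:
            crashes.append(data)
    return stages, crashes

def compare(iterations: int = 2000, seed: int = 1) -> dict:
    rng = random.Random(seed)
    sample = make_record(b"hello")
    rand_stages, rand_crashes = fuzz(lambda: random_input(rng), parse_record, iterations)
    mut_stages, mut_crashes = fuzz(lambda: mutate(sample, rng), parse_record, iterations)
    # Replay the crashing inputs against the hardened parser: none should crash.
    still_crashing = 0
    for data in mut_crashes:
        try:
            parse_record_fixed(data)
        except IndexError:
            still_crashing += 1
    return {
        "random_max_stage": max(rand_stages),
        "random_crashes": len(rand_crashes),
        "mutation_max_stage": max(mut_stages),
        "mutation_crashes": len(mut_crashes),
        "fixed_crashes": still_crashing,
    }

if __name__ == "__main__":
    print(compare())
```

With the seed above, random generation stays at stage 0 for every input, whereas the mutated inputs reach stage 2 or 3 and produce many crashes, none of which survive the length check in the hardened parser.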
Dumb vs. Structured Input Fuzzing
- A dumb fuzzer generates data without any knowledge of the input data formats.
- General purpose, but often does not expose errors past the data parsing stage.
- Structured input fuzzers use a model of the legal inputs to generate data that is random but well-formed.
- For example, the legal inputs may be defined by a grammar, a file format specification or a network protocol.
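A grammar-based fuzzer, as an added example that is not part of the original notes. The grammar below is a constructed toy grammar for arithmetic expressions, and Python's own `ast.parse` stands in for the target program's parsing stage; every grammar-derived string gets past that stage, while random printable strings of similar length almost never do.

```python
import ast
import random
import string

# Constructed toy grammar for Python-style arithmetic expressions. Terminals are
# plain strings; "<int>" is expanded to a decimal literal so no leading zeros appear.
GRAMMAR = {
    "<expr>": [["<term>"], ["<term>", " ", "<op>", " ", "<expr>"]],
    "<term>": [["<number>"], ["<name>"], ["(", "<expr>", ")"], ["-", "<term>"]],
    "<op>": [["+"], ["-"], ["*"], ["/"], ["%"], ["**"]],
    "<number>": [["<int>"], ["<int>", ".", "<int>"]],
    "<name>": [["x"], ["y"], ["z"]],
}
MAX_DEPTH = 6

def nonterminals(alternative) -> int:
    return sum(1 for sym in alternative if sym.startswith("<"))

def expand(symbol: str, rng: random.Random, depth: int = 0) -> str:
    """Derive a string from `symbol`; once MAX_DEPTH is reached, take the
    alternative with the fewest nonterminals so the derivation terminates."""
    if symbol == "<int>":
        return str(rng.randint(0, 999))
    if symbol not in GRAMMAR:
        return symbol                      # terminal
    alternatives = GRAMMAR[symbol]
    if depth >= MAX_DEPTH:
        alternatives = [min(alternatives, key=nonterminals)]
    chosen = rng.choice(alternatives)
    return "".join(expand(sym, rng, depth + 1) for sym in chosen)

def structured_input(rng: random.Random) -> str:
    return expand("<expr>", rng)

def dumb_input(rng: random.Random, max_len: int = 20) -> str:
    """Dumb fuzzer: printable characters with no knowledge of the format."""
    return "".join(rng.choice(string.printable) for _ in range(rng.randint(1, max_len)))

def parser_accepts(text: str) -> bool:
    """Target parsing stage: does Python accept the text as an expression?"""
    try:
        ast.parse(text, mode="eval")
        return True
    except (SyntaxError, ValueError):
        return False

def compare(samples: int = 200, seed: int = 7) -> dict:
    rng = random.Random(seed)
    structured = sum(parser_accepts(structured_input(rng)) for _ in range(samples))
    dumb = sum(parser_accepts(dumb_input(rng)) for _ in range(samples))
    return {"samples": samples, "structured_accepted": structured, "dumb_accepted": dumb}

if __name__ == "__main__":
    rng = random.Random(7)
    for _ in range(3):
        print(repr(structured_input(rng)))
    print(compare())
```

The same derivation routine works for any context-free grammar written in this dictionary form, so a file header layout or a line-based protocol can be modelled the same way; the point is that the generated inputs exercise the code behind the parser rather than the parser's error path.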
Program Structure and Fuzzing
Black-box fuzzers have no knowledge of the program structure; they observe only inputs and outcomes (crash or no crash).
White-box fuzzers analyze the program structure (e.g., by symbolic or concolic execution).
- Focus on generating fuzz that increases overall code coverage.
- Generate fuzz by solving the branch conditions in the program so that each branch outcome is exercised.
Grey-box fuzzing uses lightweight program instrumentation rather than program analysis.
- Instrumentation records whether inputs cause different program branches (or branch edges) to be taken.
- Inputs that reach new branches are kept as seeds for further mutation, increasing coverage without the expense or complexity of program analysis.
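A minimal grey-box loop, as an added example that is not part of the original notes. The target function and its planted crash behind four nested byte checks are constructed for this illustration; instrumentation is done with `sys.settrace`, recording (previous line, current line) edges executed inside the target, much as a compile-time instrumented binary reports branch edges. Inputs that produce a new edge are kept in the corpus, so the fuzzer solves the four checks one byte at a time; a dumb fuzzer with the same budget would need on the order of 2**32 tries.

```python
import random
import sys

def target(data: bytes) -> None:
    """Constructed target: a planted crash hidden behind four nested byte checks."""
    if len(data) > 0 and data[0] == ord("F"):
        if len(data) > 1 and data[1] == ord("U"):
            if len(data) > 2 and data[2] == ord("Z"):
                if len(data) > 3 and data[3] == ord("Z"):
                    raise RuntimeError("planted crash: input starts with FUZZ")

def run_with_coverage(func, data: bytes):
    """Instrumentation: record the (prev_line, line) edges executed inside func."""
    edges = set()
    prev = [0]

    def local_tracer(frame, event, arg):
        if event == "line":
            edges.add((prev[0], frame.f_lineno))
            prev[0] = frame.f_lineno
        return local_tracer

    def global_tracer(frame, event, arg):
        if event == "call" and frame.f_code is func.__code__:
            prev[0] = 0
            return local_tracer
        return None

    crashed = False
    previous = sys.gettrace()
    sys.settrace(global_tracer)
    try:
        func(data)
    except Exception:
        crashed = True
    finally:
        sys.settrace(previous)
    return edges, crashed

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Single-byte mutation: overwrite a byte or flip one bit (length is kept)."""
    buf = bytearray(data)
    pos = rng.randrange(len(buf))
    if rng.random() < 0.5:
        buf[pos] = rng.randrange(256)
    else:
        buf[pos] ^= 1 << rng.randrange(8)
    return bytes(buf)

def greybox_fuzz(func, seed_input: bytes, max_iters: int, rng: random.Random) -> dict:
    """Coverage-guided loop: keep any input that exercises a new edge as a parent."""
    corpus = [seed_input]
    seen, _ = run_with_coverage(func, seed_input)
    for i in range(1, max_iters + 1):
        # Favour the most recently added input, as it is the deepest so far.
        parent = corpus[-1] if rng.random() < 0.5 else rng.choice(corpus)
        child = mutate(parent, rng)
        edges, crashed = run_with_coverage(func, child)
        if crashed:
            return {"crash": child, "iterations": i, "corpus": len(corpus)}
        if edges - seen:
            seen |= edges
            corpus.append(child)
    return {"crash": None, "iterations": max_iters, "corpus": len(corpus)}

def dumb_fuzz(func, length: int, max_iters: int, rng: random.Random) -> dict:
    """Black-box baseline: random bytes, no feedback, same budget."""
    for i in range(1, max_iters + 1):
        data = bytes(rng.randrange(256) for _ in range(length))
        try:
            func(data)
        except Exception:
            return {"crash": data, "iterations": i}
    return {"crash": None, "iterations": max_iters}

def compare(max_iters: int = 100000, seed: int = 1) -> dict:
    rng = random.Random(seed)
    grey = greybox_fuzz(target, b"AAAA", max_iters, rng)
    dumb = dumb_fuzz(target, 4, grey["iterations"], rng)
    return {"greybox": grey, "dumb": dumb}

if __name__ == "__main__":
    print(compare())
```

Because each of the four checks sits on its own line, passing one adds exactly one new edge, so the corpus ends up holding one input per stage reached; the crash is typically found within a few thousand iterations, well inside the budget.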
Updated Sun Sept. 10 2023, 10:45 by cameron.