
Fuzz Testing

Fuzz Testing for Software Security

  • Fuzz testing is the process of testing software by feeding it random or semi-random inputs (fuzz) and watching for failures.
  • Goal:
    • Identify inputs that cause the program to crash, hang or otherwise misbehave.
    • Improve the software so that invalid inputs are detected and rejected cleanly instead of causing a crash.

Generation or Mutation

There are two basic approaches to generating fuzz:

  • Generating input data randomly from scratch.
  • Applying data mutation techniques (bit flips, byte insertions and deletions, boundary values) to well-formed sample data.

Early Failure

A general problem with truly random fuzz is that of early failure.

  • A crash or rejection caused by the random input happens very early in the input processing.
  • Security issues that only arise after considerable processing may never be exposed.
    • It is very unlikely that purely random input satisfies the checks (magic numbers, length fields, checksums) that let processing proceed to later program stages.

Data Mutation Approaches

  • The goal of data mutation approaches is to increase the probability that data will be "correct enough" to pass through the early stages of the program.
  • Almost-correct data may then trigger program faults in later stages.
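The following added example (written for this page, not code from the original notes) puts the two approaches side by side on a constructed toy record format: a 2-byte magic, a 2-byte big-endian payload length, and a payload consisting of an entry count followed by that many 16-bit values. The format, the parser, the seed record and the mutation operators are all hypothetical; the parser carries one planted defect in its last stage (an entry count of zero is not rejected). Purely random byte strings almost never survive the magic check, which is early failure in miniature, while single-edit mutations of a valid sample routinely reach the payload stage and hit the fault.

```python
import random
import struct
from collections import Counter

MAGIC = b"FZ"  # constructed 2-byte signature for this toy format


class ParseError(Exception):
    """Input rejected by a validation stage; this is correct behaviour, not a crash."""


def parse_record(data: bytes) -> int:
    """Toy target. Returns the mean of the 16-bit entries in the payload.
    Stage 3 has a planted defect: a zero entry count leads to a division by zero."""
    # Stage 1: header checks. Almost every purely random input dies here.
    if len(data) < 4 or data[:2] != MAGIC:
        raise ParseError("stage1")
    (length,) = struct.unpack(">H", data[2:4])
    payload = data[4:4 + length]
    # Stage 2: the declared length must match what is actually present.
    if len(payload) != length or not payload:
        raise ParseError("stage2")
    # Stage 3: semantic processing, reachable only behind a valid header.
    count = payload[0]
    if len(payload) < 1 + 2 * count:
        raise ParseError("stage3")
    entries = [struct.unpack(">H", payload[1 + 2 * i:3 + 2 * i])[0] for i in range(count)]
    return sum(entries) // count  # ZeroDivisionError when count == 0 (planted)


def run_target(data: bytes) -> str:
    """Classify one fuzz input: the stage that rejected it, 'ok', or 'crash'."""
    try:
        parse_record(data)
        return "ok"
    except ParseError as e:
        return str(e)
    except Exception:  # any unhandled exception is what the fuzzer is hunting
        return "crash"


def random_input(rng: random.Random, max_len: int = 16) -> bytes:
    """Generation approach: a byte string drawn uniformly at random."""
    return rng.randbytes(rng.randint(0, max_len))


INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]  # boundary values worth trying


def mutate(rng: random.Random, seed: bytes) -> bytes:
    """Mutation approach: one small random edit of a well-formed sample."""
    buf = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and buf:                          # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:                        # overwrite a byte with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif op == 2:                                # insert a random byte
        buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
    elif buf:                                    # delete a byte
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def campaign(rng: random.Random, make_input, n: int) -> Counter:
    """Run n inputs through the target and tally where each one ended up."""
    return Counter(run_target(make_input(rng)) for _ in range(n))


# Constructed valid seed record: two entries, 10 and 20 (mean 15).
SEED = MAGIC + struct.pack(">H", 5) + bytes([2]) + struct.pack(">HH", 10, 20)

if __name__ == "__main__":
    rng = random.Random(2023)
    print("random generation:", campaign(rng, random_input, 2000))
    print("seed mutation    :", campaign(rng, lambda r: mutate(r, SEED), 2000))
```

Running the script prints two tallies: the random campaign is almost entirely "stage1", while the mutation campaign spreads across "ok", "stage2", "stage3" and "crash". A real campaign would log every crashing input and the exception it produced so the defect can be reproduced and fixed.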

Dumb vs. Structured Input Fuzzing

  • A dumb fuzzer generates data without any knowledge of the input data format.
    • General purpose, but it often does not expose errors past the data parsing stage.
  • Structured input fuzzers use a model of the input to generate random data that is syntactically valid.
    • For example, the legal inputs may be defined by a grammar, a file format specification or a network protocol specification.
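As an added example (not part of the original notes), here is a small grammar-based structured fuzzer contrasted with a dumb one. The grammar is a constructed, deliberately incomplete model of an HTTP/1.x request line with a few headers, and `parse_request` is a hypothetical server front end that rejects anything not matching that syntax. Every grammar-derived input passes the front end and so exercises header handling; the dumb fuzzer's random printable strings are all rejected at the request line, which is exactly the "stuck in the parsing stage" effect described above.

```python
import random
import re
import string
from typing import Dict, List

# A grammar maps a nonterminal to a list of alternatives; each alternative is a
# list of tokens, where tokens of the form <name> are nonterminals.
Grammar = Dict[str, List[List[str]]]

# Constructed grammar for a minimal request. It is a fuzzing model, not a
# faithful rendering of RFC 9112.
REQUEST_GRAMMAR: Grammar = {
    "<request>": [["<method>", " ", "<path>", " HTTP/1.", "<digit>", "\r\n", "<headers>", "\r\n"]],
    "<method>":  [["GET"], ["POST"], ["HEAD"], ["DELETE"]],
    "<path>":    [["/"], ["/", "<segment>", "<path>"]],
    "<segment>": [["<pchar>"], ["<pchar>", "<segment>"]],
    "<pchar>":   [[c] for c in "abcxyz019-_.%"],
    "<headers>": [[], ["<header>", "<headers>"]],
    "<header>":  [["<hname>", ": ", "<hvalue>", "\r\n"]],
    "<hname>":   [["Host"], ["Content-Length"], ["X-Fuzz"]],
    "<hvalue>":  [["<digit>"], ["<digit>", "<hvalue>"], ["<pchar>", "<hvalue>"]],
    "<digit>":   [[d] for d in "0123456789"],
}


def is_nonterminal(token: str) -> bool:
    return token.startswith("<") and token.endswith(">")


def generate(grammar: Grammar, symbol: str, rng: random.Random, max_depth: int = 12) -> str:
    """Expand `symbol` by picking alternatives at random. Once the depth budget
    is spent, the alternative with the fewest nonterminals is taken so that
    recursive rules such as <path> and <headers> always terminate."""
    alternatives = grammar[symbol]
    if max_depth > 0:
        alt = rng.choice(alternatives)
    else:
        alt = min(alternatives, key=lambda a: sum(is_nonterminal(t) for t in a))
    return "".join(
        generate(grammar, t, rng, max_depth - 1) if is_nonterminal(t) else t for t in alt
    )


def dumb_input(rng: random.Random) -> str:
    """Dumb fuzzer: random printable characters, no knowledge of the format."""
    return "".join(rng.choice(string.printable) for _ in range(rng.randint(1, 40)))


# Hypothetical server front end: strict request-line syntax, then header split.
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|DELETE) (/[A-Za-z0-9._%\-/]*) HTTP/1\.(\d)\r\n")


def parse_request(raw: str) -> dict:
    """Return method, path, minor version and headers, or raise ValueError."""
    m = REQUEST_LINE.match(raw)
    if not m or not raw.endswith("\r\n\r\n"):
        raise ValueError("malformed request line")
    headers = {}
    for line in raw[m.end():-2].split("\r\n"):  # drop the terminating blank line
        if not line:
            continue
        name, sep, value = line.partition(": ")
        if not sep:
            raise ValueError("malformed header")
        headers[name] = value
    return {"method": m.group(1), "path": m.group(2), "minor": int(m.group(3)), "headers": headers}


def acceptance_rate(rng: random.Random, make_input, n: int) -> float:
    """Fraction of n generated inputs that get past the front end."""
    accepted = 0
    for _ in range(n):
        try:
            parse_request(make_input(rng))
            accepted += 1
        except ValueError:
            pass
    return accepted / n


if __name__ == "__main__":
    rng = random.Random(7)
    print(repr(generate(REQUEST_GRAMMAR, "<request>", rng)))
    print("structured:", acceptance_rate(rng, lambda r: generate(REQUEST_GRAMMAR, "<request>", r), 300))
    print("dumb      :", acceptance_rate(rng, dumb_input, 300))
```

The structured fuzzer reaches the header-handling code on every run; to probe that code for robustness bugs one would then loosen the grammar deliberately (very long values, repeated headers, unusual characters in names), keeping the request line valid so the input still gets that far.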

Program Structure and Fuzzing

Black-box fuzzers have no knowledge of the program structure; they observe only whether an input makes the program fail.

White-box fuzzers analyze the program structure (for example by symbolic or concolic execution).

  • Focus on generating fuzz that increases overall code coverage.
  • Solve for inputs that satisfy the conditions tested at program branches, so that both sides of each branch are exercised.

Grey-box fuzzers use lightweight program instrumentation rather than program analysis.

  • Instrumentation records which program branches (or basic blocks) each input causes to be executed.
  • Inputs that reach branches no earlier input reached are kept and mutated further; this drives up coverage without the expense or complexity of program analysis.
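The following added example (not from the original notes) shows the grey-box feedback loop in miniature. The target is a constructed function with four nested byte checks guarding a planted fault; `sys.settrace` line coverage stands in for the edge counters that compiled fuzzers such as AFL or libFuzzer insert at build time; and the mutation strategy is a deterministic byte-overwrite pass over each kept input, as used by AFL's deterministic stage. All names and the target are hypothetical. Coverage feedback lets the fuzzer find the 4-byte trigger in a few thousand runs, one byte at a time, where a black-box search of the same budget has essentially no chance.

```python
import random
import sys


def target(data: bytes) -> int:
    """Constructed target: four nested checks guard a planted fault, so a
    black-box fuzzer needs one specific 4-byte value out of 2**32."""
    if len(data) < 4:
        return 0
    if data[0] == ord("b"):
        if data[1] == ord("u"):
            if data[2] == ord("g"):
                if data[3] == ord("!"):
                    raise RuntimeError("planted fault")  # constructed defect
    return 1


class LineCoverage:
    """Instrumentation stand-in: records every source line of one function
    that executes. Only the target's own frame is traced."""

    def __init__(self, code):
        self.code = code
        self.lines = set()

    def __call__(self, frame, event, arg):
        if frame.f_code is not self.code:
            return None            # some other frame: do not trace it
        if event == "line":
            self.lines.add(frame.f_lineno)
        return self                # keep receiving events for this frame


def run_with_coverage(fn, data: bytes):
    """Run fn(data) under instrumentation; return (lines executed, crashed?)."""
    cov = LineCoverage(fn.__code__)
    previous = sys.gettrace()
    sys.settrace(cov)
    try:
        fn(data)
        crashed = False
    except Exception:
        crashed = True
    finally:
        sys.settrace(previous)
    return frozenset(cov.lines), crashed


def greybox_fuzz(fn, seed: bytes, max_runs: int = 100_000) -> dict:
    """Coverage-guided loop: an input is kept only if it executes a line no
    earlier input did, and new candidates are derived only from kept inputs."""
    cov, crashed = run_with_coverage(fn, seed)
    if crashed:
        return {"crash": seed, "runs": 1, "corpus": [seed]}
    seen = set(cov)
    corpus, queue, runs = [seed], [seed], 1
    while queue and runs < max_runs:
        parent = queue.pop(0)
        for pos in range(len(parent)):            # deterministic stage: every
            for value in range(256):              # byte value at every position
                child = parent[:pos] + bytes([value]) + parent[pos + 1:]
                cov, crashed = run_with_coverage(fn, child)
                runs += 1
                if crashed:
                    return {"crash": child, "runs": runs, "corpus": corpus}
                if not cov <= seen:               # new line reached: keep it
                    seen |= cov
                    corpus.append(child)
                    queue.append(child)
    return {"crash": None, "runs": runs, "corpus": corpus}


def blackbox_fuzz(fn, rng: random.Random, runs: int):
    """Same target, no feedback: independent random 4-byte inputs."""
    for _ in range(runs):
        data = rng.randbytes(4)
        try:
            fn(data)
        except Exception:
            return data
    return None


if __name__ == "__main__":
    result = greybox_fuzz(target, b"aaaa")
    print("grey-box :", result["crash"], "after", result["runs"], "runs; corpus", result["corpus"])
    print("black-box:", blackbox_fuzz(target, random.Random(1), result["runs"]))
```

The corpus printed by the script grows by one input per unlocked check (`aaaa`, `baaa`, `buaa`, `buga`) before `bug!` crashes the target. Real grey-box fuzzers use edge rather than line coverage, add random "havoc" mutations on top of the deterministic pass, and prioritise small, fast inputs, but the decision rule is the one shown: keep what reaches new code, discard the rest.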
Updated Sun Sept. 10 2023, 10:45 by cameron.