“Better safe than sorry”… This is the core philosophy behind fuzzing, a method that involves testing software or systems from as many diverse and unforeseeable perspectives as possible, aiming to identify potential vulnerabilities before they can be exploited maliciously.
Systems, irrespective of their nature, are originally designed to operate in stable, surprise-free environments. In reality, however, systems can crash for unexpected reasons. A user might input data that the software isn’t designed to handle, leading to a crash due to this unpreparedness.
For software developers, the challenge lies in the fact that it is difficult to predict all possible scenarios. Consequently, a whole industry has developed around subjecting systems to unforeseen conditions.
One such testing method that has emerged is called “fuzzing”. This is an automated testing technique that involves injecting random data into a system and observing its behavior. Fuzzing can reveal security and performance issues.
What is a fuzzer?
A fuzzer is a tool that automatically inputs random data into an application to detect possible anomalies.
With the help of fuzzers, cybersecurity specialists can identify vulnerabilities before hackers have an opportunity to exploit them. This allows for corrective measures to be implemented, preventing potential attacks.
The origin of the word fuzzing
In the 1980s, Professor Barton Miller from the University of Wisconsin experienced system interference while using the telephone network during strong winds. This interference eventually led to a system crash.
Intrigued, Miller tasked his students with recreating this experience using a noise generator to see if such signals could crash UNIX systems. This led to the development of the first fuzzing test, which was later expanded to various computing environments.
How does fuzzing work?
The concept of fuzzing revolves around deliberately introducing incorrect inputs into a system to unveil faults.
A fuzzer consists of several essential components, humorously nicknamed poet, messenger, and oracle due to their distinct functions: generating, delivering, and analyzing test cases.
- A poet, which generates test data (test cases). The essence of a fuzzer is to move beyond known vulnerabilities, aiming to create as many test cases as possible.
- A messenger that delivers these test cases to the target software.
- An oracle, which identifies if a fault has occurred. If so, it offers information to help reproduce, analyze, and correct the issue.
The three types of ‘test cases’
The poet crafts random data drawing from evolutionary models or derives it from a profound understanding of protocols, file formats, or APIs. Three approaches can be adopted:
- Random fuzzing: involves entirely random data.
- Evolutionary fuzzing: introduces anomalies into valid inputs, adjusting based on outcomes.
- Generational fuzzing: is based on understanding system rules and seeks to systematically break them.
The advantages of fuzzing
Fuzzing offers numerous benefits.
Security assessment
It conducts a thorough evaluation of robustness and security risks.
Prevention of hacks
It identifies potential hacking opportunities before they can be exploited.
Reduced cost
A fuzzer, once set up, can function independently.
Bug detection
A fuzzer uncovers bugs that traditional testing methods may overlook.
The types of fuzzers
Black box
The term “black box” signifies that the fuzzer has no knowledge of the internal workings of the software.
White box
A white box fuzzer has comprehensive knowledge of the software being tested, with access to its source code, documentation, and internal structure.
The main fuzzers
Paid fuzzers
- Beyond Security beSTORM
This black box fuzzer employs a model-based generational fuzzing engine. It thoroughly covers protocols, standards, and file formats without needing source code access.
- Black Duck Defensics
Known for its built-in intelligence, this fuzzing solution offers over 250 predefined test suites (networks, files, and more), quickly identifying vulnerabilities through in-depth specification and rule analysis of the target system.
- Code Intelligence Fuzz
This white box fuzzing platform integrates directly into CI/CD pipelines (automated processes for application creation and deployment) and facilitates automated security testing.
- ForAllSecure Mayhem for Code
A sophisticated white box solution that focuses on identifying bugs and vulnerabilities in the source code, offering automated tests, comprehensive coverage, and detailed reporting.
- Coverity Fuzz Testing
This automated fuzz testing solution handles test data generation, execution, and report creation, and includes diagnostic tools for identified defects.
Open source fuzzers
- Ffuf (Fuzz Faster U Fool)
A nimble and swift fuzzing tool capable of exploring subdomains and hidden files, managing large data volumes, and is highly regarded for web application security testing.
- OneFuzz
This cloud-based fuzzing platform, developed by Microsoft, is open-source and freely available on GitHub, aiming to democratize fuzzing. OneFuzz employs machine learning techniques to enhance test efficiency, though it may incur indirect costs associated with cloud infrastructure usage.
- PeachTech Peach Fuzzer
A versatile fuzzing tool for testing various software, protocols, and file formats, used to assess software robustness. It can simulate complex environments to systematically and precisely identify critical vulnerabilities.
