Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted.
File formats and network protocols are the most common targets of fuzz testing, but any type of program input can be fuzzed. Interesting inputs include environment variables, keyboard and mouse events, and sequences of API calls. Even items not normally considered "input" can be fuzzed, such as the contents of databases, shared memory, or the precise interleaving of threads.
For the purpose of security, input that crosses a trust boundary is often the most interesting[1]. For example, it is more important to fuzz code that handles a type of file commonly downloaded from the Web than it is to fuzz the parsing of a configuration file.
Contents |
Uses
Fuzz testing is often used in large software development projects that employ black box testing. These projects usually have a budget to develop test tools, and fuzz testing is one of the techniques which offers a high benefit to cost ratio.
However, fuzz testing is not a substitute for exhaustive testing or formal methods: it can only provide a random sample of the system's behavior, and in many cases passing a fuzz test may only demonstrate that a piece of software handles exceptions without crashing, rather than behaving correctly. Thus, fuzz testing can only be regarded as a bug-finding tool rather than an assurance of quality.
As a gross measurement of reliability, fuzzing can suggest which parts of a program should get special attention, in the form of a code audit, application of static analysis, or partial rewrites.
Techniques
The oldest and simplest form of fuzzing, sending a stream of random bits to software, continues to find bugs in command-line applications[2]. Another common technique that is easy to implement is mutating existing input (e.g. files from a test suite) by flipping bits at random or moving blocks of the file around. But the most successful fuzzers have detailed understanding of the format or protocol being tested.
The understanding can be based on a specification. A specification-based fuzzer involves writing the entire array of specifications into the tool, and then using model-based test generation techniques in walking through the specifications and adding anomalies in the data contents, structures, messages, and sequences. This "smart fuzzing" technique is also known as robustness testing, syntax testing, grammar testing, and (input) fault injection.[3][4][5][6][7]
The protocol awareness can also be created heuristically from examples using a tool such as Sequitur[8]. These fuzzers can generate test cases from scratch, or they can mutate examples from test suites or real life. They can concentrate on valid or invalid input, with mostly-valid input tending to trigger the "deepest" error cases.
There are two limitations of protocol-based fuzzing based on protocol implementations of published specifications: 1) Testing cannot proceed until the specification is relatively mature, since a specification is a prerequisite for writing such a fuzzer; and 2) Many useful protocols are proprietary, or involve proprietary extensions to published protocols. If fuzzing is based only on published specifications, test coverage for new or proprietary protocols will be limited or nonexistent.
Fuzz testing can be combined with other testing techniques. White-box fuzzing uses symbolic execution and constraint solving[9]. Evolutionary fuzzing leverages feedback from code coverage[10], effectively automating the approach of exploratory testing.
Types of bugs found
Straight-up failures such as crashes, assertion failures, and memory leaks are easy to detect. The use of a memory debugger can help find bugs too subtle to always crash.
Fuzz testing is especially useful against large C or C++ applications, where any bug affecting memory safety is likely to be a severe vulnerability. It is these security concerns that motivate the development of most fuzzers.
Since fuzzing often generates invalid input, it is especially good at testing error-handling routines, which are important for software that does not control its input. As such, simple fuzzing can be thought of as a way to automate negative testing. More sophisticated fuzzing tests more "main-line" code, along with error paths deep within it.
Fuzzing can also find some types of "correctness" bugs. For example, it can be used to find incorrect-serialization bugs by complaining whenever a program's serializer emits something that the same program's parser rejects[11]. It can also find unintentional differences between two versions of a program[12] or between two implementations of the same specification[13].
Reproduction and isolation
As a practical matter, developers need to reproduce errors in order to fix them. For this reason, almost all fuzz testing makes a record of the data it manufactures, usually before applying it to the software, so that if the computer fails dramatically, the test data is preserved. If the fuzz stream is pseudo-random number generated it may be easier to store the seed value to reproduce the fuzz attempt.
Once a bug found through fuzzing is reproduced, it is often desirable to produce a simple test case to make the issue easier to understand and debug. A simple testcase may also be faster and therefore more suitable for inclusion in a test suite that is run frequently. It can even help to hide the way in which the bug was found. Some fuzzers are designed to work well with testcase reduction programs such as Delta or Lithium.
Advantages and disadvantages
The main problem with fuzzing to find program faults is that it generally only finds very simple faults. The problem itself is exponential and every fuzzer takes shortcuts to find something interesting in a timeframe that a human cares about. A primitive fuzzer may have poor code coverage; for example, if the input includes a checksum which is not properly updated to match other random changes, only the checksum validation code will be verified. Code coverage tools are often used to estimate how "well" a fuzzer works, but these are only guidelines to fuzzer quality. Every fuzzer can be expected to find a different set of bugs.
On the other hand, bugs found using fuzz testing are sometimes severe, exploitable bugs that could be used by a real attacker. This has become more common as fuzz testing has become more widely known, as the same techniques and tools are now used by attackers to exploit deployed software. This is a major advantage over binary or source auditing, or even fuzzing's close cousin, fault injection, which often relies on artificial fault conditions that are difficult or impossible to exploit.
The randomness of inputs used in fuzzing is often seen as a disadvantage, as catching a boundary value condition with random inputs is highly unlikely.
Fuzz testing enhances software security and software safety because it often finds odd oversights and defects which human testers would fail to find, and even careful human test designers would fail to create tests for.
Frameworks
 |
This section requires expansion with: descriptions and comparisons of frameworks, and the advantages and disadvantages of using frameworks vs. rolling your own. |
References
- ^ John Neystadt (2008-02). "Automated Penetration Testing with White-Box Fuzzing". Microsoft. http://msdn.microsoft.com/en-us/library/cc162782.aspx. Retrieved 2009-05-14.
- ^ "Fuzz Testing of Application Reliability". University of Wisconsin-Madison. http://pages.cs.wisc.edu/~bart/fuzz/. Retrieved 2009-05-14.
- ^ Robustness Testing Of Industrial Control Systems With Achilles
- ^ Software Testing Techniques by Boris Beizer. International Thomson Computer Press; 2 Sub edition (June 1990)
- ^ Kaksonen, Rauli. (2001) A Functional Method for Assessing Protocol Implementation Security (Licentiate thesis). Espoo. Technical Research Centre of Finland, VTT Publications 447. 128 p. + app. 15 p. ISBN 951-38-5873-1 (soft back ed.) ISBN 951-38-5874-X (on-line ed.).
- ^ Software Fault Injection: Inoculating Programs Against Errors (Hardcover) by Jeffrey M. Voas, Gary McGraw. John Wiley & Sons (January 28, 1998)
- ^ NSP Partners - The Business Case and Return on Investment for Deploying Commercial Fuzzing
- ^ Dan Kaminski (2006). "Black Ops 2006". http://usenix.org/events/lisa06/tech/slides/kaminsky.pdf.
- ^ Patrice Godefroid, Adam Kiezun, Michael Y. Levin. "Grammar-based Whitebox Fuzzing". Microsoft Research. http://people.csail.mit.edu/akiezun/pldi-kiezun.pdf.
- ^ "VDA Labs". http://www.vdalabs.com/tools/efs_gpf.html.
- ^ Jesse Ruderman. "Fuzzing for correctness". http://www.squarefree.com/2007/08/02/fuzzing-for-correctness/.
- ^ Jesse Ruderman. "Fuzzing TraceMonkey". http://www.squarefree.com/2008/12/23/fuzzing-tracemonkey/.
- ^ Jesse Ruderman. "Some differences between JavaScript engines". http://www.squarefree.com/2008/12/23/differences/.
Further reading
- ISBN 0321446119, Fuzzing: Brute Force Vulnerability Discovery, Michael Sutton, Adam Greene, Pedram Amini
- ISBN 978-1-59693-214-2, Fuzzing for Software Security Testing and Quality Assurance, Ari Takanen, Jared D. DeMott, Charles Miller
External links
- Look out! It's the Fuzz! (IATAC IAnewsletter 10-1)
- Designing Inputs That Make Software Fail, conference video including fuzzy testing
- Link to the Oulu (Finland) University Secure Programming Group, the origin of Codenomicon Ltd.
This entry is from Wikipedia, the leading user-contributed encyclopedia. It may not have been reviewed by professional editors (see full disclaimer)
