Fuzzing can provide an additional avenue for bug identification alongside common testing techniques, because of its mechanical approach and the limited amount of effort needed to carry it out. It can be useful for any software that processes input received across a trust boundary, and there are several common trust boundaries to consider. Fuzzing is a testing technique like any other; it is not perfect and should be used as part of a robust testing strategy.
As such, fuzzing has both advantages and disadvantages that should be weighed before it is used. Once you have selected your fuzzing target, you will then have to decide how you would like to generate the data to use. You can either generate a selection of random data (dumb fuzzing) for use against the target, or you can use mutations of a set of valid inputs (smart fuzzing).
Should you decide to use smart fuzzing, the next step is to create a set of inputs to be used against the target; this can be broken down into two phases. The valid inputs can be obtained through a number of methods, such as monitoring the software during normal usage or reviewing the source code of the software.
For complex inputs, full code coverage is almost impossible in any sort of sensible time frame using only random input generation.
However, should the target software be simple enough that fuzzing with randomly generated data is achievable in the allotted time frame, then this is the simpler method requiring less time to implement. Should your target require complex input, a far more efficient method for creating well-formed fuzzing data is to use known good data and a mutation template.
Imagine we had a web server that required four special HTTP headers (in this case, we will call them header1, header2, header3 and header4). To find a flaw triggered by such a request, an HTTP request that contains three of the headers (header1, header2 and header4) but not header3 should be attempted.
If our fuzzing engine is able to add or delete random headers from the request, it will take a long time (if it is possible at all) to generate an HTTP request that has exactly those headers present. However, if we provide a template buffer with all possible HTTP headers present, the fuzzer will very quickly create the bogus request with all the headers present except header3.
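The template idea above, as an added example that is not part of the original article: every header the server could care about is listed once in a template, the fuzzer enumerates which headers are present, and a harness records any case that fails outside the target's intended rejection path. The toy target, its constructed validation bug, and the header values are assumptions made for this example; with five template headers the whole presence/absence space is only 32 requests.

```python
import itertools
from typing import Callable, Dict, List, Tuple

# Constructed template: every header the hypothetical server could look at.
# The names header1..header4 follow the article's example; values are arbitrary.
TEMPLATE_HEADERS: Dict[str, str] = {
    "Host": "example.test",
    "header1": "a",
    "header2": "b",
    "header3": "c",
    "header4": "d",
}


class RequestError(Exception):
    """Raised by the toy target when it rejects a request on purpose."""


def toy_target(headers: Dict[str, str]) -> str:
    """Hypothetical request handler standing in for the server under test.

    It has a constructed validation bug: it only confirms that header1,
    header2 and header4 are present before it uses header3, so a request with
    those three headers but no header3 passes validation and then raises a
    KeyError, which plays the role of the crash the fuzzer is looking for.
    """
    for name in ("header1", "header2", "header4"):
        if name not in headers:
            raise RequestError(f"missing required header {name}")
    return "".join(headers[n] for n in ("header1", "header2", "header3", "header4"))


def header_subsets(template: Dict[str, str]) -> List[Dict[str, str]]:
    """Enumerate every subset of the template's headers (2**n cases).

    Each case keeps the template's values, so the only thing being varied is
    which headers are present; that is exactly the search a template makes
    cheap and a random add/delete fuzzer makes slow.
    """
    names = list(template)
    cases: List[Dict[str, str]] = []
    for size in range(len(names) + 1):
        for combo in itertools.combinations(names, size):
            cases.append({name: template[name] for name in combo})
    return cases


def fuzz_header_presence(
    template: Dict[str, str], target: Callable[[Dict[str, str]], str]
) -> List[Tuple[Tuple[str, ...], str]]:
    """Run every header subset against the target and collect unexpected failures.

    RequestError is the target's intended rejection path, so it is not a
    finding. Any other exception is recorded together with the header names
    that triggered it, so the case can be replayed later.
    """
    findings: List[Tuple[Tuple[str, ...], str]] = []
    for case in header_subsets(template):
        try:
            target(case)
        except RequestError:
            continue
        except Exception as exc:  # anything else is a bug in the target
            findings.append((tuple(case), f"{type(exc).__name__}: {exc}"))
    return findings


if __name__ == "__main__":
    for names, error in fuzz_header_presence(TEMPLATE_HEADERS, toy_target):
        print(f"{error} with headers {names}")
```

Run as-is it reports the two cases (with and without the Host header) in which header1, header2 and header4 are present and header3 is absent. Separating the target's deliberate rejections from everything else is what keeps the findings list short enough to read.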
Fuzzers generally fall into one of the following categories, based on how they create the data with which to fuzz the target piece of software: generation, mutation, or evolution. In the following section we will briefly go over each of these categories. Generation fuzzers produce anything from completely random data to partially structured data. Imagine fuzzing an HTTP server such as the one described above, but fuzzing the whole packet completely.
Generation fuzzers usually take a valid input, break it into pieces, and then fuzz each of the selected pieces randomly. The idea is to keep the overall structure of the data but to fuzz selected parts of it.
Mutation-based fuzzers take a set of valid inputs and perform mutations on them in order to elicit errors from the software that were missed by other types of testing. Techniques such as least significant bit flipping fall into mutation fuzzing. Another example is fuzzing an HTTP request — if directed to do so, a mutation fuzzer could append random values to each of the HTTP header values in search of a vulnerability. For many targets this can be a surprisingly effective strategy, because the inputs are often similar enough to the original valid inputs to achieve a good amount of code coverage.
Checks such as ensuring that file inputs are in the correct format, or that HTTP requests contain the correct headers, can be added to the mutation fuzzer's input handling to reduce wasted fuzzing time. As previously stated, a mutation-based fuzzer leverages a selection of known good inputs to generate a set of modified inputs to be used when fuzzing.
For example, when fuzzing an MP3 processing library, the user would provide a selection of valid MP3 files, and the fuzzer would then modify these files to produce semi-valid variants of each file.
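The mutation operators discussed above (least significant bit flipping, appending random values to HTTP header values, and producing semi-valid variants of seed files), as an added example that is not code from the original article. The seed bytes are constructed stand-ins, not a real MP3 file, and the operator mix in `mutate` is one reasonable choice rather than any particular tool's; the random generator is seeded so a corpus can be regenerated exactly when a crash needs to be replayed.

```python
import random
from typing import Iterator, List

# Constructed seed: a stand-in for one valid input file (only an ID3 tag
# fragment, not a real MP3); in practice a set of known-good files is used.
SEED_FILE = b"ID3\x03\x00\x00\x00\x00\x00\x0fTIT2\x00\x00\x00\x05hello"

# Constructed seed request for the HTTP header-value mutation.
SEED_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\nAccept: */*\r\n\r\n"


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Return a copy of data with one bit toggled."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def lsb_flips(data: bytes) -> Iterator[bytes]:
    """Deterministic walk that flips the least significant bit of every byte in turn."""
    for index in range(len(data)):
        yield flip_bit(data, index, 0)


def append_to_header_values(request: bytes, payload: bytes) -> bytes:
    """Append payload to every header value, leaving the request line and body alone."""
    head, separator, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    mutated = [lines[0]]  # request line is kept as-is
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        mutated.append(name + colon + value + payload if colon else line)
    return b"\r\n".join(mutated) + separator + body


# Boundary values that parsers commonly mishandle (an assumption of this example).
INTERESTING_BYTES = (0x00, 0x7F, 0x80, 0xFF)


def mutate(seed: bytes, rng: random.Random, rounds: int = 1) -> bytes:
    """Apply `rounds` random mutations (bit flip, boundary byte, or insertion) to seed."""
    data = bytearray(seed)
    for _ in range(rounds):
        operation = rng.randrange(3)
        if operation == 0 and data:  # flip one random bit
            index = rng.randrange(len(data))
            data[index] ^= 1 << rng.randrange(8)
        elif operation == 1 and data:  # overwrite one byte with a boundary value
            data[rng.randrange(len(data))] = rng.choice(INTERESTING_BYTES)
        else:  # insert a short run of random bytes
            position = rng.randrange(len(data) + 1)
            data[position:position] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return bytes(data)


def corpus_from_seeds(seeds: List[bytes], count: int, rng_seed: int = 0) -> List[bytes]:
    """Build a reproducible corpus of semi-valid variants from the known-good seeds."""
    rng = random.Random(rng_seed)
    return [mutate(rng.choice(seeds), rng, rounds=rng.randint(1, 4)) for _ in range(count)]


if __name__ == "__main__":
    print(append_to_header_values(SEED_REQUEST, b"A" * 16))
    for variant in corpus_from_seeds([SEED_FILE], 3, rng_seed=7):
        print(variant)
```

Because none of the operators deletes bytes, every variant is at least as long as its seed and keeps most of the seed's structure, which is what lets mutation-based cases get past the early parsing stages that reject random data outright.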
Evolutionary fuzzing is based on the use of genetic programming, which aims to converge toward the discovery of vulnerabilities. Genetic algorithms are used to create successive sets of test cases. Test case generation is based on both the fuzzing framework designed by the user and the responses received from the fuzzing target. The first set of test cases is generated in a similar way to the generational fuzzer described previously, and all further test cases are produced by the evolutionary process, guided by the responses from the target.
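A minimal evolutionary loop of the kind described above, written here as an added example rather than taken from the article or any particular framework. The first generation is random (as a generation fuzzer would produce), and the "response" from the target is assumed to be the set of code paths an input reached; a child that reaches a path no earlier input reached is kept and bred from, everything else is discarded. The instrumented toy target and its constructed length-check bug are assumptions made for the example.

```python
import random
from typing import Callable, List, Optional, Set, Tuple

Coverage = Set[str]


def toy_target(data: bytes) -> Coverage:
    """Constructed target that reports which of its code paths an input reached.

    A real harness gets this from compiler or binary instrumentation; here the
    target returns the path labels directly. The deepest path needs the prefix
    b"FUZZ" followed by a length byte larger than the bytes that remain, which
    is the constructed bug we want the fuzzer to discover.
    """
    hit: Coverage = {"entry"}
    if data[0:1] == b"F":
        hit.add("magic0")
        if data[1:2] == b"U":
            hit.add("magic1")
            if data[2:3] == b"Z":
                hit.add("magic2")
                if data[3:4] == b"Z":
                    hit.add("header-ok")
                    if len(data) > 4 and data[4] > len(data) - 5:
                        hit.add("length-overrun")
    return hit


def generate_initial(rng: random.Random, count: int, length: int) -> List[bytes]:
    """First generation: random inputs, the way a generation fuzzer would start."""
    return [bytes(rng.randrange(256) for _ in range(length)) for _ in range(count)]


def mutate(parent: bytes, rng: random.Random) -> bytes:
    """Single random-byte overwrite, kept tiny so the loop itself stays readable."""
    if not parent:
        return b"\x00"
    child = bytearray(parent)
    child[rng.randrange(len(child))] = rng.randrange(256)
    return bytes(child)


def evolve(
    target: Callable[[bytes], Coverage],
    seeds: List[bytes],
    rng: random.Random,
    max_executions: int = 300_000,
    stop_on: Optional[str] = None,
) -> Tuple[List[bytes], Coverage, int]:
    """Coverage-guided evolutionary loop.

    Fitness is "reached a path no earlier input reached". Such children join
    the population and become parents; everything else is discarded. Returns
    the surviving population, the union of paths seen, and the executions used.
    """
    population = list(seeds)
    seen: Coverage = set()
    for seed in population:
        seen |= target(seed)
    executions = 0
    while executions < max_executions and not (stop_on and stop_on in seen):
        parent = rng.choice(population)
        child = mutate(parent, rng)
        executions += 1
        coverage = target(child)
        if coverage - seen:  # new path: keep it and breed from it
            seen |= coverage
            population.append(child)
    return population, seen, executions


def find_length_overrun(rng_seed: int = 1) -> Tuple[bytes, int]:
    """Run the loop against toy_target; return the input that reached the bug and the cost."""
    rng = random.Random(rng_seed)
    population, seen, executions = evolve(
        toy_target, generate_initial(rng, 2, 5), rng, stop_on="length-overrun"
    )
    if "length-overrun" not in seen:
        raise RuntimeError("execution budget exhausted before the bug path was reached")
    return population[-1], executions


if __name__ == "__main__":
    best, cost = find_length_overrun()
    print(best, "after", cost, "executions")
```

Without the feedback the four magic bytes would have to be guessed together (one chance in 2^32 per attempt); with it each byte is found independently, so the whole path is typically reached in a few tens of thousands of executions. That gap is the practical argument for evolutionary fuzzing over the blind approaches described earlier.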
There are many prebuilt fuzzing packages available that can be leveraged against a target, some of which are quite simple and require minimal setup time, while others offer a range of features and require quite complex setup.
It is also possible to design a custom fuzzing engine for a specific project. Often, fuzzing will cause a slight memory error. For example, an IndexOutOfBounds exception, which for the most part will not cause an application to crash, can in some cases lead to things like remote code execution.
On the Windows operating system, it is possible to use features such as heap canaries or similar utilities to assist with detecting memory corruption. When generating test cases, the data will need to be transformed in one way or another, regardless of whether the fuzzing is generation-, mutation- or evolution-based.
It is worth noting that edge cases are often where interesting things happen, and as such, it is advisable to include edge-case values in the test data. When carrying out fuzzing, the demanding nature of the task can itself cause errors in a target.
As such, all bugs should be reproduced for verification purposes. It is advisable to attach a debugger to the process or set up a Just-In-Time (JIT) debugger, so that a dump of the crash can be analyzed to identify how the target failed and what caused the failure. A second method that will work reliably for crashes caused by fuzzing a single request at a time is to log the manipulated data in a database or similar product so that it can be referred to at a later date.
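The logging and reproduction step above, as an added example that is not code from the original article: each crashing input is stored in a SQLite table keyed by its hash together with the traceback, and a verification pass replays every stored input against a fresh instance of the target, marking a crash as reproduced only if it recurs on every attempt. The `FlakyTarget` class is a constructed stand-in that mixes a genuine input-triggered failure with a one-off failure caused by the run itself, the situation the text warns about.

```python
import hashlib
import sqlite3
import traceback
from typing import Callable, Dict, List, Optional, Tuple

Target = Callable[[bytes], None]


def open_crash_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the crash log; one row per distinct crashing input."""
    conn = sqlite3.connect(path)
    conn.execute(
        """CREATE TABLE IF NOT EXISTS crashes (
               sha256     TEXT PRIMARY KEY,
               input      BLOB NOT NULL,
               exc_type   TEXT NOT NULL,
               trace      TEXT NOT NULL,
               reproduced INTEGER NOT NULL DEFAULT 0)"""
    )
    return conn


def record_crash(conn: sqlite3.Connection, data: bytes, exc: BaseException) -> str:
    """Store the exact input and the traceback; return the input's digest as its id."""
    digest = hashlib.sha256(data).hexdigest()
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    conn.execute(
        "INSERT OR IGNORE INTO crashes (sha256, input, exc_type, trace) VALUES (?, ?, ?, ?)",
        (digest, data, type(exc).__name__, trace),
    )
    conn.commit()
    return digest


def run_case(conn: sqlite3.Connection, target: Target, data: bytes) -> Optional[str]:
    """Feed one case to the target; on any exception log it and return the digest."""
    try:
        target(data)
        return None
    except Exception as exc:
        return record_crash(conn, data, exc)


def verify_crashes(conn: sqlite3.Connection, target: Target, attempts: int = 3) -> List[Tuple[str, bool]]:
    """Replay every logged input against a fresh target.

    A crash is marked reproduced only if it happens on every attempt; a failure
    that does not recur was probably caused by the load of the fuzzing run
    rather than by the input, and needs a closer look before it is reported.
    """
    results: List[Tuple[str, bool]] = []
    rows = conn.execute("SELECT sha256, input FROM crashes ORDER BY rowid").fetchall()
    for digest, data in rows:
        failures = 0
        for _ in range(attempts):
            try:
                target(data)
            except Exception:
                failures += 1
        stable = failures == attempts
        conn.execute("UPDATE crashes SET reproduced = ? WHERE sha256 = ?", (int(stable), digest))
        results.append((digest, stable))
    conn.commit()
    return results


class FlakyTarget:
    """Constructed target with two failure modes.

    Inputs starting with 0xFF always raise (an input-triggered bug). Separately,
    its third call ever raises MemoryError regardless of input, standing in for
    a resource-exhaustion failure caused by the fuzzing run itself.
    """

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, data: bytes) -> None:
        self.calls += 1
        if data[:1] == b"\xff":
            raise ValueError("bad magic byte")
        if self.calls == 3:
            raise MemoryError("simulated exhaustion under fuzzing load")


def demo() -> Dict[str, Tuple[bool, Optional[bool]]]:
    """Fuzz four constructed cases, then re-verify what crashed against a fresh target."""
    conn = open_crash_db()
    cases = [b"\x00", b"\x01", b"\x02", b"\xff\x00"]
    target = FlakyTarget()
    digests = [run_case(conn, target, case) for case in cases]
    verified = dict(verify_crashes(conn, FlakyTarget()))
    return {case.hex(): (digest is not None, verified.get(digest)) for case, digest in zip(cases, digests)}


if __name__ == "__main__":
    for case_hex, (crashed, reproduced) in demo().items():
        print(case_hex, "crashed" if crashed else "ok", "reproduced" if reproduced else "")
```

The input `02` crashes during the run but not on replay, so it is flagged as unstable rather than reported as a bug, while `ff00` crashes every time and is the finding worth handing to a debugger. Keying rows by the input's hash also deduplicates the many identical cases a fuzzer tends to produce.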
While finding bugs in a timely manner can require a large time investment to correctly set up a suitable fuzzing framework for the task, integrating fuzzing into the software testing suite can help avoid costly vulnerabilities being discovered by malicious actors in the future. Fuzzing is a useful software testing technique that can be leveraged with little time invested (depending on framework complexity), across multiple types of software, and can be very effective at finding vulnerabilities missed by techniques like code reviews.
Since , Coalfire has worked at the cutting edge of technology to help public and private sector organizations solve their toughest cybersecurity problems and fuel their overall success. Coalfire helps organizations comply with global financial, government, industry and healthcare mandates while helping build the IT infrastructure and security systems that will protect their business from security breaches and data theft.
The company is a leading provider of IT advisory services for security in retail, payments, healthcare, financial services, higher education, hospitality, government and utilities. Coalfire is committed to creating a culture that fosters diversity, inclusion, belonging, and equity. It was designed to be user-friendly, modern and effective.

Like other testing techniques, fuzzing is not perfect and should be used as part of a robust testing strategy.
Fuzzing has both pros and cons. It is a testing approach that can produce good results when used to identify bugs and crashes at any entry point. Nonetheless, finding bugs is a time-consuming task, and it can require a large time investment to correctly set up a suitable fuzzing platform or tool that is integrated with the software testing suite. While this is seen as the main drawback of this testing paradigm, fuzzing can still help find critical vulnerabilities and prevent them from being discovered by malicious agents in the future.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and a Security Evangelist. He is also Editor-in-Chief of the security computer blog seguranca-informatica.
He is also a Freelance Writer.

Fuzzing introduction: Definition, types and tools for cybersecurity pros
Posted: September 30,

Mutation-based fuzzers alter existing data samples to create new test data. This is the simplest and most straightforward approach: it starts with valid samples of the protocol or file and keeps mangling their bytes.
Generation-based fuzzers define new data based on a model of the input. They generate input from scratch based on the specification, so their effectiveness depends on how well the specification is understood. This involves writing the specification into the tool, then using a model-based test generation technique to walk through the specification and add irregularities to the data contents, sequence, and so on.
This is also known as syntax testing, grammar testing, robustness testing, etc. Fuzzers can generate test cases from existing ones, or they can use valid or invalid inputs. The simplest form of fuzzing is sending random input to the software, either as protocol packets or as events.
This technique of passing random input is very powerful for finding bugs in many applications and services. Other techniques are also available, and they are very easy to implement.
To implement these techniques we just need to change the existing inputs, for example by flipping bits of the input. Fuzzing for assertion failures and memory leaks: this methodology is widely used for large applications, where bugs affecting memory safety are severe vulnerabilities.
In fuzz testing, fuzzers are used to generate invalid input that is used to test error-handling routines; this is important for software that does not control its input.