By: Gabriel Schram
July 13, 2021
The complexity of vulnerability testing for software is expanding with the advancement of connected systems. One of the most effective methods to find vulnerabilities in software is fuzz testing. Fuzz testing, also called fuzzing, is a process meant to find bugs in software through varied or semi-random input. Specifically, a fuzz test provides unexpected input to an application to solicit an unexpected response or exception that indicates a vulnerability. Fuzzing supplies an application with input that it does not necessarily know how to handle. The goal is to discover vulnerabilities that would otherwise be difficult to find with other forms of software testing. This process is usually streamlined through automated injection of malformed data. Programs designed to conduct fuzz testing are called fuzzers. An unexpected response can point to a range of vulnerabilities, from improper error handling to a crash of the entire application. Whatever the case may be, fuzz testing is a quintessential tactic for finding software vulnerabilities, from a defensive or a malicious standpoint. Fuzz testing varies based on several characteristics, but the end goal remains the same: to test every potential type of input that a program can receive. Newer technologies have streamlined this type of software testing because it has become a significant step in secure software development.
How Does Fuzzing Work?
Once the target is identified, fuzzing can be categorized by how it generates input for the target and by the type of input it uses. Additional factors to consider are awareness of the input format and knowledge of the targeted software's structure. Black-box fuzzers are not aware of the program's structure, whereas white-box fuzzing uses the known structure to broaden code coverage. Leveraging program structure for white-box testing can be time- and resource-consuming, but black-box testing can miss some of the deeper-rooted vulnerabilities. Gray-box fuzzing strikes a balance by using instrumentation and runtime data to create new inputs and test cases; these fuzzers incrementally learn the software being tested. Fuzzing covers the input and output surfaces of the tested software, including command-line options, user interface buttons, file formats, etc.
Fuzz inputs can be derived by mutation or by generation. Generation-based fuzzing does not consider previous inputs and generates random data based on the input format of the target. Mutation-based fuzzing alters a provided set of inputs based on the output of previous iterations; the provided set of inputs for a fuzzing target is called the seed corpus. Inputs that reach previously unchecked paths in the target, identified through earlier iterations of mutated input, can be added to the corpus.
Once fuzzed data is executed, it is important to monitor and log the behavior and defects triggered by particular inputs; this is the main purpose of fuzz testing. The major points to address are inputs that create errors or crash the system. Fuzz testing is meant to find vulnerabilities that might not be caught by code review, so that they can be patched as soon as possible. An overview of these steps can be seen in Figure 1.
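The mutation-based, gray-box loop described in this section (a seed corpus, instrumentation, keeping inputs that reach new paths, logging crashes), as an added example that is not part of the original article or of any tool it names. The target parser, its planted off-by-one and the seed `b"\x7f\x03abc"` are constructed for the demo, and the single mutation stage (walking every byte value through each position) is a simplification of what real fuzzers do.

```python
import sys

# Constructed toy target (stands in for the software under test): a length-prefixed
# record parser with a planted off-by-one so the fuzzer has a defect to find.
def parse_record(data: bytes) -> int:
    if len(data) < 2 or data[0] != 0x7F:
        return -1                        # bad magic: rejected early
    length = data[1]
    payload = data[2:2 + length]
    if length <= 8:
        return len(payload)              # short records are handled fine
    if payload[:1] != b"O":
        return len(payload)
    if payload[1:2] != b"K":
        return len(payload)
    return payload[len(payload) + 1]     # planted bug: reads one past the end

def run_with_coverage(target, data):
    """Gray-box instrumentation: which lines of `target` ran, and any crash."""
    lines = set()
    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is target.__code__:
            lines.add(frame.f_lineno)
        return tracer
    sys.settrace(tracer)
    try:
        target(data)
        return lines, None
    except Exception as exc:             # an unhandled exception is a crash
        return lines, exc
    finally:
        sys.settrace(None)

def fuzz(target, seeds):
    """Mutation stage: walk every byte value through every position of each entry."""
    corpus, seen, crashes = list(seeds), set(), []
    for seed in seeds:
        seen |= run_with_coverage(target, seed)[0]
    for parent in corpus:                # entries appended below are visited too
        for pos in range(len(parent)):
            for value in range(256):
                child = parent[:pos] + bytes([value]) + parent[pos + 1:]
                lines, exc = run_with_coverage(target, child)
                if exc is not None:
                    crashes.append((child, repr(exc)))   # log the finding
                elif not lines <= seen:  # new path reached: keep this input
                    seen |= lines
                    corpus.append(child)
    return corpus, crashes
```

Calling `fuzz(parse_record, [b"\x7f\x03abc"])` grows the corpus from one entry to four as each new branch is reached, and the crash list holds the single input that triggers the planted off-by-one.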
Why Conduct Fuzz Testing?
Fuzz testing is meant to identify threat actor entry points. When done correctly, fuzzing addresses major vulnerabilities that could otherwise lead to well-known cyber attacks. A fuzz test needs to be sensitive to all types of bugs and misconfigurations. Fuzzing can expose a program's susceptibility to buffer overflows, cross-site scripting, SQL injection, and several other weaknesses. Logically, software that is tested more thoroughly will be more reliable once released, and fuzzing is one of the most effective software testing methods.
Fuzzing should be an active part of secure software development because it can be used maliciously as well. There are multiple options for open-source fuzzers, which is somewhat of a double-edged sword: if threat actors have access to fuzzing tools, developers must stay current with newer fuzzing technologies and how they are being used. American Fuzzy Lop (AFL) and Radamsa are among the top open-source fuzz testing tools. Fuzzing is one of the best resources for monitoring an application's behavior, and it is necessary because it logs defects in a program before malicious actors can exploit them.