Transcript Document

Fuzzing
fuzz testing == fuzzing
“The original work was inspired by being logged on
to a modem during a storm with lots of line noise.
And the line noise was generating junk characters
that seemingly were causing programs to crash.
The noise suggested the term ‘fuzz’.”
--Barton Miller
Fuzzing
Definition
(IEEE Standard Glossary of Software Engineering Terminology)
“The degree to which a system or component can function
correctly in the presence of invalid inputs or stressful
environmental conditions.”
The basic idea
(Diagram: fuzzer)
What to Fuzz
Complex data formats
image, sound, video, etc. files
object code / bytecode
Protocols
network protocols (TCP/IP, http, key exchange, SSL, etc.)
database (SQL)
User-provided files
The basis of fuzzing… test cases
Two Types of Fuzzers
Mutation Fuzzers
the “dumb” fuzzers
Generative Fuzzers
intelligence comes with a price…
Why Fuzz?
Mutation Fuzzers
(Diagram: User, fuzzer)
What does the fuzzer do?
bit flipping
remove bit segments
insert bit segments
sometimes uses heuristics
Example: ______
Mutated Test Case(s)
Generative Fuzzers
(Diagram: User, fuzzer)
What does the user specify?
data model
state model
Example: ________ fuzzer
Downside – complex to use
Mutated Test Case(s)
The Good, the Bad, & the Ugly
Test the unusual
Large number of test cases
Complexity of input difficult to capture
Tedious configuration
Correctness?
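Added example, not from the slides: a minimal mutation ("dumb") fuzzer that applies the three operations listed on the Mutation Fuzzers slide (bit flipping, removing segments, inserting segments) to a seed test case, plus a small oracle that addresses the "Correctness?" point above by separating the target's intended rejections from genuine crashes. The target parse_records and its record format are constructed for this example; the fixed random seed keeps a run reproducible.

```python
import random
def parse_records(data: bytes) -> float:
    # Toy target (constructed): byte 0 = record count N, then N one-byte lengths.
    # Malformed input is meant to be rejected with ValueError; returns mean length.
    count = data[0]
    lengths = data[1:1 + count]
    if len(lengths) != count:
        raise ValueError("truncated record table")
    return sum(lengths) / count  # oversight: count == 0 divides by zero

def flip_bits(data, rng):  # slide: "bit flipping" - flip one random bit
    if not data: return data
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    return bytes(buf)

def remove_segment(data, rng):  # slide: "remove bit segments"
    if len(data) < 2: return data
    start = rng.randrange(len(data))
    return data[:start] + data[rng.randint(start + 1, len(data)):]

def insert_segment(data, rng, max_len=8):  # slide: "insert bit segments"
    pos = rng.randint(0, len(data))
    seg = bytes(rng.randrange(256) for _ in range(rng.randint(1, max_len)))
    return data[:pos] + seg + data[pos:]

def mutate(seed, rng, rounds=3):
    # Stack a few random mutations on the seed test case.
    for _ in range(rounds):
        seed = rng.choice([flip_bits, remove_segment, insert_segment])(seed, rng)
    return seed

def classify(target, data):
    # Oracle: ValueError is the parser's intended rejection; anything else is a crash.
    try:
        target(data)
        return "ok"
    except ValueError:
        return "rejected"
    except Exception as exc:
        return "crash:" + type(exc).__name__

def fuzz(target, seed, iterations, rng_seed=0):
    # Returns {crash name: first mutated input that caused it}; fixed seed = reproducible.
    rng, found = random.Random(rng_seed), {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        verdict = classify(target, case)
        if verdict.startswith("crash:"):
            found.setdefault(verdict, case)
    return found
```

Running fuzz(parse_records, b"\x02\x03\x04", 1000) turns up the zero-count division and the unhandled empty input, both of which the parser's own ValueError check never catches; every crash input is kept so it can be replayed against the target.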
Some “Fuzzy” Links
zzuf Fuzzer
http://caca.zoy.org/wiki/zzuf
Peach Fuzzer
http://peachfuzzer.com
Jester
http://jester.sourceforge.net
Taof (the art of fuzz testing)
http://sourceforge.net/projects/taof