Fuzz testing (fuzzing) is all the rage. This automated testing technique shows the existence of bugs within an application and has a proven track record of findings that can lead to exposing common vulnerabilities. But what’s it all about? Here are 12 fun facts that can help clear things up:
1. It harnesses randomness to find bugs
With fuzzing, random data (fuzz) is used to find bugs in software. Random inputs are entered into the program, and if an undesired or unexpected behavior (a bug) is found, then it’s fixed or saved for future analysis.
2. Its name is meant to make you think of unstructured data
Fuzz testing was created by accident by Professor Barton Miller when a thunderstorm added electrical noise to the system he had dialed into through his phone line, inserting random inputs that made the code crash. After realizing that common Unix utilities he used every day were so vulnerable to random inputs, he simulated the randomness of the noise in a testing project. The technique was further developed by his students at the University of Wisconsin in 1989.
3. Fuzzing can be done in black box, white box or grey box systems
In black box fuzzing, the fuzzer has a relatively small amount of feedback from the program under test. When the fuzzer produces a new input, it can only result in one of two outcomes: either the program crashes, or it doesn’t. No information is provided about the cause of the crash. White box fuzzing uses very heavy reasoning and produces more detailed outputs, but as a result this method is complex and difficult to scale.
Gray box fuzzing is the middle-ground between these two: The fuzzer can observe lightweight information about the execution of the program, but that’s enough to find relative bits in the process. AFL is one of the most well known grey box fuzzing tools, and one of the most widely used fuzzing tools in general.
4. It’s lightning fast
Because fuzz tests can execute the program under test thousands of times per second, the process can be iterated millions of times, making this method a quick way to find unknown vulnerabilities.
5. It can be used for good or bad
Fuzzing doesn’t always require access to the source code, which is why it’s one of the most common methods used by hackers to discover vulnerabilities in closed-source software. But if you fuzz test your own code first, you can find these vulnerabilities before hackers do and fix them, ultimately making your code more secure.
6. It’s budget-friendly
Fuzz testing is a cost-effective way of testing code because it requires few resources to complete: a simple fuzzer can be created with relative ease.
7. It often detects three types of bugs
These are:
- Memory safety flaws
- Invalid inputs
- Correctness bugs, such as assertion failures or infinite loops
8. Flaws detected through fuzz testing are often critical
Fuzz testing has a proven record of detecting high-risk bugs. This impressive track record led to Google creating their own fuzzing tool, aptly named ClusterFuzz, earlier this year.
9. Fuzzers can synthesize structured files out of thin air
You wouldn’t expect this capability from such a simple technique, but fuzz testing tools can create well-formed JPEGs from simple text files. Check out some of these images.
10. Fuzz testing is a completely automated process
Fuzz testing is ripe for automation due to its black box methodology and simple outcomes. If an application crashes or hangs, it fails the test; otherwise, it passes. Once properly configured, the fuzzer automatically produces and selects relevant inputs for the program under test.
11. It’s a little bit like having a monkey type at a keyboard
The infinite monkey theorem states that a monkey hitting keys at random on a typewriter for an infinite amount of time will inevitably type any given text, such as the complete works of Shakespeare. Fuzz testing is based on the same idea of trial and error, if Shakespeare were the equivalent of an input that revealed a dangerous bug.
12. We’re developing our own advanced fuzzing techniques
Diffblue is developing advanced fuzzing techniques for security analysis and test generation for managed languages (specifically, Java) and unmanaged languages, in contrast to the relatively prevalent fuzzers for only unmanaged languages. Fuzzing is just one of the techniques we use in our core engine, but it’s a good one to have in our toolbox.
