Product Security Glossary

Fuzzing

What is Fuzzing?

Fuzzing is an automated method of testing software by feeding it large numbers of invalid, malformed, or unexpected inputs and watching how it reacts.  It targets a particular class of bugs: the ones that make a program crash, hang, or misbehave when it is handed input it did not anticipate.

How does Fuzzing Work?

Many programs require that input arrive in a particular format: a person's name in one form, a number in any of several others.  A properly designed program should reject input that does not match the expected format, and this usually works for input that is obviously wrong, such as a name typed into a number field.  The harder case is input that is malformed but close enough to correct that it gets past the program's input validation and is then processed by code that assumed validation had already caught every problem.

Inputs arriving from the outside, and therefore potentially under an attacker's control, usually have a defined format, and inputs deviating from it should be rejected.  When the validation code has errors and rejection is imperfect, some malformed inputs reach code that was written on the assumption that validation had succeeded, and the program behaves in ways its authors never intended.  Fuzzing attempts to discover such inputs automatically, by generating large numbers of random or semi-random inputs, running the program on each one, and observing the result.

How is Fuzzing Useful?

In standard software testing, a program or program unit is supplied with expected forms of input to verify correct behavior.  Fuzzing complements this by probing behavior on inputs nobody thought to write a test for, and so finds bugs that can crash a program or, in the worst case, let an attacker take control of the system or read sensitive data.  (These are not separate problems: a crash is a reliability failure, reliability is itself an aspect of security, and the same out-of-bounds memory access that crashes a program under one input may be exploitable under another.)
  
An automated fuzzing tool bombards a program with invalid inputs and watches how it reacts.  For this to be effective, the fuzzer needs a way to tell normal behavior (the input was rejected cleanly) from abnormal behavior (a crash, a hang, an unhandled exception).  Some bug classes are only visible with help: a buffer overflow or a memory leak is caught reliably only when the target is built with a memory error detector such as AddressSanitizer, and a race condition may need a thread sanitizer or repeated runs to surface at all.  Without such instrumentation the fuzzer sees only the errors that happen to crash the process.

When a fuzzer finishes, it should save its findings, most importantly the exact inputs that triggered each abnormal behavior, so that a developer can replay them and reproduce the bug.  Those reproducers, together with a summary report, are what gets shared with the people responsible for the code.
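The loop described in the two sections above, as an added example that is not part of the original glossary entry: a constructed record parser with a deliberate bug (the declared length is trusted), a mutation-based input generator, an oracle that treats a clean ValueError as normal and any other exception as a finding, and a report that keeps the smallest reproducer per distinct crash.  The record format, the parser and the seed input are all invented for this illustration.

```python
import collections
import json
import random


def parse_record(data: bytes) -> dict:
    """Constructed target for the example: a record is b"REC", one length
    byte, the payload, then a one-byte checksum of the payload.

    Intended rejections raise ValueError; any other exception is a bug."""
    if len(data) < 5:
        raise ValueError("too short")
    if data[:3] != b"REC":
        raise ValueError("bad magic")
    length = data[3]
    if length == 0:
        raise ValueError("empty payload")
    payload = data[4:4 + length]
    # BUG: the declared length is trusted. A record whose payload is shorter
    # than declared passes every check above, then indexes past the end here.
    checksum = data[4 + length]
    if sum(payload) % 256 != checksum:
        raise ValueError("checksum mismatch")
    return {"length": length, "payload": payload}


def make_record(payload: bytes) -> bytes:
    """Builds a valid record, used as the fuzzer's seed input."""
    return b"REC" + bytes([len(payload)]) + payload + bytes([sum(payload) % 256])


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Semi-random input generation: a few byte-level edits to a valid seed,
    so most results stay close enough to the format to get past early checks."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(3)
        if op == 0 and data:                      # overwrite a byte
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 1 and data:                    # delete a byte
            del data[rng.randrange(len(data))]
        else:                                     # insert a byte
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)


def run_one(target, data: bytes):
    """The oracle: a clean rejection is normal, anything else is a finding."""
    try:
        target(data)
        return "ok", None
    except ValueError:
        return "rejected", None
    except Exception as exc:
        return "crash", f"{type(exc).__name__}: {exc}"


def fuzz(target, seeds, iterations: int, rng_seed: int = 0):
    """Mutate the seeds, run each input, keep the smallest reproducer per
    distinct crash signature, and count outcomes."""
    rng = random.Random(rng_seed)
    findings = {}
    stats = collections.Counter()
    for _ in range(iterations):
        data = mutate(rng.choice(seeds), rng)
        outcome, signature = run_one(target, data)
        stats[outcome] += 1
        if outcome == "crash":
            best = findings.get(signature)
            if best is None or len(data) < len(best):
                findings[signature] = data
    return findings, stats


def report(findings: dict, stats) -> str:
    """JSON report with hex-encoded reproducers, ready to hand to a developer."""
    return json.dumps({
        "outcomes": dict(stats),
        "findings": [{"signature": sig, "reproducer_hex": data.hex()}
                     for sig, data in sorted(findings.items())],
    }, indent=2)


if __name__ == "__main__":
    found, counts = fuzz(parse_record, [make_record(b"abc")], iterations=5000)
    print(report(found, counts))
```

The point of the oracle is that the parser's own rejections are not findings; only behavior the parser never intended (here an IndexError from reading past the end of a short record) is.  Deleting a single payload byte from a valid seed is enough to produce such a record, which is exactly the "close to correct" input the text describes.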


What are the Types of Fuzzing?

Fuzzing tools can be categorized in several different ways.  For example, we can categorize them by the general fuzzing method used, as shown here:

  • With black-box fuzzing, the fuzzing tool knows nothing about the internal structure of the program under test.  All it can do is provide invalid inputs and observe how the program reacts.  This is the fastest type of fuzzing per test case, but because the tool gets no feedback from the program it can miss a lot of problems.  Defining patterns or a grammar for the generated inputs, so that more of them are close enough to valid to reach deep code, is usually required to increase the chances of hitting corner cases.
  • With white-box fuzzing, the fuzzing tool uses program analysis techniques (for example, symbolic execution of the program's branch conditions) to gain knowledge of the program's internal structure.  This lets the tool enumerate the execution paths through the program and construct inputs that exercise as many of them as possible.  This type of testing can find problems that black-box testing cannot, but the analysis is expensive and it takes much longer.
  • Gray-box fuzzers use lightweight instrumentation, typically added when the target is compiled, to observe which code paths each input exercises, rather than analyzing the program.  Inputs that reach code no earlier input reached are kept and mutated further, so the fuzzer gradually works its way deeper into the program.  This is much faster than white-box fuzzing while remaining very effective at finding bugs; the coverage-guided fuzzers in common use today work this way.
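The difference between black-box and gray-box fuzzing, as an added example that is not part of the original glossary entry.  The target is a constructed function that checks a four-byte magic value one byte at a time and then trusts the next byte as an offset.  Python's sys.settrace stands in for the compile-time instrumentation a real gray-box fuzzer would use; it records which lines of the target each input executes.  Both fuzzers use the same single-byte mutation, so the only difference is the coverage feedback.  The contrast is deliberately stark: black-box single-byte flips of a fixed seed can never assemble all four magic bytes at once, which is the point, not a benchmark.

```python
import random
import sys


def check_header(data: bytes) -> int:
    """Constructed target: a four-byte magic checked one byte at a time,
    guarding a bug that only inputs with the full magic can reach."""
    if len(data) < 5:
        return -1
    if data[0] != ord("F"):
        return -1
    if data[1] != ord("U"):
        return -1
    if data[2] != ord("Z"):
        return -1
    if data[3] != ord("Z"):
        return -1
    # BUG: the byte after the magic is trusted as an offset into the record;
    # any value >= len(data) raises IndexError.
    return data[data[4]]


def flip_byte(data: bytes, rng: random.Random) -> bytes:
    """The only mutation used here: overwrite one byte with a random value."""
    out = bytearray(data)
    out[rng.randrange(len(out))] = rng.randrange(256)
    return bytes(out)


def run_traced(target, data: bytes):
    """Stand-in for compile-time instrumentation: record which source lines
    of the target a single run executes, and whether it crashed."""
    covered = set()

    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is target.__code__:
            covered.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        outcome = "ok"
    except Exception as exc:
        outcome = f"crash: {type(exc).__name__}"
    finally:
        sys.settrace(None)
    return outcome, frozenset(covered)


def blackbox_fuzz(target, seed: bytes, iterations: int, rng_seed: int = 0):
    """No feedback: every input is a fresh mutation of the original seed."""
    rng = random.Random(rng_seed)
    for i in range(1, iterations + 1):
        data = flip_byte(seed, rng)
        try:
            target(data)
        except Exception as exc:
            return i, data, f"crash: {type(exc).__name__}"
    return None


def graybox_fuzz(target, seed: bytes, iterations: int, rng_seed: int = 0):
    """Coverage guided: an input that reaches a line no earlier input reached
    joins the corpus, so partial progress through the checks is kept."""
    rng = random.Random(rng_seed)
    corpus = [seed]
    seen = set(run_traced(target, seed)[1])
    for i in range(1, iterations + 1):
        data = flip_byte(rng.choice(corpus), rng)
        outcome, covered = run_traced(target, data)
        if outcome.startswith("crash"):
            return i, data, outcome
        if not covered <= seen:          # new line reached: keep this input
            seen |= covered
            corpus.append(data)
    return None


if __name__ == "__main__":
    seed = b"AAAAAAAA"
    print("black-box:", blackbox_fuzz(check_header, seed, 100_000))
    print("gray-box: ", graybox_fuzz(check_header, seed, 100_000))
```

Each magic byte is a one-in-256 guess, so a black-box fuzzer has to get all four right in a single input.  The gray-box fuzzer keeps every input that gets one byte further, and so solves the four guesses one at a time, typically within a few tens of thousands of runs here.  Real coverage-guided fuzzers do the same thing with edge coverage from compiler instrumentation and far richer mutation strategies.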

Summary

Fuzzing is an important part of the security process.  Software developers and security personnel alike should have a variety of fuzzing tools in their arsenal.