The Fundamentals of Fuzz Testing
Organizations are increasingly adopting more security practices to ensure the quality and robustness of their applications. One of the challenges that remain unaddressed is finding unknown or zero-day vulnerabilities. Most tools today focus on finding vulnerabilities through known attack patterns or querying vulnerability databases. In September 2021, ForAllSecure hosted a webinar on the fundamentals of fuzz testing.
Alexander Brewer, ForAllSecure Solutions Engineer, helps organizations learn how to uncover critical unknown vulnerabilities in code with a technique known as fuzzing. Listed below are the top three takeaways from The Fuzzing Fundamentals with Mayhem webinar.
What is Fuzz Testing?
Fuzz testing is a dynamic application security testing (DAST) technique for negative testing. It operates by sending malformed inputs to applications with the objective of triggering bad behaviors, such as crashes, infinite loops, and/or memory leaks. These anomalous behaviors are often a sign of a previously unknown underlying software vulnerability.
According to researchers, the most efficient technique for uncovering some of the most infamous vulnerabilities such as Heartbleed is a robust series of negative testing (i.e. fuzz testing).
Finding Vulnerabilities In Software Is Like Exploring A Maze
“In computer science, code often represents programs as ordered trees. Traversing the paths of each tree could be seen as traversing the paths of the maze, where some inputs result in correct behavior, some inputs go nowhere at all, and some inputs result in bad behavior. Those inputs can be thought of as directions in the maze, and when the program executes, it begins to follow the directions of the maze,” says Brewer.
However, the biggest challenge is exploring the maze efficiently. This is where the concept of minimum set comes into play. Minimum set is valuable because it is the minimum set of inputs needed to cover every behavior that the program exhibits. This capability is key for efficient and effective analysis, a desirable feature as organizations move towards CI/CD.
Fuzz Testing Is Happening All Around Us
Believe it or not, fuzz testing happens all the time.
- It might happen unintentionally, for example when a user erroneously tries to use a program in a way that it was not intended to be used - these are robustness or safety concerns.
- It might happen maliciously, in the case that a bad actor intentionally sends malformed input that they know will cause the program to fail or crash in some way - this is a security concern.
Fuzz testing allows testers to answer the following question before attackers are given the chance: If the adversaries were going to try to break your system, how would they do it? What could they possibly find? What would they exploit?
Interested in watching the full session? The Fuzzing Fundamentals training is available every other month. Keep an eye out on our Event page here for the next session.