Fuzz testing is an effective technique for uncovering serious defects in software. From the Heartbleed vulnerability in 2014 to the infamous Jeep Cherokee hacking in 2015, fuzz testing is the technique that has made many high-profile discoveries possible. Consistently, fuzzing is proven to be a powerful tool for ensuring the safety, security, and resiliency of software. Yet, this three decade year old technique, which has shown rapid evolution, remains largely unused.
History has shown the future of technology makes its breakthrough years before it becomes mainstream. The advent of bleeding-edge technology is hardly about whether it’s technically possible, but rather whether it’s reasonably accessible. Fuzzing is a technique that remains exclusive to tech behemoths, such as Google, Microsoft, Apple, and Amazon, who have padded budgets and reach to world-class experts.
At ForAllSecure, we believe organizations should have access to the tools they need to build safe, secure, reliable software. With Mayhem, our mission is to make this powerful technique available to the many, rather than the few, by lowering the three most common technical barriers to entry. Here’s how we’re doing it.
Systematic approach to fuzz testing
The quality of results users get from fuzzing is highly dependent on a well-built tool that takes a strategic and intelligent approach. When organizations attempt to bring fuzzing in their organization, most opt for the most cost-effective: random fuzzing. Random fuzzing is widely perceived to be the worst means to fuzz testing. An enlightened few may pursue fuzzing through coverage guided generational fuzzing, the newest and most advanced fuzzing approach. However, most hit a technical hurdle when they realize that they must possess the skills of both a computer scientist and a security researcher -- a remarkably unique cross-section -- to properly operate this advanced fuzzing technique.
Mayhem builds on the tried-and-true methods of coverage guided fuzzing by combining it with the ingenuity of symbolic execution, patented technology from a decade of research at Carnegie Mellon University. Symbolic execution has the capability to mathematically reason for conditional functions within code, allowing the guided fuzzer to efficiently reach deeper into software. Its systematic and thorough approach enables Mayhem to uncover at least 25% more defects than using coverage guided fuzzing alone.
As Mayhem traverses through software, it’s capable of obtaining knowledge of its software-under-test (SUT) over time. Mayhem takes in feedback from its targets to influence the autonomous generation of future test cases, increasing the likelihood of uncovering deeper defects. This approach offers scalability advantages over manual penetration testing efforts and enables both security and development teams to less time on tedious vulnerability management efforts.
Integration into CICD pipelines
At its core, fuzz testing aims to bombard software with unexpected input. This practice is known as negative testing. The purpose of negative testing is to ensure the application remains stable in unexpected use cases. While simple in concept, execution proves to be much more complex. The greatest challenge with negative testing is that there is an infinite combination of invalid inputs to test. It is impossible to test all the possible ways to misuse an application before it is deployed. This is where fuzzing can provide tremendous relief. Fuzz testing shrinks this “infinite space” problem with machine automation.
Despite this strength, ironically one of the largest technical limitations to fuzzing is the inability to integrate it into DevOps pipelines. Before each test run, fuzzing requires a manual process known as harnessing for target selection or component isolation, adding considerable development slow down. On the other hand, Mayhem is able to ingest whole docker applications without any changes to source. This enables not only automates target selection and component isolation, but also adds workflow for ease-of-use, allowing fuzzing to automatically kicks off and operate quietly in the background as a part of the continuous build process.
We believe that false-positives are the antithesis of continuous development, so we’ve ensured Mayhem has a zero false-positive rate. To protect developer productivity, we validate each finding three times, so developers are only pulled away for reproducible issues within their code. Mayhem shares test cases to all of its findings as proof of defect. The collection of test cases not only help verify fixes, but are also automatically used for regression testing to ensure previously discovered defects aren’t reintroduced.
Fuzzing solutions are typically dynamic application security testing (DAST) solutions -- meaning they are able to analyze applications without access to source code. An offensive approach has many advantages, including being able to approach testing through the lens of a hacker or having a higher accuracy rate. One of the drawbacks, however, is that the fuzzer provides descriptive system-level information, describing the issue rather than prescribing a clear path to remediation. Mayhem is able to provide detailed remediation guidance -- down to the line of affected code -- as well as defect deduplication and categorization, allowing them to quickly prioritize efforts.
On a micro level these technical capabilities may seem like they address niche problems. On a macro level, however, these technical capabilities dramatically improve usability, addressing some of the most necessary organizational needs. You might have heard us say: ForAllSecure Mayhem is an intelligent, highly-accurate continuous fuzz testing solution that autonomously discovers and validates defects as a part of CICD workflows.
We mean it.
Interested in learning more about fuzzing? Listen to industry fuzzing experts -- Jared DeMott, VDA Labs; Chris Clark, Synopsys; and Billy Rios, WhiteScope -- share their experiences working fuzzing and the observations they’ve made while helping organizations harness the power of fuzzing. Watch the webinar here.