Why Use Mayhem?

Mayhem is an Application Security Testing platform for developers and security practitioners alike to collaborate and easily organize, manage, and test their applications for defects and security vulnerabilities.

At its core, Mayhem uses an advanced fuzzer that analyzes a running Linux process and combines the tried-and-true methods of instrumentation-guided fuzzing with the ingenuity of symbolic execution.

Tip:  Check out The Science Behind Mayhem for an easy-to-understand breakdown of Mayhem and its instrumentation-guided fuzzing and symbolic execution capabilities.

What is Fuzzing?

Fuzzing, or fuzz testing, is a software testing technique that injects random data as inputs to an application to monitor and detect bugs/defects related to program failures or crashes. The application will re-run continuously, each with differing inputs, to attempt to cover as much of the underlying code as possible and seek out edge cases that may result in a crash.

Let's look at a basic example of how this works!

Fuzzing a Vulnerable Application

When you first learn to program, you print out Hello World!; when you first learn to fuzz, you try to find bugs and create test suites for the testme application.

Test suites are collections of various test cases that are used to input and run differing parts of a target application. Therefore, if a defect is found for a target application, a resulting test case will be saved that can be used to re-create the defect scenario.

Let's see how this works by taking a look at the source code of our first vulnerable app, testme:

#include <stdio.h>
#include <string.h>
int fuzzme(char *buf)
{
  if(buf[0] == 'b')
    if(buf[1] == 'u')
      if(buf[2] == 'g') {
       abort(); // Defect: Sends a SIGABRT signal
     }
  return 0;
}
int main(int argc, char *argv[])
{
  FILE *f;
  char buf[12];
  if(argc != 2){
    fprintf(stderr, "Must supply a text file\n");
    return -1;
  }
  f = fopen(argv[1], "r");
  if(f == NULL){
    fprintf(stderr, "Could not open %s\n", argv[1]);
    return -1;
  }
  if(fgets(buf, sizeof(buf), f) == NULL){
    fprintf(stderr, "Could not read from %s\n", argv[1]);
    return -1;
  }
  fuzzme(buf);
  return 0;
}

‍

Here we see that the testme application contains two functions: main and fuzzme

main function indicates that when a file is properly supplied as an argument to the testmeapplication, it will invoke the fuzzme function in which the file contents are parsed character by character. If the contents of the given file input spells out "bug", then an abort()function will occur and consequently crash the program by raising a SIGABRT signal.

The use of the abort() function within the testme application will be classified as the following defect when the test case "bug" is given as a file input:

1. Line 9: CWE-20 - Improper input validation defect.

Running the testme application through Mayhem will automatically find the SIGABRT defect, but also create a test suite, or set of inputs, that exercise different code paths.

Note: Code paths within a program that execute due to varying inputs can also be called edges or edges covered. In the context of Mayhem's security testing metrics, Mayhem uses the edge coverage metric, which measures how many control flow graph edges have been exercised. More formally, consider a control flow graph where each node is a program statement, and two nodes are connected only if there is potential control flow between them. Edge coverage measures the number of edges exercised by the test suite.

Development Speed or Code Security. Why Not Both?

Mayhem is an award-winning AI that autonomously finds new exploitable bugs and improves your test suites.

Get Mayhem Free Request A Demo

For example, imagine a test suite with the four following inputs passed into our testme program:

1. mom would execute the false branch on line 6, returning 0.
2. bob would execute the true branch on line 6 and the false branch on line 7, returning 0.
3. bun would execute the true branches on lines 6-7 and the false branch on line 8, returning 0.
4. bug would execute the true branches on lines 6-8, returning the SIGABRT defect.

The set of inputs, {mom, bob, bun,, and bug}, execute every branch of the program, and as a result, makes an excellent test suite!

In fact, if you had a test suite that covered every code path, you would trigger every possible defect. While we know that testing every code path for every program is impossible, the goal of Mayhem is to test as many code paths as possible, given the time allotted.

Your packaged target application will then be uploaded to the Mayhem server and fuzzed for security testing! Generated test cases can then be synced from the Mayhem server back to the client machine.