If you have read my blog here before, you might know me from the PROTOS project, and maybe as an author on VoIP security. PROTOS was fun, but it is really far away from real fuzzing. VoIP was definitely fun to break, but there are so many other areas for security analysis also.
Therefore, as a part of my new year resolution to change this blog into a more generic fuzzing blog, I will start by sharing my experiences in the current state of the fuzzing market. Based on a recent study by Gary McGraw and other well known security gurus, all major product security teams apparently use fuzzing (my comments on it here). But most (even security specialists) still seem to misunderstand what fuzzing really is about. So, I will focus on that here also. Enter the world of fuzzing!
Fuzz testing, or fuzzing, originally meant a simple testing technique for feeding random input to applications (see Fuzz by University of Wisconsin, 1990). Today, it is much more optimized. Model-based fuzzing tools have been available since 1999, from research teams such as PROTOS. Fuzzing techniques can basically be divided into three different categories:
- Random fuzzing: has close to zero awareness of the tested interface.
- Block-based fuzzing: breaks the syntax of the tested interface into blocks of data, which it semi-randomly mutates.
- Model-based fuzzing: builds an executable model of the protocol based on protocol specification, which it then uses for generating systematic non-random test cases.
In short, fuzzing is about negative testing, generation on non-conformant messages in order to crash software. The focus is on communication interfaces and on protocols. The failures (crashes, hangs, busy-loops, …) are studied from a risk analysis perspective to see if they are things that need to be fixed. Most discoveries can also be identified as software vulnerabilities.
Just recently I was speaking at a press conference for information security journalists, and I noted that only five out of twenty or more journalists knew what fuzzing is. And these journalists are supposed to educate the market on new security technologies. Fuzzing really is a simple technique to understand, at least the basics of it. But it is not just one technique. Most security people think there is only one way of doing fuzzing, and that any fuzzing is enough ("We already do fuzzing", they always say to me). That is far away from truth. As you hopefully can see, we have a lot of education to do in this domain. Please help me spread the word!
Oh, and if you have not yet participated, you can still enter the competition to win a copy of my recent fuzzing book here. I am still sending out two signed copies, but hurry... only a few more days to go!
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
