January 19, 2009, 9:18 AM — If you have read my blog here before, you might know me from the PROTOS project, and maybe as an author on VoIP security. PROTOS was fun, but it is really far away from real fuzzing. VoIP was definitely fun to break, but there are so many other areas for security analysis also.
Therefore, as a part of my new year resolution to change this blog into a more generic fuzzing blog, I will start by sharing my experiences in the current state of the fuzzing market. Based on a recent study by Gary McGraw and other well known security gurus, all major product security teams apparently use fuzzing (my comments on it here). But most (even security specialists) still seem to misunderstand what fuzzing really is about. So, I will focus on that here also. Enter the world of fuzzing!
Fuzz testing, or fuzzing, originally meant a simple testing technique for feeding random input to applications (see Fuzz by University of Wisconsin, 1990). Today, it is much more optimized. Model-based fuzzing tools have been available since 1999, from research teams such as PROTOS. Fuzzing techniques can basically be divided into three different categories:
- Random fuzzing: has close to zero awareness of the tested interface.
- Block-based fuzzing: breaks the syntax of the tested interface into blocks of data, which it semi-randomly mutates.
- Model-based fuzzing: builds an executable model of the protocol based on protocol specification, which it then uses for generating systematic non-random test cases.
In short, fuzzing is about negative testing, generation on non-conformant messages in order to crash software. The focus is on communication interfaces and on protocols. The failures (crashes, hangs, busy-loops, …) are studied from a risk analysis perspective to see if they are things that need to be fixed. Most discoveries can also be identified as software vulnerabilities.
Just recently I was speaking at a press conference for information security journalists, and I noted that only five out of twenty or more journalists knew what fuzzing is. And these journalists are supposed to educate the market on new security technologies. Fuzzing really is a simple technique to understand, at least the basics of it. But it is not just one technique. Most security people think there is only one way of doing fuzzing, and that any fuzzing is enough ("We already do fuzzing", they always say to me). That is far away from truth. As you hopefully can see, we have a lot of education to do in this domain. Please help me spread the word!
Oh, and if you have not yet participated, you can still enter the competition to win a copy of my recent fuzzing book here. I am still sending out two signed copies, but hurry... only a few more days to go!