Fuzzing

from Wikipedia, the free encyclopedia

Fuzzing, also known as robustness testing, fuzzy testing or negative testing, is an automated software testing technique in which the program under test is repeatedly supplied with random data at one or more of its input interfaces. Random data can often drive the program into states that other test methods cannot reach. Programs are frequently not designed to cope with arbitrary input and may then crash unintentionally on implausible data, thereby revealing security gaps (vulnerabilities). Fuzzing is therefore one of the most important techniques used by security specialists.

Fuzzing (fuzz testing, after the English word "fuzzy" in the sense of blurred or indistinct) was developed in 1989 at the University of Wisconsin-Madison by Barton Miller and his students.

Application

Fuzzing is usually carried out in software development projects as part of black-box testing, in order to check new software for susceptibility to errors and to detect any security gaps. This type of test is now also sometimes carried out during penetration tests in IT security, but this is rare because system crashes are to be expected.

If the program reproducibly misbehaves (e.g. crashes) on certain data generated by the fuzzer, the exact cause can then be investigated using white-box tests.

Fuzz testing is quite effective because the test process is usually automated and runs without a termination criterion, which is why it is often used as part of the test phase. No fixed set of test cases is processed; instead, ever more variants of the data are generated. Once a basis for fuzzing (tools, rules, procedures) exists, the fuzz tests (rules/sets) can be expanded very quickly and easily during development.

Fuzzing is a method for quality assurance of software, especially to uncover as yet unknown weaknesses and robustness problems in software.

Fuzzing tools

Fuzzing often requires tools tailored to the specific project, which are therefore frequently custom-built. In the meantime, however, tried-and-tested commercial software also exists, as opposed to so-called "frameworks". For web applications, existing tools can often be used, because the process, viewed abstractly, is always the same and there is a common interface (HTTP/HTML). Basically, anything that has a standardized interface or can be addressed via a protocol can be tested with fuzzing tools.

This is where fuzzing tools come in. There are now good tools for fuzzing browsers and other software. With these tools, software such as a web browser can generally be driven with previously generated invalid data strings or files in order to provoke unusual program behaviour (e.g. crashes, denial of service, degradation of service), log it if required, and evaluate it later.

The Secure Programming Group at the University of Oulu in Finland was particularly active in the field of fuzzing. It developed a well-known open source fuzzing tool called PROTOS back in 1996, but PROTOS has not been developed further since 2004 and works with older technologies.

Today, more and more "intelligent" or "stateful" fuzzers are being developed in the commercial environment. They first check the interoperability of the system under test and then, based on those results, send the fuzzing test set (anomalized data packets) to the target system.

Well-known open source frameworks include Sulley and Peach. These frameworks are very complex and require extensive knowledge of fuzzing and protocols. Other tools, such as Fuzzino, offer a test data generator for fuzzing; they are lightweight and therefore easy to integrate into existing test tools or an existing test process. Commercial, intelligent fuzzing tools include beSTORM from BeyondSecurity and Defensics from Codenomicon, among others. Codenomicon's Defensics works with predefined "test cases". BeyondSecurity's beSTORM fuzzer, on the other hand, feeds every field of the protocol with n × n anomalies rather than with test cases.

The Federal Ministry of Education and Research (BMBF) funded an extensive research project at the Bonn-Rhein-Sieg University of Applied Sciences, in which more than 100 tools for threat modeling and fuzzing were tested and evaluated for their suitability for software tests.

An interactive graphical overview of existing black box, gray box and white box fuzzers, each with their ancestry, can be seen on fuzzing-survey.org.

American Fuzzy Lop

In the field of open source software, the fuzzing tool American Fuzzy Lop (afl for short) by Michał Zalewski (the name is that of a rabbit breed) has become the established choice since 2014. In addition to the actual fuzzer afl-fuzz, there are auxiliary programs, e.g. for test case minimization and test corpus minimization. By instrumenting the source code of the program under test in the compiler, afl-fuzz can later see which blocks of the software are executed for a particular test input. This places afl in the category of gray-box fuzzers. Combined with the generation of test data by genetic methods, the fuzzer is better than fuzzers without this method at producing test data that leads to the execution of previously unexecuted code blocks. As a result, comparatively high code coverage is achieved after a relatively short time. In fact, the method is able to produce structure in the generated data on its own (i.e. without prior information). This property is also used to generate test corpora (collections of test cases) with high test coverage. The advantages of afl-fuzz are its automatic operation (with minimal, simple configuration), the possibility of parallelization across several cores or several computers, and its high performance. Data is fed in via a file interface; a network interface is currently not supported.
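The coverage-guided loop described above, reduced to its core, as an added example that is neither part of the article nor afl's own code: a constructed toy record parser with a latent off-by-one, line coverage collected with sys.settrace standing in for afl's compile-time instrumentation, and a mutation loop that keeps an input in the corpus only when it reaches code no earlier input reached. The record format and the names parse_record, run_with_coverage, mutate and fuzz are assumptions made for this example.

```python
import random, sys

def parse_record(data):
    # Constructed toy target: a length-prefixed record parser with a latent bug.
    if len(data) < 3 or data[:2] != b"FZ":
        return "bad-magic"
    n, body = data[2], data[3:]
    if n > len(body):
        return "truncated"
    if n == 0:
        return "empty"
    # Defect: body[n] reads one past the payload; exactly n body bytes -> IndexError.
    return "tag=%d" % body[n]

def run_with_coverage(data):
    # Run the target once; return (set of executed line numbers, crashed?).
    lines = set()
    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is parse_record.__code__: lines.add(frame.f_lineno)
        return tracer
    sys.settrace(tracer)
    try:
        parse_record(data)
        return lines, False
    except Exception:
        return lines, True
    finally:
        sys.settrace(None)

def mutate(data, rng):
    # One afl-style mutation: bit flip, byte insertion or byte deletion.
    buf, op = bytearray(data), rng.randrange(3)
    if op == 0: buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1: buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif len(buf) > 1: del buf[rng.randrange(len(buf))]
    return bytes(buf)

def fuzz(seeds, iterations=20000, seed=1):
    # Coverage-guided loop: a mutant joins the corpus only if it runs new lines.
    rng, corpus = random.Random(seed), list(seeds)
    seen = set().union(*(run_with_coverage(s)[0] for s in corpus))
    for _ in range(iterations):
        child = rng.choice(corpus)
        for _ in range(rng.randint(1, 3)): child = mutate(child, rng)
        lines, crashed = run_with_coverage(child)
        if crashed: return child, corpus
        if lines - seen:
            seen |= lines
            corpus.append(child)
    return None, corpus
```

Starting from the single seed b"FZ\x00", the loop typically first keeps a "truncated" record as interesting and then finds the crashing record from it; without the coverage check the same crash would depend on hitting both mutations at once.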

The program under test (DUT) reacts particularly sensitively if it was compiled with the AddressSanitizer runtime extension. This extension is available with the compilers clang/clang++ and gcc/g++ and monitors memory accesses.

If no source code is available, afl-fuzz can instrument the test item using QEMU. Since the instrumentation must then take place dynamically, the execution speed of the DUT is lower than with statically compiled instrumentation.

ClusterFuzz

In February 2019, Google released ClusterFuzz, a scalable fuzzing infrastructure.

ClusterFuzz was developed to find bugs in Google's Chrome browser and to verify that they were fixed successfully. From the start of development in 2012 to February 2019, ClusterFuzz found a total of 16,000 bugs in Google Chrome and 11,000 bugs in over 160 projects integrated in OSS-Fuzz.
