Fuzz Testing

According to fuzzing.info, the term “fuzz” was created by Professor Barton Miller in the 1980s. Logged into a UNIX system via a dial-up network during a storm, Miller noticed considerable interference on the signal. The interference ultimately resulted in a crash. Miller later had his students perform a simulation of his experience using a fuzz generator to bombard UNIX systems with noise to see if they would crash.

The basic premise of fuzz testing is to introduce intentionally malformed inputs into a system to identify failures. A fuzzer has three key components: A poet that creates the malformed inputs or test cases, a courier that delivers test cases to the target software, and an oracle that detects if a failure has occurred in the target.

The process starts with the poet, which creates test cases to try on the target software. The test cases can be random, template evolutionary, or generational. Random fuzzing involves random data being inserted into the system. Template evolutionary fuzzing introduces anomalies into valid inputs, and then takes feedback about the system’s behavior during initial tests to make subsequent tests more effective and varied. And generational test cases are based on an understanding of the protocol, file format, or API that is being testing—the tests know the rules of the system. Because of this, generational fuzz testing can systematically break all the rules.

Next, the courier delivers the test cases. The delivery method varies greatly depending upon the type of fuzzing to be performed, but the end goal is always the same: deliver the tests to the target.

Finally, the oracle determines whether a test case has passed or failed. The oracle checks the target system to see whether any form of failure has occurred. Knowing about a failure is critical—without this information, testers cannot reproduce the failure, examine it, and determine a fix for it.

Fuzz testing offers a wide range of benefits to a security and quality program.

• Fuzzing provides a good overall picture of the quality of the target system and software. Using fuzzing, you can easily gauge the robustness and security risk posture of the system and software under test.
• Fuzzing is the primary technique used by malicious hackers to find software vulnerabilities. Using it in your security program helps you prevent zero-day exploits from unknown bugs and weaknesses in your system.
• Fuzzing has a low overhead for both cost and time. Once a fuzzer is up and running, it can start to look for bugs on its own, with no manual/human intervention, and can continue to do so for as long as needed.
• Fuzzing helps uncover bugs that would not have been detected through conventional testing methods or manual audits.

Often, open source fuzzers present various challenges. 

• Open source fuzzers may not find all bugs, especially if the bugs don’t trigger a full program crash, or if the bugs are only triggered in well-defined and highly specific circumstances.
• Open source fuzzers are, by definition, an opaque-box testing method. This makes it hard to reproduce and analyze test results, as open source fuzzers don’t provide additional insights into how the software operates internally.
• Software programs with complex inputs require advanced and intelligent fuzzers that can provide the thorough and complete test coverage needed to secure the software.

Industry-leading Defensics® fuzz tester by Synopsys is a comprehensive automated solution that empowers organizations to intelligently test their software, effortlessly uncovering and addressing unknown vulnerabilities and weaknesses without compromising the safety and quality performance of their products. The power of Defensics is its deep understanding of protocols, file formats, and network and target interfaces, which enables it to apply true intelligence that shrinks the number of nonfunctional test cases to a critical, manageable few. With Defensics you get both the breadth and depth of fuzzing coverage you need.

Defensics leads the market with key functionalities.

Generational testing. The Defensics catalog of intelligent test suites covers all technology stacks and industries, and all organization sizes. Defensics incorporates an advanced algorithm that is unique to the industry to increase testing coverage and produce results with high accuracy. Using Defensics’ generational testing capabilities, you can identify and tackle vulnerabilities that confound traditional and open source fuzzers. Defensics offers over 250 prebuilt protocol test suites, so you don’t have to create manual tests. Synopsys continually updates available test suites for new input types, specifications, and RFCs. Additionally, you can leverage the Defensics SDK to support testing of your proprietary custom protocols. It can customize any of our test suites, and the data sequence editor can cover corner cases not already within Defensics’ predefined scope.

Protocol testing coverage. Defensics is one of few commercial fuzzers with the breadth of protocol testing coverage needed to effectively secure your software. Synopsys supports more protocols, more interfaces, and more RFCs than any tool on the market (nearly 300). As the first, time-tested commercial fuzzer available, Defensics has extensive real-world security experience and benefits from years of security research that engineers have built into the Defensics engine. The result is a solution you can trust.

Broad coverage. The Internet of Things and 5G are revolutionizing many industries, but this new world of opportunity also brings an environment ripe for novelty attacks. With Defensics, you can test software and devices using 5G and 4G LTE networks to identify improper handling of procedures, invalid integrity protection, and insufficient security. See our recent white paper on how Defensics helps secure these emerging technologies.