Many developers are already familiar with fuzz testing. But if you are kind of new to this topic, this article covers frequently asked questions (FAQs) you may have about fuzzing.
Fuzzing is a dynamic testing method used for identifying bugs and vulnerabilities in software. It is mainly used for security and stability testing of the codebase. The software under test is fed with a series of inputs, which are purposefully mutated in the testing process.
The fuzzer then gets feedback about the code covered during the execution of inputs. Unlike security testing with just randomized inputs, feedback-based fuzzing explores the program state efficiently and discovers all kinds of bugs hidden deep within the code.
There are some characteristics that make fuzzing extremely useful for security testing. Here is why:
Modern fuzzing engines use smart algorithms tailoring the input to increase the amount of code that is tested with the fuzzer. The commonly used term for this is feedback-driven or feedback-based fuzzing.
Feedback-based fuzzing uses code coverage information when generating new inputs. Due to measuring code coverage, the fuzzer can monitor which parts of the program were reached with a given input and reach other program parts by generating similar inputs with random but small changes.
For a better understanding of fuzz testing, an important topic to discuss is the anatomy of a fuzzer.
One significant piece of the puzzle is the fuzz target, a small program that tests predefined API functions, similar to a unit test. However, the inputs are not provided by the developer but produced by a fuzz generator.
Besides the fuzz targets, there are fuzz generators. They are responsible for creating random mutations of inputs that are sent to the software under test (SUT). The delivery mechanism processes the inputs from the fuzz generator and feeds them to the SUT for execution.
Finally, the monitoring system keeps track of how the inputs are executed within the SUT and detects triggered bugs. The monitoring system plays a critical part in the fuzzing process, as it also determines which types of vulnerabilities can be discovered during fuzzing.
If you are looking for a way to secure your software, there are a variety of testing approaches, such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), and Feedback-based Application Security Testing (FAST). Each of these methods has its advantages and disadvantages. We have collected some of them in the table below.
Comparing testing approaches
Fuzz testing can help developers find all kinds of security vulnerabilities. The most common bugs are listed below:
White-box fuzzing analyzes the internal structure of the program. With each new fuzzing run, white-box fuzzers learn to track and maximize code coverage. They usually use intelligent instrumentation and adaptable algorithms, which makes them more effective and accurate in detecting vulnerabilities.
Black-box fuzzing generates inputs for a target program without knowledge of its internal behaviour or implementation. A black-box fuzzer may generate inputs from scratch, or rely on a static corpus of valid input files to base mutations on. Unlike coverage-guided approaches and white-box fuzzing, the corpus does not grow here.
Black-box fuzzing vs. white-box fuzzing
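To make the anatomy described above (fuzz target, fuzz generator, delivery mechanism, monitoring system) and the feedback loop concrete, here is a small coverage-guided mutation fuzzer. It is an added example, not code from the article or from CI Fuzz or any other product; the parser `parse_record` is a constructed toy with a planted out-of-bounds read, and `sys.settrace` stands in for the compiler instrumentation a real fuzzer uses to measure coverage. The same loop can run with feedback switched off, which reproduces the black-box behaviour described in the previous paragraph: the corpus never grows, so every input is only one mutation away from the seed.

```python
import random
import sys
from dataclasses import dataclass
from typing import Callable, List, Optional


# --- Software under test (constructed toy, not from the article) -------------
# Parses a record of the form b"REC:<length>:<payload>". Each check sits on its
# own line so that line coverage reveals how far an input got. Planted bug: the
# loop trusts the declared length and indexes past the end of the payload.
def parse_record(data: bytes) -> dict:
    if len(data) < 4: return {}
    if data[0] != ord("R"): return {}
    if data[1] != ord("E"): return {}
    if data[2] != ord("C"): return {}
    if data[3] != ord(":"): return {}
    rest = data[4:]
    sep = rest.find(b":")
    if sep < 0: return {}
    try:
        length = int(rest[:sep])
    except ValueError:
        return {}
    payload = rest[sep + 1:]
    fields = {}
    for i in range(length):
        fields[i] = payload[i]   # planted bug: no bounds check -> IndexError
    return fields


# --- Delivery mechanism + monitoring system ---------------------------------
def run_with_coverage(target: Callable[[bytes], object], data: bytes):
    """Execute the target on one input; return (lines reached, crash or None)."""
    covered = set()

    def tracer(frame, event, arg):
        if event == "call":
            # Only instrument the target's own frame, nothing it calls.
            return tracer if frame.f_code is target.__code__ else None
        if event == "line":
            covered.add((frame.f_code.co_name, frame.f_lineno))
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        crash = None
    except Exception as exc:        # an escaping exception is a finding
        crash = exc
    finally:
        sys.settrace(None)
    return covered, crash


# --- Fuzz generator ----------------------------------------------------------
def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random, small change: overwrite, insert or delete a single byte.
    Bytes are drawn from printable ASCII (like libFuzzer's -only_ascii)."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if not buf or op == 1:                          # insert one byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(32, 127))
    elif op == 0:                                   # overwrite one byte
        buf[rng.randrange(len(buf))] = rng.randrange(32, 127)
    elif len(buf) > 1:                              # delete one byte
        del buf[rng.randrange(len(buf))]
    return bytes(buf[:64])                          # keep inputs small


@dataclass
class FuzzResult:
    crash_input: Optional[bytes]
    crash: Optional[str]
    iterations: int
    corpus_size: int
    lines_covered: int


# --- The fuzzing loop --------------------------------------------------------
def fuzz(target, seeds: List[bytes], iterations: int, feedback: bool,
         rng_seed: int = 0) -> FuzzResult:
    """feedback=True keeps every input that reaches new lines (coverage-guided);
    feedback=False mutates the static seed corpus only (black-box)."""
    rng = random.Random(rng_seed)
    corpus = list(seeds)
    total_cov = set()
    for seed in corpus:
        cov, _ = run_with_coverage(target, seed)
        total_cov |= cov
    for it in range(1, iterations + 1):
        child = mutate(rng.choice(corpus), rng)
        cov, crash = run_with_coverage(target, child)
        if crash is not None:
            return FuzzResult(child, repr(crash), it, len(corpus), len(total_cov))
        if feedback and not cov.issubset(total_cov):   # new lines reached
            total_cov |= cov
            corpus.append(child)
    return FuzzResult(None, None, iterations, len(corpus), len(total_cov))


if __name__ == "__main__":
    guided = fuzz(parse_record, [b"hello"], 100_000, feedback=True)
    blind = fuzz(parse_record, [b"hello"], 20_000, feedback=False)
    print("coverage-guided:", guided)
    print("black-box:      ", blind)
```

The guided run only ever needs to get one byte further than some input already in the corpus, because each passed check reveals a new line and the input that reached it is kept as a parent for later mutations. The black-box run works from a single seed for its whole budget, so an input that requires six specific bytes in a row is out of reach, no matter how many iterations it gets.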
Developers can benefit from a whole range of open-source fuzzing tools. They are often specialized for specific use cases (e.g. kernel fuzzing) or programming languages. But there are also a few commercial solutions that become relevant if you're working in larger development teams or DevOps environments. Usually they come with more integrations and features, such as automated bug reporting, CI/CD and dev tool integration, Web API fuzzing, or OWASP vulnerability detection.
Fuzzing for DevOps Teams
If you are interested in an enterprise fuzzing solution, our fuzzing platform CI Fuzz might be just the right thing for you. CI Fuzz can easily be integrated into your CI/CD, where it enables developers to fuzz and debug their code continuously.
This article summarized the basics of fuzz testing. Now you'll probably want to get hands-on experience yourself. But where to start? I would recommend beginning with fuzzing a couple of open-source projects first. This way, you can familiarize yourself with the technology and contribute to the community.
You can follow this tutorial by Patrick Ventuzelo, who fuzzed a popular open-source project (JSoup) with Jazzer, a coverage-guided fuzzer for JVM-based languages (Java, Kotlin, etc.).