Fuzzing: Difference between revisions
m I edited the table of popular fuzzers by adding a column for compatibility. I added several open source fuzzers to the list of popular fuzzers and details for them: cifuzz, OSS-fuzz, wfuzz. I added links to the repositories for the code and citations. Tags: Reverted Visual edit |
sp |
||
(43 intermediate revisions by 32 users not shown) | |||
Line 1: | Line 1: | ||
{{Short description|Automated software testing technique}} |
{{Short description|Automated software testing technique}} |
||
⚫ | |||
[[File:American_fuzzy_lop's_afl-fuzz_running_on_a_test_program.png | thumb | right]] |
|||
In [[Computer programming|programming]] and [[software development]], '''fuzzing''' or '''fuzz testing''' is an automated [[software testing]] technique that involves providing invalid, unexpected, or [[random data]] as inputs to a [[computer program]]. The program is then monitored for exceptions such as [[crash (computing)|crashes]], failing built-in code [[assertion (software development)|assertions]], or potential [[memory leak]]s. Typically, fuzzers are used to test programs that take structured inputs. This structure is specified, |
In [[Computer programming|programming]] and [[software development]], '''fuzzing''' or '''fuzz testing''' is an automated [[software testing]] technique that involves providing invalid, unexpected, or [[random data]] as inputs to a [[computer program]]. The program is then monitored for exceptions such as [[crash (computing)|crashes]], failing built-in code [[assertion (software development)|assertions]], or potential [[memory leak]]s. Typically, fuzzers are used to test programs that take structured inputs. This structure is specified, such as in a [[file format]] or [[communications protocol|protocol]] and distinguishes valid from invalid input. An effective fuzzer generates semi-valid inputs that are "valid enough" in that they are not directly rejected by the parser, but do create unexpected behaviors deeper in the program and are "invalid enough" to expose [[corner case]]s that have not been properly dealt with. |
||
For the purpose of security, input that crosses a [[trust boundary]] is often the most useful.<ref name="neystadt"/> For example, it is more important to fuzz code that handles |
For the purpose of security, input that crosses a [[trust boundary]] is often the most useful.<ref name="neystadt"/> For example, it is more important to fuzz code that handles a file uploaded by any user than it is to fuzz the code that parses a configuration file that is accessible only to a privileged user. |
||
==History == |
==History == |
||
The term "fuzz" originates from a |
The term "fuzz" originates from a 1988 class project<ref name="fuzz-cs736"/> in the graduate Advanced Operating Systems class (CS736), taught by Prof. Barton Miller at the [[University of Wisconsin–Madison|University of Wisconsin]], whose results were subsequently published in 1990.<ref name="fuzz1990"/><ref name="forward-fuzz-testing">{{cite web |
||
| url = https://pages.cs.wisc.edu/~bart/fuzz/Foreword1.html |
|||
| title = Foreword for Fuzz Testing Book |
|||
| last = Miller |
|||
| first = Barton |
|||
| date = April 2008 |
|||
| website = UW-Madison Computer Sciences |
|||
| access-date = 29 March 2024 |
|||
}}</ref> To fuzz test a [[UNIX]] utility meant to automatically generate random input and command-line parameters for the utility. The project was designed to test the reliability of UNIX command line programs by executing a large number of random inputs in quick succession until they crashed. Miller's team was able to crash 25 to 33 percent of the utilities that they tested. They then debugged each of the crashes to determine the cause and categorized each detected failure. To allow other researchers to conduct similar experiments with other software, the source code of the tools, the test procedures, and the raw result data were made publicly available.<ref name="AutoDO-2"/> This early fuzzing would now be called black box, generational, unstructured (dumb or "classic") fuzzing. |
|||
According to Prof. Barton Miller, "In the process of writing the project description, I needed to give this kind of testing a name. I wanted a name that would evoke the feeling of random, unstructured data. After trying out several ideas, I settled on the term fuzz."<ref name="forward-fuzz-testing" /> |
|||
This 1990 fuzz paper also noted the relationship of reliability to security: "Second, one of the bugs that we found was caused by the same programming practice that provided one of the security holes to the Internet worm (the 'gets finger' bug). We have found additional bugs that might indicate future security holes." (Referring to the [[Morris worm]] of November 1988.) |
|||
A key contribution of this early work was simple (almost simplistic) oracle. A program failed its test if it crashed or hung under the random input and was considered to have passed otherwise. While test oracles can be challenging to construct, the oracle for this early fuzz testing was simple and universal to apply. |
|||
The original fuzz project went on to make contributions in 1995, 2000, 2006 and most recently in 2020: |
|||
* 1995:<ref name="fuzz1995"/> The "fuzz revisited" paper consisted of four parts. |
|||
*# Reproduced the original command line study, including a wider variety of UNIX systems and more utilities. The study showed that, if anything, reliability had gotten worse. This was the first study that included open source [[GNU]] and [[Linux]] utilities that, interestingly, were significantly more reliable than those from the commercial UNIX systems. |
|||
*# Introduced the fuzz testing of GUI (window based) applications under X-Windows. This study used both unstructured and structured (valid sequences of mouse and keyboard events) input data. They were able to crash 25% of the X-Windows applications. In addition, they tested the X-Windows server and showed that it was resilient to crashes. |
|||
*# Introduced fuzz testing of network services, again based on structured test input. None of these services had crashed. |
|||
*# Introduced random testing of system library call return values, specifically randomly returning zero from the malloc family of functions. Almost half the standard UNIX programs failed to properly check such return values. |
|||
* 2000:<ref name="fuzz2000"/> Applied fuzz testing to the recently released [[Windows NT]] operating system, testing applications that ran under the [[Win32]] window system. They were able to crash 21% of the applications and hang an additional 24% of those tested. Again, applications were testing with both unstructured and structured (valid keyboard and mouse events) input, crashing almost half of those applications that they tested. They identified the causes of the failures and found them to be similar to previous studies. |
|||
* 2001:<ref>{{cite web|url=https://pages.cs.wisc.edu/~blbowers/fuzz-2001.pdf|title=An Inquiry into the Stability and Reliability of UNIX Utilities|website=cs.wisc.edu|access-date=3 March 2023}}</ref> Applied fuzz testing to 87 UNIX utilities under two popular UNIX variants, a GNU/Linux platform and a Solaris platform, crashing 29% on SunOS 1990 but only 4% on Red Hat 6.2 of those tested. The most common failure mode was pointer arithmetic, followed by not checking return codes, and using older (dangerous) input functions. |
|||
* 2006:<ref name="fuzz2006"/> Applied fuzz testing to [[Mac OS X]], for both command line and window based applications. They tested 135 command line utility programs, crashing 7% of those tested. In addition, they tested 30 applications that ran under the MacOS [[Aqua (user interface)|Aqua]] window system, crashing 73% of those tested. |
|||
* 2020:<ref name="fuzz2020"/> Most recently, they applied the classic generational, black box, unstructured testing to current UNIX systems, specially Linux, [[FreeBSD]] and MacOS, to see if the original techniques were still relevant and if current utility programs were resistant to this type of testing. They tested approximately 75 utilities on each platform, with failure rates of 12% on Linux, 16% on MacOS and 19% on FreeBSD. (Note that these failure rates were ''worse'' than the results from earlier test of the same systems.) When they analyzed each failure and categorized them, they found that the classic categories of failures, such as pointer and array errors and not checking return codes, were still broadly present in the new results. In addition, new failure causes cropped up from complex program state and algorithms that did not scale with the input size or complexity. They also tested UNIX utilities written more recently in Rust and found that they were of similar reliability to the ones written in C, though (as expected) less likely to have memory errors. |
|||
In April 2012, Google announced ClusterFuzz, a cloud-based fuzzing infrastructure for security-critical components of the [[Chromium web browser]].<ref name="clusterfuzz"/> Security researchers can upload their own fuzzers and collect bug bounties if ClusterFuzz finds a crash with the uploaded fuzzer. |
In April 2012, Google announced ClusterFuzz, a cloud-based fuzzing infrastructure for security-critical components of the [[Chromium web browser]].<ref name="clusterfuzz"/> Security researchers can upload their own fuzzers and collect bug bounties if ClusterFuzz finds a crash with the uploaded fuzzer. |
||
In September 2014, [[Shellshock (software bug)|Shellshock]]<ref name="NYT-20140925-NP">{{cite news |last=Perlroth |first=Nicole |title=Security Experts Expect 'Shellshock' Software Bug in Bash to Be Significant |url=https://www.nytimes.com/2014/09/26/technology/security-experts-expect-shellshock-software-bug-to-be-significant.html |date=25 September 2014 |work=[[The New York Times]] |access-date=25 September 2014}}</ref> was disclosed as a family of [[security bug]]s in the widely used [[UNIX]] [[Bash (Unix shell)|Bash]] [[shell (computing)|shell]]; most vulnerabilities of Shellshock were found using the fuzzer [[american fuzzy lop (fuzzer)|AFL]].<ref>{{cite web|url=http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html|title=Bash bug: the other two RCEs, or how we chipped away at the original fix (CVE-2014-6277 and '78)|date=1 October 2014|website=lcamtuf's blog|last1=Zalewski|first1=Michał|access-date=13 March 2017}}</ref> (Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to [[arbitrary code execution|execute arbitrary commands]]. This can allow an attacker to gain unauthorized access to a computer system.<ref name="ZDN-20140929">{{cite web|last=Seltzer |first=Larry |title=Shellshock makes Heartbleed look insignificant |url= |
In September 2014, [[Shellshock (software bug)|Shellshock]]<ref name="NYT-20140925-NP">{{cite news |last=Perlroth |first=Nicole |title=Security Experts Expect 'Shellshock' Software Bug in Bash to Be Significant |url=https://www.nytimes.com/2014/09/26/technology/security-experts-expect-shellshock-software-bug-to-be-significant.html |date=25 September 2014 |work=[[The New York Times]] |access-date=25 September 2014}}</ref> was disclosed as a family of [[security bug]]s in the widely used [[UNIX]] [[Bash (Unix shell)|Bash]] [[shell (computing)|shell]]; most vulnerabilities of Shellshock were found using the fuzzer [[american fuzzy lop (fuzzer)|AFL]].<ref>{{cite web|url=http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html|title=Bash bug: the other two RCEs, or how we chipped away at the original fix (CVE-2014-6277 and '78)|date=1 October 2014|website=lcamtuf's blog|last1=Zalewski|first1=Michał|access-date=13 March 2017}}</ref> (Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to [[arbitrary code execution|execute arbitrary commands]]. This can allow an attacker to gain unauthorized access to a computer system.<ref name="ZDN-20140929">{{cite web|last=Seltzer |first=Larry |title=Shellshock makes Heartbleed look insignificant |url=https://www.zdnet.com/article/shellshock-makes-heartbleed-look-insignificant/ |date=29 September 2014 |publisher=[[ZDNet]] |access-date=29 September 2014}}</ref>) |
||
In April 2015, Hanno Böck showed how the fuzzer AFL could have found the 2014 Heartbleed vulnerability.<ref>{{cite web|last1=Böck|first1=Hanno|title=Fuzzing: Wie man Heartbleed hätte finden können (in German)|url=http://www.golem.de/news/fuzzing-wie-man-heartbleedhaette-finden-koennen-1504-113345.html|website=Golem.de|access-date=13 March 2017|language=de-DE}}</ref><ref>{{cite web|last1=Böck|first1=Hanno|title=How Heartbleed could've been found (in English)|url=https://blog.hboeck.de/archives/868-How-Heartbleed-couldve-been-found.html|website=Hanno's blog|access-date=13 March 2017}}</ref> (The [[Heartbleed]] vulnerability was disclosed in April 2014. It is a serious vulnerability that allows adversaries to decipher otherwise [[encrypted communication]]. The vulnerability was accidentally introduced into [[OpenSSL]] which implements [[Transport Layer Security|TLS]] and is used by the majority of the servers on the internet. [[Shodan (website)|Shodan]] reported 238,000 machines still vulnerable in April 2016;<ref>{{cite web|url=https://www.shodan.io/report/89bnfUyJ|title=Search engine for the internet of things – devices still vulnerable to Heartbleed|website=shodan.io|access-date=13 March 2017}}</ref> 200,000 in January 2017.<ref>{{cite web|url=https://www.shodan.io/report/DCPO7BkV|title=Heartbleed Report (2017-01)|website=shodan.io|access-date=10 July 2017}}</ref>) |
In April 2015, Hanno Böck showed how the fuzzer AFL could have found the 2014 Heartbleed vulnerability.<ref>{{cite web|last1=Böck|first1=Hanno|title=Fuzzing: Wie man Heartbleed hätte finden können (in German)|url=http://www.golem.de/news/fuzzing-wie-man-heartbleedhaette-finden-koennen-1504-113345.html|website=Golem.de|access-date=13 March 2017|language=de-DE}}</ref><ref>{{cite web|last1=Böck|first1=Hanno|title=How Heartbleed could've been found (in English)|url=https://blog.hboeck.de/archives/868-How-Heartbleed-couldve-been-found.html|website=Hanno's blog|access-date=13 March 2017}}</ref> (The [[Heartbleed]] vulnerability was disclosed in April 2014. It is a serious vulnerability that allows adversaries to decipher otherwise [[encrypted communication]]. The vulnerability was accidentally introduced into [[OpenSSL]] which implements [[Transport Layer Security|TLS]] and is used by the majority of the servers on the internet. [[Shodan (website)|Shodan]] reported 238,000 machines still vulnerable in April 2016;<ref>{{cite web|url=https://www.shodan.io/report/89bnfUyJ|title=Search engine for the internet of things – devices still vulnerable to Heartbleed|website=shodan.io|access-date=13 March 2017}}</ref> 200,000 in January 2017.<ref>{{cite web|url=https://www.shodan.io/report/DCPO7BkV|title=Heartbleed Report (2017-01)|website=shodan.io|access-date=10 July 2017|archive-date=23 January 2017|archive-url=https://web.archive.org/web/20170123161742/https://www.shodan.io/report/DCPO7BkV|url-status=dead}}</ref>) |
||
In August 2016, the [[Defense Advanced Research Projects Agency]] (DARPA) held the finals of the first [[Cyber Grand Challenge]], a fully automated [[capture the flag (cybersecurity)|capture-the-flag]] competition that lasted 11 hours.<ref name="cgc">{{cite web|url=http://www.darpa.mil/program/cyber-grand-challenge |title= DARPA Cyber Grand Challenge |last=Walker |first=Michael |website=darpa.mil |access-date=12 March 2017}}</ref> The objective was to develop automatic defense systems that can discover, [[exploit (computer security)|exploit]], and [[automatic bug fixing|correct]] software flaws in [[real-time computing|real-time]]. Fuzzing was used as an effective offense strategy to discover flaws in the software of the opponents. It showed tremendous potential in the automation of vulnerability detection. The winner was a system called "Mayhem"<ref name="2016 results">{{cite web|url=http://www.darpa.mil/news-events/2016-08-05a |title=Mayhem comes in first place at CGC |access-date=12 March 2017}}</ref> developed by the team ForAllSecure led by [[David Brumley]]. |
In August 2016, the [[Defense Advanced Research Projects Agency]] (DARPA) held the finals of the first [[Cyber Grand Challenge]], a fully automated [[capture the flag (cybersecurity)|capture-the-flag]] competition that lasted 11 hours.<ref name="cgc">{{cite web|url=http://www.darpa.mil/program/cyber-grand-challenge |title= DARPA Cyber Grand Challenge |last=Walker |first=Michael |website=darpa.mil |access-date=12 March 2017}}</ref> The objective was to develop automatic defense systems that can discover, [[exploit (computer security)|exploit]], and [[automatic bug fixing|correct]] software flaws in [[real-time computing|real-time]]. Fuzzing was used as an effective offense strategy to discover flaws in the software of the opponents. It showed tremendous potential in the automation of vulnerability detection. The winner was a system called "Mayhem"<ref name="2016 results">{{cite web|url=http://www.darpa.mil/news-events/2016-08-05a |title=Mayhem comes in first place at CGC |access-date=12 March 2017}}</ref> developed by the team ForAllSecure led by [[David Brumley]]. |
||
Line 37: | Line 36: | ||
At Black Hat 2018, Christopher Domas demonstrated the use of fuzzing to expose the existence of a hidden [[Reduced instruction set computer|RISC]] core in a processor.<ref name ="domas"/> This core was able to bypass existing security checks to execute [[Protection ring|Ring 0]] commands from Ring 3. |
At Black Hat 2018, Christopher Domas demonstrated the use of fuzzing to expose the existence of a hidden [[Reduced instruction set computer|RISC]] core in a processor.<ref name ="domas"/> This core was able to bypass existing security checks to execute [[Protection ring|Ring 0]] commands from Ring 3. |
||
In September 2020, [[Microsoft]] released [[OneFuzz]], a [[self-hosting (web services)|self-hosted]] fuzzing-as-a-service platform that automates the detection of [[software bug]]s.<ref>{{Cite web|url=https://www.zdnet.com/article/microsoft-windows-10-is-hardened-with-these-fuzzing-security-tools-now-theyre-open-source/|title=Microsoft: Windows 10 is hardened with these fuzzing security tools – now they're open source|date=September 15, 2020|website=ZDNet}}</ref> It supports [[Windows]] and Linux.<ref>{{Cite web|url=https://www.infoworld.com/article/3575600/microsoft-open-sources-fuzzing-test-framework.html|title=Microsoft open-sources fuzzing test framework|date=September 17, 2020|website=InfoWorld}}</ref> |
In September 2020, [[Microsoft]] released [[OneFuzz]], a [[self-hosting (web services)|self-hosted]] fuzzing-as-a-service platform that automates the detection of [[software bug]]s.<ref>{{Cite web|url=https://www.zdnet.com/article/microsoft-windows-10-is-hardened-with-these-fuzzing-security-tools-now-theyre-open-source/|title=Microsoft: Windows 10 is hardened with these fuzzing security tools – now they're open source|date=September 15, 2020|website=ZDNet}}</ref> It supports [[Windows]] and Linux.<ref>{{Cite web|url=https://www.infoworld.com/article/3575600/microsoft-open-sources-fuzzing-test-framework.html|title=Microsoft open-sources fuzzing test framework|date=September 17, 2020|website=InfoWorld}}</ref> It has been archived three years later on November 1st, 2023.<ref>{{Citation |title=microsoft/onefuzz |date=2024-03-03 |url=https://github.com/microsoft/onefuzz |access-date=2024-03-06 |publisher=Microsoft}}</ref> |
||
==Early random testing== |
==Early random testing== |
||
Line 69: | Line 68: | ||
Typically, fuzzers are used to generate inputs for programs that take structured inputs, such as a [[computer file|file]], a sequence of keyboard or mouse [[event (computing)|events]], or a sequence of [[message passing|messages]]. This structure distinguishes valid input that is accepted and processed by the program from invalid input that is quickly rejected by the program. What constitutes a valid input may be explicitly specified in an input model. Examples of input models are [[formal grammar]]s, [[file format]]s, [[GUI]]-models, and [[communications protocol|network protocols]]. Even items not normally considered as input can be fuzzed, such as the contents of [[database]]s, [[shared memory]], [[environment variable]]s or the precise interleaving of [[thread (computing)|threads]]. An effective fuzzer generates semi-valid inputs that are "valid enough" so that they are not directly rejected from the [[parser]] and "invalid enough" so that they might stress [[corner case]]s and exercise interesting program behaviours. |
Typically, fuzzers are used to generate inputs for programs that take structured inputs, such as a [[computer file|file]], a sequence of keyboard or mouse [[event (computing)|events]], or a sequence of [[message passing|messages]]. This structure distinguishes valid input that is accepted and processed by the program from invalid input that is quickly rejected by the program. What constitutes a valid input may be explicitly specified in an input model. Examples of input models are [[formal grammar]]s, [[file format]]s, [[GUI]]-models, and [[communications protocol|network protocols]]. Even items not normally considered as input can be fuzzed, such as the contents of [[database]]s, [[shared memory]], [[environment variable]]s or the precise interleaving of [[thread (computing)|threads]]. An effective fuzzer generates semi-valid inputs that are "valid enough" so that they are not directly rejected from the [[parser]] and "invalid enough" so that they might stress [[corner case]]s and exercise interesting program behaviours. |
||
A smart (model-based,<ref name="pham"/> grammar-based,<ref name="AutoDO-14"/><ref name="peach"/> or protocol-based<ref>{{cite conference|title=SNOOZE: Toward a Stateful NetwOrk prOtocol fuzZEr|url=http://dl.acm.org/citation.cfm?id=2079962|author1=Greg Banks|author2=Marco Cova|author3=Viktoria Felmetsger|author4=Kevin Almeroth|author5=Richard Kemmerer|author6=Giovanni Vigna|publisher=Proceedings of the Information Security Conference (ISC'06)}}</ref>) fuzzer leverages the input model to generate a greater proportion of valid inputs. For instance, if the input can be modelled as an [[abstract syntax tree]], then a smart mutation-based fuzzer<ref name="peach"/> would employ random [[program transformation|transformations]] to move complete subtrees from one node to another. If the input can be modelled by a [[formal grammar]], a smart generation-based fuzzer<ref name="AutoDO-14"/> would instantiate the [[Production (computer science)|production rules]] to generate inputs that are valid with respect to the grammar. However, generally the input model must be explicitly provided, which is difficult to do when the model is proprietary, unknown, or very complex. If a large corpus of valid and invalid inputs is available, a [[grammar induction]] technique, such as [[Dana Angluin|Angluin]]'s L* algorithm, would be able to generate an input model.<ref name="aiken"/><ref name="AutoDO-15"/> |
A smart (model-based,<ref name="pham"/> grammar-based,<ref name="AutoDO-14"/><ref name="peach"/> or protocol-based<ref>{{cite conference|title=SNOOZE: Toward a Stateful NetwOrk prOtocol fuzZEr|url=http://dl.acm.org/citation.cfm?id=2079962|author1=Greg Banks|author2=Marco Cova|author3=Viktoria Felmetsger|author4=Kevin Almeroth|author4-link=Kevin Almeroth|author5=Richard Kemmerer|author6=Giovanni Vigna|publisher=Proceedings of the Information Security Conference (ISC'06)}}</ref>) fuzzer leverages the input model to generate a greater proportion of valid inputs. For instance, if the input can be modelled as an [[abstract syntax tree]], then a smart mutation-based fuzzer<ref name="peach"/> would employ random [[program transformation|transformations]] to move complete subtrees from one node to another. If the input can be modelled by a [[formal grammar]], a smart generation-based fuzzer<ref name="AutoDO-14"/> would instantiate the [[Production (computer science)|production rules]] to generate inputs that are valid with respect to the grammar. However, generally the input model must be explicitly provided, which is difficult to do when the model is proprietary, unknown, or very complex. If a large corpus of valid and invalid inputs is available, a [[grammar induction]] technique, such as [[Dana Angluin|Angluin]]'s L* algorithm, would be able to generate an input model.<ref name="aiken"/><ref name="AutoDO-15"/> |
||
A dumb fuzzer<ref name="AutoDO-1"/><ref name="ganesh"/> does not require the input model and can thus be employed to fuzz a wider variety of programs. For instance, [[american fuzzy lop (fuzzer)|AFL]] is a dumb mutation-based fuzzer that modifies a seed file by [[Bitwise operation#NOT|flipping random bits]], by substituting random bytes with "interesting" values, and by moving or deleting blocks of data. However, a dumb fuzzer might generate a lower proportion of valid inputs and stress the [[parser]] code rather than the main components of a program. The disadvantage of dumb fuzzers can be illustrated by means of the construction of a valid [[checksum]] for a [[cyclic redundancy check]] (CRC). A CRC is an [[error-detecting code]] that ensures that the [[data integrity|integrity]] of the data contained in the input file is preserved during [[data transmission|transmission]]. A checksum is computed over the input data and recorded in the file. When the program processes the received file and the recorded checksum does not match the re-computed checksum, then the file is rejected as invalid. Now, a fuzzer that is unaware of the CRC is unlikely to generate the correct checksum. However, there are attempts to identify and re-compute a potential checksum in the mutated input, once a dumb mutation-based fuzzer has modified the protected data.<ref>{{cite book|last1=Wang|first1=T.|last2=Wei|first2=T.|last3=Gu|first3=G.|last4=Zou|first4=W.|title=TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection |
A dumb fuzzer<ref name="AutoDO-1"/><ref name="ganesh"/> does not require the input model and can thus be employed to fuzz a wider variety of programs. For instance, [[american fuzzy lop (fuzzer)|AFL]] is a dumb mutation-based fuzzer that modifies a seed file by [[Bitwise operation#NOT|flipping random bits]], by substituting random bytes with "interesting" values, and by moving or deleting blocks of data. However, a dumb fuzzer might generate a lower proportion of valid inputs and stress the [[parser]] code rather than the main components of a program. The disadvantage of dumb fuzzers can be illustrated by means of the construction of a valid [[checksum]] for a [[cyclic redundancy check]] (CRC). A CRC is an [[error-detecting code]] that ensures that the [[data integrity|integrity]] of the data contained in the input file is preserved during [[data transmission|transmission]]. A checksum is computed over the input data and recorded in the file. When the program processes the received file and the recorded checksum does not match the re-computed checksum, then the file is rejected as invalid. Now, a fuzzer that is unaware of the CRC is unlikely to generate the correct checksum. However, there are attempts to identify and re-compute a potential checksum in the mutated input, once a dumb mutation-based fuzzer has modified the protected data.<ref>{{cite book|last1=Wang|first1=T.|last2=Wei|first2=T.|last3=Gu|first3=G.|last4=Zou|first4=W.|title=2010 IEEE Symposium on Security and Privacy |chapter=TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection |date=May 2010|pages=497–512|doi=10.1109/SP.2010.37|isbn=978-1-4244-6894-2|citeseerx=10.1.1.169.7866|s2cid=11898088}}</ref> |
||
===Aware of program structure=== |
===Aware of program structure=== |
||
Line 96: | Line 95: | ||
To make a fuzzer more sensitive to failures other than crashes, sanitizers can be used to inject assertions that crash the program when a failure is detected.<ref>{{cite web|title=Clang compiler documentation|url=https://clang.llvm.org/docs/index.html|website=clang.llvm.org|access-date=13 March 2017}}</ref><ref>{{cite web|title=GNU GCC sanitizer options|url=https://gcc.gnu.org/onlinedocs/gcc-6.3.0/gcc/Instrumentation-Options.html#index-fsanitize_003daddress-947|website=gcc.gnu.org|access-date=13 March 2017}}</ref> There are different sanitizers for different kinds of bugs: |
To make a fuzzer more sensitive to failures other than crashes, sanitizers can be used to inject assertions that crash the program when a failure is detected.<ref>{{cite web|title=Clang compiler documentation|url=https://clang.llvm.org/docs/index.html|website=clang.llvm.org|access-date=13 March 2017}}</ref><ref>{{cite web|title=GNU GCC sanitizer options|url=https://gcc.gnu.org/onlinedocs/gcc-6.3.0/gcc/Instrumentation-Options.html#index-fsanitize_003daddress-947|website=gcc.gnu.org|access-date=13 March 2017}}</ref> There are different sanitizers for different kinds of bugs: |
||
*to detect memory related errors, such as [[buffer overflow]]s and [[use-after-free]] (using [[memory debugger]]s such as [[AddressSanitizer]]), |
*to detect memory related errors, such as [[buffer overflow]]s and [[use-after-free]] (using [[memory debugger]]s such as [[AddressSanitizer]]), |
||
*to detect [[race condition]]s and [[deadlock]]s (ThreadSanitizer), |
*to detect [[race condition]]s and [[Deadlock (computer science)|deadlock]]s (ThreadSanitizer), |
||
*to detect [[undefined behavior]] (UndefinedBehaviorSanitizer), |
*to detect [[undefined behavior]] (UndefinedBehaviorSanitizer), |
||
*to detect [[memory leak]]s (LeakSanitizer), or |
*to detect [[memory leak]]s (LeakSanitizer), or |
||
*to check [[control-flow integrity]] (CFISanitizer). |
*to check [[control-flow integrity]] (CFISanitizer). |
||
Fuzzing can also be used to detect "differential" bugs if a [[reference implementation]] is available. For automated [[regression testing]],<ref>{{cite book|last1=Orso|first1=Alessandro|last2=Xie|first2=Tao|title= |
Fuzzing can also be used to detect "differential" bugs if a [[reference implementation]] is available. For automated [[regression testing]],<ref>{{cite book|last1=Orso|first1=Alessandro|last2=Xie|first2=Tao|title=Proceedings of the 2008 international workshop on dynamic analysis: Held in conjunction with the ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2008) |chapter=BERT |year=2008|pages=36–42|doi=10.1145/1401827.1401835|publisher=ACM|isbn=9781605580548|s2cid=7506576}}</ref> the generated inputs are executed on two [[software versioning|versions]] of the same program. For automated [[differential testing]],<ref>{{cite journal|last1=McKeeman|first1=William M.|author-link=William M. McKeeman|title=Differential Testing for Software|journal=Digital Technical Journal|year=1998|volume=10|issue=1|pages=100–107|url=http://www.hpl.hp.com/hpjournal/dtj/vol10num1/vol10num1art9.pdf|archive-url=https://web.archive.org/web/20061031200115/http://www.hpl.hp.com/hpjournal/dtj/vol10num1/vol10num1art9.pdf|archive-date=2006-10-31}}</ref> the generated inputs are executed on two implementations of the same program (e.g., [[lighttpd]] and [[httpd]] are both implementations of a web server). If the two variants produce different output for the same input, then one may be buggy and should be examined more closely. |
||
===Validating static analysis reports=== |
===Validating static analysis reports=== |
||
[[Static program analysis]] analyzes a program without actually executing it. This might lead to [[false positive]]s where the tool reports problems with the program that do not actually exist. Fuzzing in combination with [[dynamic program analysis]] can be used to try to generate an input that actually witnesses the reported problem.<ref>{{cite book|last1=Babić|first1=Domagoj|last2=Martignoni|first2=Lorenzo|last3=McCamant|first3=Stephen|last4=Song|first4=Dawn|title |
[[Static program analysis]] analyzes a program without actually executing it. This might lead to [[false positive]]s where the tool reports problems with the program that do not actually exist. Fuzzing in combination with [[dynamic program analysis]] can be used to try to generate an input that actually witnesses the reported problem.<ref>{{cite book|last1=Babić|first1=Domagoj|last2=Martignoni|first2=Lorenzo|last3=McCamant|first3=Stephen|last4=Song|first4=Dawn|title=Proceedings of the 2011 International Symposium on Software Testing and Analysis |chapter=Statically-directed dynamic automated test generation |year=2011|pages=12–22|doi=10.1145/2001420.2001423|publisher=ACM|isbn=9781450305624|s2cid=17344927}}</ref> |
||
===Browser security=== |
===Browser security=== |
||
Modern web browsers undergo extensive fuzzing. The [[Chromium (web browser)|Chromium]] code of [[Google Chrome]] is continuously fuzzed by the Chrome Security Team with 15,000 cores.<ref name="Security">{{cite web |last1=Sesterhenn |first1=Eric |last2=Wever |first2=Berend-Jan |last3=Orrù |first3=Michele |last4=Vervier |first4=Markus |title=Browser Security WhitePaper |url=https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf |publisher=X41D SEC GmbH |date=19 Sep 2017}}</ref> For [[Microsoft Edge]] and [[Internet Explorer]], [[Microsoft]] performed fuzzed testing with 670 machine-years during product development, generating more than 400 billion DOM manipulations from 1 billion HTML files.<ref>{{cite web |title=Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros) |url=https://docs.microsoft.com/en-us/microsoft-edge/deploy/security-enhancements-microsoft-edge |publisher=[[Microsoft]] |access-date=31 August 2018 |date=15 Oct 2017}}</ref><ref name="Security"/> |
Modern web browsers undergo extensive fuzzing. The [[Chromium (web browser)|Chromium]] code of [[Google Chrome]] is continuously fuzzed by the Chrome Security Team with 15,000 cores.<ref name="Security">{{cite web |last1=Sesterhenn |first1=Eric |last2=Wever |first2=Berend-Jan |last3=Orrù |first3=Michele |last4=Vervier |first4=Markus |title=Browser Security WhitePaper |url=https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf |publisher=X41D SEC GmbH |date=19 Sep 2017}}</ref> For [[Microsoft Edge]] and [[Internet Explorer]], [[Microsoft]] performed fuzzed testing with 670 machine-years during product development, generating more than 400 billion [[Document Object Model|DOM]] manipulations from 1 billion HTML files.<ref>{{cite web |title=Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros) |url=https://docs.microsoft.com/en-us/microsoft-edge/deploy/security-enhancements-microsoft-edge |publisher=[[Microsoft]] |access-date=31 August 2018 |date=15 Oct 2017}}</ref><ref name="Security"/> |
||
== Toolchain == |
== Toolchain == |
||
Line 114: | Line 113: | ||
===Automated bug triage=== |
===Automated bug triage=== |
||
{{Main|Bug triage}} |
{{Main|Bug triage}} |
||
Automated bug triage is used to group a large number of failure-inducing inputs by [[root cause analysis|root cause]] and to prioritize each individual bug by severity. A fuzzer produces a large number of inputs, and many of the failure-inducing ones may effectively expose the same [[software bug]]. Only some of these bugs are [[security bug|security-critical]] and should be [[patch (computing)|patched]] with higher priority. For instance the [[CERT Coordination Center]] provides the Linux triage tools which group crashing inputs by the produced [[stack trace]] and lists each group according to their probability to be [[exploit (computer security)|exploitable]].<ref>{{cite web|title=CERT Triage Tools|url=https://www.cert.org/vulnerability-analysis/tools/triage.cfm?|website=CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University (CMU)|access-date=14 March 2017}}</ref> The Microsoft Security Research Centre (MSEC) developed the !exploitable tool which first creates a [[hash function|hash]] for a crashing input to determine its uniqueness and then assigns an exploitability rating:<ref>{{cite web|title=Microsoft !exploitable Crash Analyzer|url=https://msecdbg.codeplex.com/|website=CodePlex|access-date=14 March 2017}}</ref> |
Automated bug triage is used to group a large number of failure-inducing inputs by [[root cause analysis|root cause]] and to prioritize each individual bug by severity. A fuzzer produces a large number of inputs, and many of the failure-inducing ones may effectively expose the same [[software bug]]. Only some of these bugs are [[security bug|security-critical]] and should be [[patch (computing)|patched]] with higher priority. For instance the [[CERT Coordination Center]] provides the Linux triage tools which group crashing inputs by the produced [[stack trace]] and lists each group according to their probability to be [[exploit (computer security)|exploitable]].<ref>{{cite web|title=CERT Triage Tools|url=https://www.cert.org/vulnerability-analysis/tools/triage.cfm?|website=CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University (CMU)|access-date=14 March 2017}}</ref> The Microsoft Security Research Centre (MSEC) developed the "!exploitable" tool which first creates a [[hash function|hash]] for a crashing input to determine its uniqueness and then assigns an exploitability rating:<ref>{{cite web|title=Microsoft !exploitable Crash Analyzer|url=https://msecdbg.codeplex.com/|website=CodePlex|access-date=14 March 2017}}</ref> |
||
*Exploitable |
*Exploitable |
||
*Probably Exploitable |
*Probably Exploitable |
||
Line 138: | Line 137: | ||
! Smart/dumb |
! Smart/dumb |
||
! Description |
! Description |
||
!Compatible with / can scan: |
|||
!Build Support |
|||
! Written in |
! Written in |
||
! License |
! License |
||
|- |
|- |
||
| [[American fuzzy lop (fuzzer)|AFL]]{{sfn|Hazimeh|Herrera|Payer|loc=p. 1: "We evaluate seven widely-used mutation-based fuzzers (AFL, ...)"}}{{sfn|Li|Ji|Chen|Liang|loc=p. 1: "Using UniFuzz, we conduct in-depth evaluations of several prominent fuzzers including AFL, ..."}} |
| [[American fuzzy lop (fuzzer)|AFL]]{{sfn|Hazimeh|Herrera|Payer|2021|loc=p. 1: "We evaluate seven widely-used mutation-based fuzzers (AFL, ...)"}}{{sfn|Li|Ji|Chen|Liang|2021|loc=p. 1: "Using UniFuzz, we conduct in-depth evaluations of several prominent fuzzers including AFL, ..."}} |
||
| Gray |
| Gray |
||
| Dumb |
| Dumb |
||
| |
|||
| |
|||
| |
| |
||
| C |
| C |
||
| [[Apache License|Apache]] 2.0 |
| [[Apache License|Apache]] 2.0 |
||
|- |
|- |
||
| [[AFL++]]{{sfn|Hazimeh|Herrera|Payer|loc=p. 1: "We evaluate seven widely-used mutation-based fuzzers (..., AFL++, ...)"}} |
| [[AFL++]]{{sfn|Hazimeh|Herrera|Payer|2021|loc=p. 1: "We evaluate seven widely-used mutation-based fuzzers (..., AFL++, ...)"}} |
||
| Gray |
| Gray |
||
| Dumb |
| Dumb |
||
| |
|||
| |
|||
| |
| |
||
| C |
| C |
||
| [[Apache License|Apache]] 2.0 |
| [[Apache License|Apache]] 2.0 |
||
|- |
|- |
||
| AFLFast{{sfn|Li|Ji|Chen|Liang|loc=p. 1: "Using UniFuzz, we conduct in-depth evaluations of several prominent fuzzers including AFL, AFLFast, ..."}} |
| AFLFast{{sfn|Li|Ji|Chen|Liang|2021|loc=p. 1: "Using UniFuzz, we conduct in-depth evaluations of several prominent fuzzers including AFL, AFLFast, ..."}} |
||
| Gray |
| Gray |
||
| Dumb |
| Dumb |
||
| |
|||
| |
|||
| |
| |
||
| C |
| C |
||
| [[Apache License|Apache]] 2.0 |
| [[Apache License|Apache]] 2.0 |
||
|- |
|- |
||
| Angora{{sfn|Li|Ji|Chen|Liang|loc=p. 1: "Using UniFuzz, we conduct in-depth evaluations of several prominent fuzzers including AFL, ..., Angora, ..."}} |
| Angora{{sfn|Li|Ji|Chen|Liang|2021|loc=p. 1: "Using UniFuzz, we conduct in-depth evaluations of several prominent fuzzers including AFL, ..., Angora, ..."}} |
||
| Gray |
| Gray |
||
| Dumb |
| Dumb |
||
| |
|||
| |
|||
| |
| |
||
| C++ |
| C++ |
||
| [[Apache License|Apache]] 2.0 |
| [[Apache License|Apache]] 2.0 |
||
|- |
|- |
||
⚫ | | [https://honggfuzz.dev/ honggfuzz]{{sfn|Hazimeh|Herrera|Payer|2021|loc=p. 1: "We evaluate seven widely-used mutation-based fuzzers (..., honggfuzz, ...)"}}{{sfn|Li|Ji|Chen|Liang|2021|loc=p. 1: "Using UniFuzz, we conduct in-depth evaluations of several prominent fuzzers including AFL, ..., Honggfuzz, ..."}} |
||
|[https://github.com/CodeIntelligenceTesting/cifuzz cifuzz] |
|||
|White |
|||
|Smart |
|||
|cifuzz makes fuzz tests as easy as unit tests<ref>{{Citation |title=cifuzz |date=2023-03-16 |url=https://github.com/CodeIntelligenceTesting/cifuzz |access-date=2023-03-16 |publisher=Code Intelligence}}</ref> |
|||
|C, C++, Java, [[List of JVM languages|JVM languages]] |
|||
|Linux x86_64 |
|||
|Go, C, C++, CMake, Makefile, Shell |
|||
|Apache 2.0 |
|||
|- |
|||
⚫ | |||
| Gray |
| Gray |
||
| Dumb |
| Dumb |
||
| |
|||
| |
|||
| |
| |
||
| C |
| C |
||
| [[Apache License|Apache]] 2.0 |
| [[Apache License|Apache]] 2.0 |
||
|- |
|- |
||
⚫ | |||
|[https://github.com/google/oss-fuzz OSS-fuzz] |
|||
|White |
|||
|Smart |
|||
| |
|||
|C/C++, Rust, Go, Python, Java/JVM, and JavaScript code. Other languages supported by LLVM may work too <ref>{{Citation |title=OSS-Fuzz: Continuous Fuzzing for Open Source Software |date=2023-03-16 |url=https://github.com/google/oss-fuzz |access-date=2023-03-16 |publisher=Google}}</ref> |
|||
|Linux x86_64 and i386 |
|||
|Shell, Python, Dockerfile, Java, C, C++ |
|||
|Apache 2.0 |
|||
|- |
|||
⚫ | |||
| {{Data missing|date=March 2023|?}} |
| {{Data missing|date=March 2023|?}} |
||
| {{Data missing|date=March 2023|?}} |
| {{Data missing|date=March 2023|?}} |
||
| |
|||
| |
|||
| |
| |
||
| {{Data missing|date=March 2023|?}} |
| {{Data missing|date=March 2023|?}} |
||
Line 223: | Line 189: | ||
|- |
|- |
||
| [https://www.s3.eurecom.fr/tools/symbolic_execution/symcc.html SymCC]{{sfn|Hazimeh|Herrera|Payer|loc=p. 1: "We evaluate seven widely-used mutation-based fuzzers (..., and SymCC-AFL)"}} |
| [https://www.s3.eurecom.fr/tools/symbolic_execution/symcc.html SymCC]{{sfn|Hazimeh|Herrera|Payer|2021|loc=p. 1: "We evaluate seven widely-used mutation-based fuzzers (..., and SymCC-AFL)"}} |
||
| White{{sfn|Hazimeh|Herrera|Payer|p=14}} |
| White{{sfn|Hazimeh|Herrera|Payer|2021|p=14}} |
||
| {{Data missing|date=March 2023|?}} |
| {{Data missing|date=March 2023|?}} |
||
| |
|||
| |
|||
| |
| |
||
| C++ |
| C++ |
||
| [[GNU General Public License|GPL]], LGPL |
| [[GNU General Public License|GPL]], LGPL |
||
|- |
|- |
||
| T-Fuzz{{sfn|Li|Ji|Chen|Liang|loc=p. 1: "Using UniFuzz, we conduct in-depth evaluations of several prominent fuzzers including AFL, ..., T-Fuzz, ..."}} |
| T-Fuzz{{sfn|Li|Ji|Chen|Liang|2021|loc=p. 1: "Using UniFuzz, we conduct in-depth evaluations of several prominent fuzzers including AFL, ..., T-Fuzz, ..."}} |
||
| {{Data missing|date=March 2023|?}} |
| {{Data missing|date=March 2023|?}} |
||
| {{Data missing|date=March 2023|?}} |
| {{Data missing|date=March 2023|?}} |
||
| |
|||
| |
|||
| |
| |
||
| {{Data missing|date=March 2023|?}} |
| {{Data missing|date=March 2023|?}} |
||
Line 244: | Line 205: | ||
|- |
|- |
||
| VUzzer{{sfn|Li|Ji|Chen|Liang|loc=p. 1: "Using UniFuzz, we conduct in-depth evaluations of several prominent fuzzers including AFL, ..., and VUzzer64."}} |
| VUzzer{{sfn|Li|Ji|Chen|Liang|2021|loc=p. 1: "Using UniFuzz, we conduct in-depth evaluations of several prominent fuzzers including AFL, ..., and VUzzer64."}} |
||
| {{Data missing|date=March 2023|?}} |
| {{Data missing|date=March 2023|?}} |
||
| {{Data missing|date=March 2023|?}} |
| {{Data missing|date=March 2023|?}} |
||
| |
|||
| |
|||
| |
| |
||
| {{Data missing|date=March 2023|?}} |
| {{Data missing|date=March 2023|?}} |
||
| {{Data missing|date=March 2023|?}} |
| {{Data missing|date=March 2023|?}} |
||
|- |
|||
|[https://github.com/xmendez/wfuzz Wfuzz] |
|||
| |
|||
| |
|||
|"Wfuzz provides a framework to automate web applications security assessments and could help you to secure your web applications by finding and exploiting web application vulnerabilities."<ref>{{Cite web |title=Wfuzz: The Web fuzzer — Wfuzz 2.1.4 documentation |url=https://wfuzz.readthedocs.io/en/latest/ |access-date=2023-03-16 |website=wfuzz.readthedocs.io}}</ref> |
|||
| |
|||
| |
|||
|Python<ref>{{Citation |last=Mendez |first=Xavi |title=Wfuzz - The Web Fuzzer |date=2023-03-16 |url=https://github.com/xmendez/wfuzz |access-date=2023-03-16}}</ref> |
|||
|GPL 2.0 |
|||
|} |
|} |
||
Line 271: | Line 222: | ||
* [[Monkey testing]] |
* [[Monkey testing]] |
||
* [[Random testing]] |
* [[Random testing]] |
||
* [[ |
* [[Coordinated vulnerability disclosure]] |
||
* [[Runtime error detection]] |
* [[Runtime error detection]] |
||
* [[Security testing]] |
* [[Security testing]] |
||
Line 282: | Line 233: | ||
{{Reflist|30em|refs= |
{{Reflist|30em|refs= |
||
<ref name="fuzz-cs736" >{{cite web |author= Barton P. Miller |title= Fall 1988 CS736 Project List |url= http://pages.cs.wisc.edu/~bart/fuzz/CS736-Projects-f1988.pdf |publisher= Computer Sciences Department, University of Wisconsin-Madison |date= September 1988|access-date= 2020-12-30}}</ref> |
<ref name="fuzz-cs736" >{{cite web |author= Barton P. Miller |title= Fall 1988 CS736 Project List |url= http://pages.cs.wisc.edu/~bart/fuzz/CS736-Projects-f1988.pdf |publisher= Computer Sciences Department, University of Wisconsin-Madison |date= September 1988|access-date= 2020-12-30}}</ref> |
||
<ref name="fuzz1990" >{{cite journal |title= An Empirical Study of the Reliability of UNIX Utilities |author1=Barton P. Miller |author2=Lars Fredriksen |author3=Bryan So |journal= Communications of the ACM |date = December 1990 |volume=33 |issue=11 | |
<ref name="fuzz1990" >{{cite journal |title= An Empirical Study of the Reliability of UNIX Utilities |author1=Barton P. Miller |author2=Lars Fredriksen |author3=Bryan So |journal= Communications of the ACM |date = December 1990 |volume=33 |issue=11 |pages=32–44 |doi=10.1145/96267.96279|s2cid=14313707 |doi-access=free }}</ref> |
||
<ref name="fuzz1995" >{{cite journal |title= Fuzz Revisited: A Re-examination of the Reliability of UNIX Utilities and Services |author1=Barton P. Miller |author2=David Koski |author3=Cjin P. Lee |author4=Vivekananda Maganty |author5=Ravbi Murthy |author6=Ajitkumar Natarajan |author7=Jeff Steidl|journal= Computer Sciences Technical Report #1268, University of Wisconsin-Madison |date = April 1995 | url=https://ftp.cs.wisc.edu/paradyn/technical_papers/fuzz-revisited.pdf}}</ref> |
|||
<ref name="fuzz2000" >{{cite journal |title= An Empirical Study of the Robustness of Windows NT Applications Using Random Testing |author1=Justin Forrester |author2=Barton P. Miller |journal= 4th USENIX Windows Systems Symposium |date = September 2000 | url=https://ftp.cs.wisc.edu/paradyn/technical_papers/fuzz-nt.pdf}}</ref> |
|||
<ref name="fuzz2006" >{{cite journal |title= An Empirical Study of the Robustness of MacOS Applications Using Random Testing |author1=Barton P. Miller |author2=Gregory Cooksey |author3=Fredrick Moore |journal= First International Workshop on Random Testing |date = July 2006 | url=https://ftp.cs.wisc.edu/paradyn/technical_papers/Fuzz-MacOS.pdf}}</ref> |
|||
<ref name="fuzz2020" >{{cite journal |title= The Relevance of Classic Fuzz Testing:Have We Solved This One? |author1=Barton P. Miller |author2=Mengxiao Zhang |author3=Elisa Heymann |journal= IEEE Transactions on Software Engineering |date = 2021|volume=48 |issue=6 |page=1 |doi=10.1109/TSE.2020.3047766 |arxiv=2008.06537 |s2cid=221139874 }}</ref> |
|||
<ref name="hertzfeld2004" >{{cite book |isbn= 978-0596007195 |title= Revolution in the Valley:The Insanely Great Story of How the Mac Was Made? |author1=Andy Hertzfeld |publisher= O'Reily Press |year= 2004}}</ref> |
<ref name="hertzfeld2004" >{{cite book |isbn= 978-0596007195 |title= Revolution in the Valley:The Insanely Great Story of How the Mac Was Made? |author1=Andy Hertzfeld |publisher= O'Reily Press |year= 2004}}</ref> |
||
<ref name="sutton" >{{cite book |isbn= 978-0-321-44611-4 |title= Fuzzing: Brute Force Vulnerability Discovery |author1=Michael Sutton |author2=Adam Greene |author3=Pedram Amini |publisher= Addison-Wesley |year= 2007}}</ref> |
<ref name="sutton" >{{cite book |isbn= 978-0-321-44611-4 |title= Fuzzing: Brute Force Vulnerability Discovery |author1=Michael Sutton |author2=Adam Greene |author3=Pedram Amini |publisher= Addison-Wesley |year= 2007}}</ref> |
||
Line 302: | Line 249: | ||
<ref name="clusterfuzz">{{cite web |url= https://blog.chromium.org/2012/04/fuzzing-for-security.html |title= Announcing ClusterFuzz |access-date= 2017-03-09}}</ref> |
<ref name="clusterfuzz">{{cite web |url= https://blog.chromium.org/2012/04/fuzzing-for-security.html |title= Announcing ClusterFuzz |access-date= 2017-03-09}}</ref> |
||
<ref name="buzzfuzz">{{cite web |url= http://www.isoc.org/isoc/conferences/ndss/08/papers/10_automated_whitebox_fuzz.pdf |title= Automated Whitebox Fuzz Testing |publisher= Proceedings of Network and Distributed Systems Symposium (NDSS'08) |date= 2008-02-08 |author1=Patrice Godefroid |author2=Michael Y. Levin |author3=David Molnar}}</ref> |
<ref name="buzzfuzz">{{cite web |url= http://www.isoc.org/isoc/conferences/ndss/08/papers/10_automated_whitebox_fuzz.pdf |title= Automated Whitebox Fuzz Testing |publisher= Proceedings of Network and Distributed Systems Symposium (NDSS'08) |date= 2008-02-08 |author1=Patrice Godefroid |author2=Michael Y. Levin |author3=David Molnar}}</ref> |
||
<ref name="boehme2">{{cite book |
<ref name="boehme2">{{cite book |pages= 1032–1043 |publisher= Proceedings of the ACM Conference on Computer and Communications Security (CCS'16) |date= 2016-10-28 |author1=Marcel Böhme |author2=Van-Thuan Pham |author3=Abhik Roychoudhury|title= Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security |doi= 10.1145/2976749.2978428 |chapter= Coverage-based Greybox Fuzzing as Markov Chain |isbn= 9781450341394 |s2cid= 3344888 }}</ref> |
||
<ref name="driller">{{cite conference |url= https://www.internetsociety.org/sites/default/files/blogs-media/driller-augmenting-fuzzing-through-selective-symbolic-execution.pdf |title= Driller: Augmenting. Fuzzing Through Selective Symbolic Execution |publisher= Proceedings of Network and Distributed Systems Symposium (NDSS'16) |date= 2016-02-24 |author1=Nick Stephens |author2=John Grosen |author3=Christopher Salls |author4=Andrew Dutcher |author5= Ruoyu Wang |author6=Jacopo Corbetta |author7=Yan Shoshitaishvili |author8=Christopher Kruegel |author9=Giovanni Vigna}}</ref> |
<ref name="driller">{{cite conference |url= https://www.internetsociety.org/sites/default/files/blogs-media/driller-augmenting-fuzzing-through-selective-symbolic-execution.pdf |title= Driller: Augmenting. Fuzzing Through Selective Symbolic Execution |publisher= Proceedings of Network and Distributed Systems Symposium (NDSS'16) |date= 2016-02-24 |author1=Nick Stephens |author2=John Grosen |author3=Christopher Salls |author4=Andrew Dutcher |author5= Ruoyu Wang |author6=Jacopo Corbetta |author7=Yan Shoshitaishvili |author8=Christopher Kruegel |author9=Giovanni Vigna}}</ref> |
||
<ref name="aiken">{{cite conference |arxiv=1608.01723 |title= Synthesizing Program Input Grammars |publisher= Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2017) |date= June 2017 |author1=Osbert Bastani |author2=Rahul Sharma |author3=Alex Aiken |author4=Percy Liang|bibcode=2016arXiv160801723B }}</ref> |
<ref name="aiken">{{cite conference |arxiv=1608.01723 |title= Synthesizing Program Input Grammars |publisher= Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2017) |date= June 2017 |author1=Osbert Bastani |author2=Rahul Sharma |author3=Alex Aiken |author4=Percy Liang|bibcode=2016arXiv160801723B }}</ref> |
||
<ref name="AutoDO-1">{{cite book|author1=Ari Takanen|author2=Jared D. Demott|author3=Charles Miller|title=Fuzzing for Software Security Testing and Quality Assurance, Second Edition|url=https://books.google.com/books?id=tKN5DwAAQBAJ&q=%22I+settled+on+the+term+fuzz%22&pg=PR15|date=31 January 2018|publisher=Artech House|isbn=978-1-63081-519-6|page=15}} [http://index-of.co.uk/Reversing-Exploiting/Fuzzing.pdf full document] available ([https://web.archive.org/web/20180919035901/http://index-of.co.uk/Reversing-Exploiting/Fuzzing.pdf archived] September 19, 2018)</ref> |
<ref name="AutoDO-1">{{cite book|author1=Ari Takanen|author2=Jared D. Demott|author3=Charles Miller|title=Fuzzing for Software Security Testing and Quality Assurance, Second Edition|url=https://books.google.com/books?id=tKN5DwAAQBAJ&q=%22I+settled+on+the+term+fuzz%22&pg=PR15|date=31 January 2018|publisher=Artech House|isbn=978-1-63081-519-6|page=15}} [http://index-of.co.uk/Reversing-Exploiting/Fuzzing.pdf full document] available ([https://web.archive.org/web/20180919035901/http://index-of.co.uk/Reversing-Exploiting/Fuzzing.pdf archived] September 19, 2018)</ref> |
||
<--Barton Miller (2008). "Preface". In Ari Takanen, Jared DeMott and Charlie Miller, ''Fuzzing for Software Security Testing and Quality Assurance'', {{ISBN|978-1-59693-214-2}}</ref>--> |
<!--Barton Miller (2008). "Preface". In Ari Takanen, Jared DeMott and Charlie Miller, ''Fuzzing for Software Security Testing and Quality Assurance'', {{ISBN|978-1-59693-214-2}}</ref>--> |
||
<ref name="AutoDO-2">{{cite web |title= Fuzz Testing of Application Reliability |url= http://pages.cs.wisc.edu/~bart/fuzz/ |publisher= University of Wisconsin-Madison |access-date= 2020-12-30}}</ref> |
<ref name="AutoDO-2">{{cite web |title= Fuzz Testing of Application Reliability |url= http://pages.cs.wisc.edu/~bart/fuzz/ |publisher= University of Wisconsin-Madison |access-date= 2020-12-30}}</ref> |
||
<ref name="AutoDO-3">{{cite web |url= http://www.folklore.org/StoryView.py?story=Monkey_Lives.txt |title= Macintosh Stories: Monkey Lives |publisher= Folklore.org |date= 1999-02-22 |access-date= 2010-05-28}}</ref> |
<ref name="AutoDO-3">{{cite web |url= http://www.folklore.org/StoryView.py?story=Monkey_Lives.txt |title= Macintosh Stories: Monkey Lives |publisher= Folklore.org |date= 1999-02-22 |access-date= 2010-05-28}}</ref> |
||
Line 320: | Line 267: | ||
==Further reading== |
==Further reading== |
||
*{{Cite book |
|||
| last1 = Nappa |
|||
| first1 = A. |
|||
| last2 = Blázquez |
|||
| first2 = E. |
|||
| title = Fuzzing Against the Machine: Automate Vulnerability Research with Emulated IoT Devices on Qemu |
|||
| publisher = Packt Publishing, Limited |
|||
| year = 2023 |
|||
| isbn = 9781804614976 |
|||
| url = https://books.google.com/books?id=W-iwzwEACAAJ |
|||
}} A comprehensive guide on automated vulnerability research with emulated IoT devices. |
|||
*{{Cite book |last1=Zeller |first1=Andreas |url=https://fuzzingbook.org/ |title=The Fuzzing Book |last2=Gopinath |first2=Rahul |last3=Böhme |first3=Marcel |last4=Fraser |first4=Gordon |last5=Holler |first5=Christian |date=2019 |publisher=CISPA + Saarland University |location=Saarbrücken |language=en}} A free, online, introductory textbook on fuzzing. |
*{{Cite book |last1=Zeller |first1=Andreas |url=https://fuzzingbook.org/ |title=The Fuzzing Book |last2=Gopinath |first2=Rahul |last3=Böhme |first3=Marcel |last4=Fraser |first4=Gordon |last5=Holler |first5=Christian |date=2019 |publisher=CISPA + Saarland University |location=Saarbrücken |language=en}} A free, online, introductory textbook on fuzzing. |
||
*Ari Takanen, Jared D. DeMott, Charles Miller, ''Fuzzing for Software Security Testing and Quality Assurance'', 2008, {{ISBN|978-1-59693-214-2}} |
*Ari Takanen, Jared D. DeMott, Charles Miller, ''Fuzzing for Software Security Testing and Quality Assurance'', 2008, {{ISBN|978-1-59693-214-2}} |
||
*Michael Sutton, Adam Greene, and Pedram Amini. ''Fuzzing: Brute Force Vulnerability Discovery'', 2007, {{ISBN|0-321-44611-9}}. |
*Michael Sutton, Adam Greene, and Pedram Amini. ''Fuzzing: Brute Force Vulnerability Discovery'', 2007, {{ISBN|0-321-44611-9}}. |
||
*H. Pohl, [https://web.archive.org/web/20160110215132/http://www.softscheck.com/publications/softScheck%20Pohl%20Cost-Effective%20Identification%20of%20Less-Than%20Zero-Day%20Vulnerabilities%20WPE.pdf ''Cost-Effective Identification of Zero-Day Vulnerabilities with the Aid of Threat Modeling and Fuzzing''], 2011 |
*H. Pohl, [https://web.archive.org/web/20160110215132/http://www.softscheck.com/publications/softScheck%20Pohl%20Cost-Effective%20Identification%20of%20Less-Than%20Zero-Day%20Vulnerabilities%20WPE.pdf ''Cost-Effective Identification of Zero-Day Vulnerabilities with the Aid of Threat Modeling and Fuzzing''], 2011 |
||
*Fabien Duchene, [ |
*Fabien Duchene, [https://theses.hal.science/tel-01548923/ Detection of Web Vulnerabilities via Model Inference assisted Evolutionary Fuzzing, 2014, PhD Thesis] |
||
*Bratus, S., Darley, T., Locasto, M., Patterson, M.L., Shapiro, R.B., Shubina, A., ''Beyond Planted Bugs in "Trusting Trust": The Input-Processing Frontier'', [ |
*Bratus, S., Darley, T., Locasto, M., Patterson, M.L., Shapiro, R.B., Shubina, A., ''Beyond Planted Bugs in "Trusting Trust": The Input-Processing Frontier'', [https://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6756892&sortType%3Dasc_p_Sequence%26filter%3DAND%28p_IS_Number%3A6756734%29 IEEE Security & Privacy Vol 12, Issue 1, (Jan-Feb 2014), pp. 83–87]—Basically highlights why fuzzing works so well: because the input is the controlling program of the interpreter. |
||
==External links== |
==External links== |
||
Line 333: | Line 291: | ||
*[https://docs.google.com/viewer?url=https%3A%2F%2Fgithub.com%2Fs7ephen%2FRuxxer%2Fraw%2Fmaster%2Fpresentations%2FRuxxer.ppt Building 'Protocol Aware' Fuzzing Frameworks] |
*[https://docs.google.com/viewer?url=https%3A%2F%2Fgithub.com%2Fs7ephen%2FRuxxer%2Fraw%2Fmaster%2Fpresentations%2FRuxxer.ppt Building 'Protocol Aware' Fuzzing Frameworks] |
||
⚫ | |||
{{Software testing}} |
{{Software testing}} |
||
Revision as of 04:57, 8 December 2024
In programming and software development, fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Typically, fuzzers are used to test programs that take structured inputs. This structure is specified, such as in a file format or protocol and distinguishes valid from invalid input. An effective fuzzer generates semi-valid inputs that are "valid enough" in that they are not directly rejected by the parser, but do create unexpected behaviors deeper in the program and are "invalid enough" to expose corner cases that have not been properly dealt with.
For the purpose of security, input that crosses a trust boundary is often the most useful.[1] For example, it is more important to fuzz code that handles a file uploaded by any user than it is to fuzz the code that parses a configuration file that is accessible only to a privileged user.
History
The term "fuzz" originates from a 1988 class project[2] in the graduate Advanced Operating Systems class (CS736), taught by Prof. Barton Miller at the University of Wisconsin, whose results were subsequently published in 1990.[3][4] To fuzz test a UNIX utility meant to automatically generate random input and command-line parameters for the utility. The project was designed to test the reliability of UNIX command line programs by executing a large number of random inputs in quick succession until they crashed. Miller's team was able to crash 25 to 33 percent of the utilities that they tested. They then debugged each of the crashes to determine the cause and categorized each detected failure. To allow other researchers to conduct similar experiments with other software, the source code of the tools, the test procedures, and the raw result data were made publicly available.[5] This early fuzzing would now be called black box, generational, unstructured (dumb or "classic") fuzzing.
According to Prof. Barton Miller, "In the process of writing the project description, I needed to give this kind of testing a name. I wanted a name that would evoke the feeling of random, unstructured data. After trying out several ideas, I settled on the term fuzz."[4]
A key contribution of this early work was simple (almost simplistic) oracle. A program failed its test if it crashed or hung under the random input and was considered to have passed otherwise. While test oracles can be challenging to construct, the oracle for this early fuzz testing was simple and universal to apply.
In April 2012, Google announced ClusterFuzz, a cloud-based fuzzing infrastructure for security-critical components of the Chromium web browser.[6] Security researchers can upload their own fuzzers and collect bug bounties if ClusterFuzz finds a crash with the uploaded fuzzer.
In September 2014, Shellshock[7] was disclosed as a family of security bugs in the widely used UNIX Bash shell; most vulnerabilities of Shellshock were found using the fuzzer AFL.[8] (Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.[9])
In April 2015, Hanno Böck showed how the fuzzer AFL could have found the 2014 Heartbleed vulnerability.[10][11] (The Heartbleed vulnerability was disclosed in April 2014. It is a serious vulnerability that allows adversaries to decipher otherwise encrypted communication. The vulnerability was accidentally introduced into OpenSSL which implements TLS and is used by the majority of the servers on the internet. Shodan reported 238,000 machines still vulnerable in April 2016;[12] 200,000 in January 2017.[13])
In August 2016, the Defense Advanced Research Projects Agency (DARPA) held the finals of the first Cyber Grand Challenge, a fully automated capture-the-flag competition that lasted 11 hours.[14] The objective was to develop automatic defense systems that can discover, exploit, and correct software flaws in real-time. Fuzzing was used as an effective offense strategy to discover flaws in the software of the opponents. It showed tremendous potential in the automation of vulnerability detection. The winner was a system called "Mayhem"[15] developed by the team ForAllSecure led by David Brumley.
In September 2016, Microsoft announced Project Springfield, a cloud-based fuzz testing service for finding security critical bugs in software.[16]
In December 2016, Google announced OSS-Fuzz which allows for continuous fuzzing of several security-critical open-source projects.[17]
At Black Hat 2018, Christopher Domas demonstrated the use of fuzzing to expose the existence of a hidden RISC core in a processor.[18] This core was able to bypass existing security checks to execute Ring 0 commands from Ring 3.
In September 2020, Microsoft released OneFuzz, a self-hosted fuzzing-as-a-service platform that automates the detection of software bugs.[19] It supports Windows and Linux.[20] It has been archived three years later on November 1st, 2023.[21]
Early random testing
Testing programs with random inputs dates back to the 1950s when data was still stored on punched cards.[22] Programmers would use punched cards that were pulled from the trash or card decks of random numbers as input to computer programs. If an execution revealed undesired behavior, a bug had been detected.
The execution of random inputs is also called random testing or monkey testing.
In 1981, Duran and Ntafos formally investigated the effectiveness of testing a program with random inputs.[23][24] While random testing had been widely perceived to be the worst means of testing a program, the authors could show that it is a cost-effective alternative to more systematic testing techniques.
In 1983, Steve Capps at Apple developed "The Monkey",[25] a tool that would generate random inputs for classic Mac OS applications, such as MacPaint.[26] The figurative "monkey" refers to the infinite monkey theorem which states that a monkey hitting keys at random on a typewriter keyboard for an infinite amount of time will eventually type out the entire works of Shakespeare. In the case of testing, the monkey would write the particular sequence of inputs that would trigger a crash.
In 1991, the crashme tool was released, which was intended to test the robustness of Unix and Unix-like operating systems by randomly executing systems calls with randomly chosen parameters.[27]
Types
A fuzzer can be categorized in several ways:[28][1]
- A fuzzer can be generation-based or mutation-based depending on whether inputs are generated from scratch or by modifying existing inputs.
- A fuzzer can be dumb (unstructured) or smart (structured) depending on whether it is aware of input structure.
- A fuzzer can be white-, grey-, or black-box, depending on whether it is aware of program structure.
Reuse of existing input seeds
A mutation-based fuzzer leverages an existing corpus of seed inputs during fuzzing. It generates inputs by modifying (or rather mutating) the provided seeds.[29] For example, when fuzzing the image library libpng, the user would provide a set of valid PNG image files as seeds while a mutation-based fuzzer would modify these seeds to produce semi-valid variants of each seed. The corpus of seed files may contain thousands of potentially similar inputs. Automated seed selection (or test suite reduction) allows users to pick the best seeds in order to maximize the total number of bugs found during a fuzz campaign.[30]
A generation-based fuzzer generates inputs from scratch. For instance, a smart generation-based fuzzer[31] takes the input model that was provided by the user to generate new inputs. Unlike mutation-based fuzzers, a generation-based fuzzer does not depend on the existence or quality of a corpus of seed inputs.
Some fuzzers have the capability to do both, to generate inputs from scratch and to generate inputs by mutation of existing seeds.[32]
Aware of input structure
Typically, fuzzers are used to generate inputs for programs that take structured inputs, such as a file, a sequence of keyboard or mouse events, or a sequence of messages. This structure distinguishes valid input that is accepted and processed by the program from invalid input that is quickly rejected by the program. What constitutes a valid input may be explicitly specified in an input model. Examples of input models are formal grammars, file formats, GUI-models, and network protocols. Even items not normally considered as input can be fuzzed, such as the contents of databases, shared memory, environment variables or the precise interleaving of threads. An effective fuzzer generates semi-valid inputs that are "valid enough" so that they are not directly rejected from the parser and "invalid enough" so that they might stress corner cases and exercise interesting program behaviours.
A smart (model-based,[32] grammar-based,[31][33] or protocol-based[34]) fuzzer leverages the input model to generate a greater proportion of valid inputs. For instance, if the input can be modelled as an abstract syntax tree, then a smart mutation-based fuzzer[33] would employ random transformations to move complete subtrees from one node to another. If the input can be modelled by a formal grammar, a smart generation-based fuzzer[31] would instantiate the production rules to generate inputs that are valid with respect to the grammar. However, generally the input model must be explicitly provided, which is difficult to do when the model is proprietary, unknown, or very complex. If a large corpus of valid and invalid inputs is available, a grammar induction technique, such as Angluin's L* algorithm, would be able to generate an input model.[35][36]
A dumb fuzzer[37][38] does not require the input model and can thus be employed to fuzz a wider variety of programs. For instance, AFL is a dumb mutation-based fuzzer that modifies a seed file by flipping random bits, by substituting random bytes with "interesting" values, and by moving or deleting blocks of data. However, a dumb fuzzer might generate a lower proportion of valid inputs and stress the parser code rather than the main components of a program. The disadvantage of dumb fuzzers can be illustrated by means of the construction of a valid checksum for a cyclic redundancy check (CRC). A CRC is an error-detecting code that ensures that the integrity of the data contained in the input file is preserved during transmission. A checksum is computed over the input data and recorded in the file. When the program processes the received file and the recorded checksum does not match the re-computed checksum, then the file is rejected as invalid. Now, a fuzzer that is unaware of the CRC is unlikely to generate the correct checksum. However, there are attempts to identify and re-compute a potential checksum in the mutated input, once a dumb mutation-based fuzzer has modified the protected data.[39]
Aware of program structure
Typically, a fuzzer is considered more effective if it achieves a higher degree of code coverage. The rationale is, if a fuzzer does not exercise certain structural elements in the program, then it is also not able to reveal bugs that are hiding in these elements. Some program elements are considered more critical than others. For instance, a division operator might cause a division by zero error, or a system call may crash the program.
A black-box fuzzer[37][33] treats the program as a black box and is unaware of internal program structure. For instance, a random testing tool that generates inputs at random is considered a blackbox fuzzer. Hence, a blackbox fuzzer can execute several hundred inputs per second, can be easily parallelized, and can scale to programs of arbitrary size. However, blackbox fuzzers may only scratch the surface and expose "shallow" bugs. Hence, there are attempts to develop blackbox fuzzers that can incrementally learn about the internal structure (and behavior) of a program during fuzzing by observing the program's output given an input. For instance, LearnLib employs active learning to generate an automaton that represents the behavior of a web application.
A white-box fuzzer[38][32] leverages program analysis to systematically increase code coverage or to reach certain critical program locations. For instance, SAGE[40] leverages symbolic execution to systematically explore different paths in the program (a technique known as concolic execution). If the program's specification is available, a whitebox fuzzer might leverage techniques from model-based testing to generate inputs and check the program outputs against the program specification. A whitebox fuzzer can be very effective at exposing bugs that hide deep in the program. However, the time used for analysis (of the program or its specification) can become prohibitive. If the whitebox fuzzer takes relatively too long to generate an input, a blackbox fuzzer will be more efficient.[41] Hence, there are attempts to combine the efficiency of blackbox fuzzers and the effectiveness of whitebox fuzzers.[42]
A gray-box fuzzer leverages instrumentation rather than program analysis to glean information about the program. For instance, AFL and libFuzzer utilize lightweight instrumentation to trace basic block transitions exercised by an input. This leads to a reasonable performance overhead but informs the fuzzer about the increase in code coverage during fuzzing, which makes gray-box fuzzers extremely efficient vulnerability detection tools.[43]
Uses
Fuzzing is used mostly as an automated technique to expose vulnerabilities in security-critical programs that might be exploited with malicious intent.[6][16][17] More generally, fuzzing is used to demonstrate the presence of bugs rather than their absence. Running a fuzzing campaign for several weeks without finding a bug does not prove the program correct.[44] After all, the program may still fail for an input that has not been executed, yet; executing a program for all inputs is prohibitively expensive. If the objective is to prove a program correct for all inputs, a formal specification must exist and techniques from formal methods must be used.
Exposing bugs
In order to expose bugs, a fuzzer must be able to distinguish expected (normal) from unexpected (buggy) program behavior. However, a machine cannot always distinguish a bug from a feature. In automated software testing, this is also called the test oracle problem.[45][46]
Typically, a fuzzer distinguishes between crashing and non-crashing inputs in the absence of specifications and to use a simple and objective measure. Crashes can be easily identified and might indicate potential vulnerabilities (e.g., denial of service or arbitrary code execution). However, the absence of a crash does not indicate the absence of a vulnerability. For instance, a program written in C may or may not crash when an input causes a buffer overflow. Rather the program's behavior is undefined.
To make a fuzzer more sensitive to failures other than crashes, sanitizers can be used to inject assertions that crash the program when a failure is detected.[47][48] There are different sanitizers for different kinds of bugs:
- to detect memory related errors, such as buffer overflows and use-after-free (using memory debuggers such as AddressSanitizer),
- to detect race conditions and deadlocks (ThreadSanitizer),
- to detect undefined behavior (UndefinedBehaviorSanitizer),
- to detect memory leaks (LeakSanitizer), or
- to check control-flow integrity (CFISanitizer).
Fuzzing can also be used to detect "differential" bugs if a reference implementation is available. For automated regression testing,[49] the generated inputs are executed on two versions of the same program. For automated differential testing,[50] the generated inputs are executed on two implementations of the same program (e.g., lighttpd and httpd are both implementations of a web server). If the two variants produce different output for the same input, then one may be buggy and should be examined more closely.
Validating static analysis reports
Static program analysis analyzes a program without actually executing it. This might lead to false positives where the tool reports problems with the program that do not actually exist. Fuzzing in combination with dynamic program analysis can be used to try to generate an input that actually witnesses the reported problem.[51]
Browser security
Modern web browsers undergo extensive fuzzing. The Chromium code of Google Chrome is continuously fuzzed by the Chrome Security Team with 15,000 cores.[52] For Microsoft Edge and Internet Explorer, Microsoft performed fuzzed testing with 670 machine-years during product development, generating more than 400 billion DOM manipulations from 1 billion HTML files.[53][52]
Toolchain
A fuzzer produces a large number of inputs in a relatively short time. For instance, in 2016 the Google OSS-fuzz project produced around 4 trillion inputs a week.[17] Hence, many fuzzers provide a toolchain that automates otherwise manual and tedious tasks which follow the automated generation of failure-inducing inputs.
Automated bug triage
Automated bug triage is used to group a large number of failure-inducing inputs by root cause and to prioritize each individual bug by severity. A fuzzer produces a large number of inputs, and many of the failure-inducing ones may effectively expose the same software bug. Only some of these bugs are security-critical and should be patched with higher priority. For instance the CERT Coordination Center provides the Linux triage tools which group crashing inputs by the produced stack trace and lists each group according to their probability to be exploitable.[54] The Microsoft Security Research Centre (MSEC) developed the "!exploitable" tool which first creates a hash for a crashing input to determine its uniqueness and then assigns an exploitability rating:[55]
- Exploitable
- Probably Exploitable
- Probably Not Exploitable, or
- Unknown.
Previously unreported, triaged bugs might be automatically reported to a bug tracking system. For instance, OSS-Fuzz runs large-scale, long-running fuzzing campaigns for several security-critical software projects where each previously unreported, distinct bug is reported directly to a bug tracker.[17] The OSS-Fuzz bug tracker automatically informs the maintainer of the vulnerable software and checks in regular intervals whether the bug has been fixed in the most recent revision using the uploaded minimized failure-inducing input.
Automated input minimization
Automated input minimization (or test case reduction) is an automated debugging technique to isolate that part of the failure-inducing input that is actually inducing the failure.[56][57] If the failure-inducing input is large and mostly malformed, it might be difficult for a developer to understand what exactly is causing the bug. Given the failure-inducing input, an automated minimization tool would remove as many input bytes as possible while still reproducing the original bug. For instance, Delta Debugging is an automated input minimization technique that employs an extended binary search algorithm to find such a minimal input.[58]
List of popular fuzzers
This section needs expansion. You can help by adding to it. (February 2023) |
The following is a list of fuzzers described as "popular", "widely used", or similar in the academic literature.[59][60]
Name | White/gray/black-box | Smart/dumb | Description | Written in | License |
---|---|---|---|---|---|
AFL[61][62] | Gray | Dumb | C | Apache 2.0 | |
AFL++[63] | Gray | Dumb | C | Apache 2.0 | |
AFLFast[64] | Gray | Dumb | C | Apache 2.0 | |
Angora[65] | Gray | Dumb | C++ | Apache 2.0 | |
honggfuzz[66][67] | Gray | Dumb | C | Apache 2.0 | |
QSYM[68] | [?] | [?] | [?] | [?] | |
SymCC[69] | White[70] | [?] | C++ | GPL, LGPL | |
T-Fuzz[71] | [?] | [?] | [?] | [?] | |
VUzzer[72] | [?] | [?] | [?] | [?] |
See also
- American fuzzy lop (fuzzer)
- Concolic testing
- Glitch
- Glitching
- Monkey testing
- Random testing
- Coordinated vulnerability disclosure
- Runtime error detection
- Security testing
- Smoke testing (software)
- Symbolic execution
- System testing
- Test automation
References
- ^ a b John Neystadt (February 2008). "Automated Penetration Testing with White-Box Fuzzing". Microsoft. Retrieved 2009-05-14.
- ^ Barton P. Miller (September 1988). "Fall 1988 CS736 Project List" (PDF). Computer Sciences Department, University of Wisconsin-Madison. Retrieved 2020-12-30.
- ^ Barton P. Miller; Lars Fredriksen; Bryan So (December 1990). "An Empirical Study of the Reliability of UNIX Utilities". Communications of the ACM. 33 (11): 32–44. doi:10.1145/96267.96279. S2CID 14313707.
- ^ a b Miller, Barton (April 2008). "Foreword for Fuzz Testing Book". UW-Madison Computer Sciences. Retrieved 29 March 2024.
- ^ "Fuzz Testing of Application Reliability". University of Wisconsin-Madison. Retrieved 2020-12-30.
- ^ a b "Announcing ClusterFuzz". Retrieved 2017-03-09.
- ^ Perlroth, Nicole (25 September 2014). "Security Experts Expect 'Shellshock' Software Bug in Bash to Be Significant". The New York Times. Retrieved 25 September 2014.
- ^ Zalewski, Michał (1 October 2014). "Bash bug: the other two RCEs, or how we chipped away at the original fix (CVE-2014-6277 and '78)". lcamtuf's blog. Retrieved 13 March 2017.
- ^ Seltzer, Larry (29 September 2014). "Shellshock makes Heartbleed look insignificant". ZDNet. Retrieved 29 September 2014.
- ^ Böck, Hanno. "Fuzzing: Wie man Heartbleed hätte finden können (in German)". Golem.de (in German). Retrieved 13 March 2017.
- ^ Böck, Hanno. "How Heartbleed could've been found (in English)". Hanno's blog. Retrieved 13 March 2017.
- ^ "Search engine for the internet of things – devices still vulnerable to Heartbleed". shodan.io. Retrieved 13 March 2017.
- ^ "Heartbleed Report (2017-01)". shodan.io. Archived from the original on 23 January 2017. Retrieved 10 July 2017.
- ^ Walker, Michael. "DARPA Cyber Grand Challenge". darpa.mil. Retrieved 12 March 2017.
- ^ "Mayhem comes in first place at CGC". Retrieved 12 March 2017.
- ^ a b "Announcing Project Springfield". 2016-09-26. Retrieved 2017-03-08.
- ^ a b c d "Announcing OSS-Fuzz". Retrieved 2017-03-08.
- ^ Christopher Domas (August 2018). "GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUs". Retrieved 2018-09-03.
- ^ "Microsoft: Windows 10 is hardened with these fuzzing security tools – now they're open source". ZDNet. September 15, 2020.
- ^ "Microsoft open-sources fuzzing test framework". InfoWorld. September 17, 2020.
- ^ microsoft/onefuzz, Microsoft, 2024-03-03, retrieved 2024-03-06
- ^ Gerald M. Weinberg (2017-02-05). "Fuzz Testing and Fuzz History". Retrieved 2017-02-06.
- ^ Joe W. Duran; Simeon C. Ntafos (1981-03-09). A report on random testing. Icse '81. Proceedings of the ACM SIGSOFT International Conference on Software Engineering (ICSE'81). pp. 179–183. ISBN 9780897911467.
- ^ Joe W. Duran; Simeon C. Ntafos (1984-07-01). "An Evaluation of Random Testing". IEEE Transactions on Software Engineering (4). IEEE Transactions on Software Engineering (TSE): 438–444. doi:10.1109/TSE.1984.5010257. S2CID 17208399.
- ^ Andy Hertzfeld (2004). Revolution in the Valley:The Insanely Great Story of How the Mac Was Made?. O'Reily Press. ISBN 978-0596007195.
- ^ "Macintosh Stories: Monkey Lives". Folklore.org. 1999-02-22. Retrieved 2010-05-28.
- ^ "crashme". CodePlex. Retrieved 2021-05-21.
- ^ Michael Sutton; Adam Greene; Pedram Amini (2007). Fuzzing: Brute Force Vulnerability Discovery. Addison-Wesley. ISBN 978-0-321-44611-4.
- ^ Offutt, Jeff; Xu, Wuzhi (2004). "Generating Test Cases for Web Services Using Data Perturbation". Workshop on Testing, Analysis and Verification of Web Services. 29 (5): 1–10. doi:10.1145/1022494.1022529. S2CID 52854851.
- ^ Rebert, Alexandre; Cha, Sang Kil; Avgerinos, Thanassis; Foote, Jonathan; Warren, David; Grieco, Gustavo; Brumley, David (2014). "Optimizing Seed Selection for Fuzzing" (PDF). Proceedings of the 23rd USENIX Conference on Security Symposium: 861–875.
- ^ a b c Patrice Godefroid; Adam Kiezun; Michael Y. Levin. "Grammar-based Whitebox Fuzzing" (PDF). Microsoft Research.
- ^ a b c Van-Thuan Pham; Marcel Böhme; Abhik Roychoudhury (2016-09-07). "Model-based whitebox fuzzing for program binaries". Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering - ASE 2016. Proceedings of Automated Software Engineering (ASE'16). pp. 543–553. doi:10.1145/2970276.2970316. ISBN 9781450338455. S2CID 5809364.
- ^ a b c "Peach Fuzzer". Retrieved 2017-03-08.
- ^ Greg Banks; Marco Cova; Viktoria Felmetsger; Kevin Almeroth; Richard Kemmerer; Giovanni Vigna. SNOOZE: Toward a Stateful NetwOrk prOtocol fuzZEr. Proceedings of the Information Security Conference (ISC'06).
- ^ Osbert Bastani; Rahul Sharma; Alex Aiken; Percy Liang (June 2017). Synthesizing Program Input Grammars. Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2017). arXiv:1608.01723. Bibcode:2016arXiv160801723B.
- ^ "VDA Labs - Evolutionary Fuzzing System". Archived from the original on 2015-11-05. Retrieved 2009-05-14.
- ^ a b Ari Takanen; Jared D. Demott; Charles Miller (31 January 2018). Fuzzing for Software Security Testing and Quality Assurance, Second Edition. Artech House. p. 15. ISBN 978-1-63081-519-6. full document available (archived September 19, 2018)
- ^ a b Vijay Ganesh; Tim Leek; Martin Rinard (2009-05-16). "Taint-based directed whitebox fuzzing". IEEE. Proceedings of the ACM SIGSOFT International Conference on Software Engineering (ICSE'09).
- ^ Wang, T.; Wei, T.; Gu, G.; Zou, W. (May 2010). "TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection". 2010 IEEE Symposium on Security and Privacy. pp. 497–512. CiteSeerX 10.1.1.169.7866. doi:10.1109/SP.2010.37. ISBN 978-1-4244-6894-2. S2CID 11898088.
- ^ Patrice Godefroid; Michael Y. Levin; David Molnar (2008-02-08). "Automated Whitebox Fuzz Testing" (PDF). Proceedings of Network and Distributed Systems Symposium (NDSS'08).
- ^ Marcel Böhme; Soumya Paul (2015-10-05). "A Probabilistic Analysis of the Efficiency of Automated Software Testing". IEEE Transactions on Software Engineering. 42 (4): 345–360. doi:10.1109/TSE.2015.2487274. S2CID 15927031.
- ^ Nick Stephens; John Grosen; Christopher Salls; Andrew Dutcher; Ruoyu Wang; Jacopo Corbetta; Yan Shoshitaishvili; Christopher Kruegel; Giovanni Vigna (2016-02-24). Driller: Augmenting. Fuzzing Through Selective Symbolic Execution (PDF). Proceedings of Network and Distributed Systems Symposium (NDSS'16).
- ^ Marcel Böhme; Van-Thuan Pham; Abhik Roychoudhury (2016-10-28). "Coverage-based Greybox Fuzzing as Markov Chain". Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security (CCS'16). pp. 1032–1043. doi:10.1145/2976749.2978428. ISBN 9781450341394. S2CID 3344888.
- ^ Hamlet, Richard G.; Taylor, Ross (December 1990). "Partition testing does not inspire confidence". IEEE Transactions on Software Engineering. 16 (12): 1402–1411. doi:10.1109/32.62448.
- ^ Weyuker, Elaine J. (1 November 1982). "On Testing Non-Testable Programs". The Computer Journal. 25 (4): 465–470. doi:10.1093/comjnl/25.4.465.
- ^ Barr, Earl T.; Harman, Mark; McMinn, Phil; Shahbaz, Muzammil; Yoo, Shin (1 May 2015). "The Oracle Problem in Software Testing: A Survey" (PDF). IEEE Transactions on Software Engineering. 41 (5): 507–525. doi:10.1109/TSE.2014.2372785. S2CID 7165993.
- ^ "Clang compiler documentation". clang.llvm.org. Retrieved 13 March 2017.
- ^ "GNU GCC sanitizer options". gcc.gnu.org. Retrieved 13 March 2017.
- ^ Orso, Alessandro; Xie, Tao (2008). "BERT". Proceedings of the 2008 international workshop on dynamic analysis: Held in conjunction with the ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2008). ACM. pp. 36–42. doi:10.1145/1401827.1401835. ISBN 9781605580548. S2CID 7506576.
- ^ McKeeman, William M. (1998). "Differential Testing for Software" (PDF). Digital Technical Journal. 10 (1): 100–107. Archived from the original (PDF) on 2006-10-31.
- ^ Babić, Domagoj; Martignoni, Lorenzo; McCamant, Stephen; Song, Dawn (2011). "Statically-directed dynamic automated test generation". Proceedings of the 2011 International Symposium on Software Testing and Analysis. ACM. pp. 12–22. doi:10.1145/2001420.2001423. ISBN 9781450305624. S2CID 17344927.
- ^ a b Sesterhenn, Eric; Wever, Berend-Jan; Orrù, Michele; Vervier, Markus (19 Sep 2017). "Browser Security WhitePaper" (PDF). X41D SEC GmbH.
- ^ "Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros)". Microsoft. 15 Oct 2017. Retrieved 31 August 2018.
- ^ "CERT Triage Tools". CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University (CMU). Retrieved 14 March 2017.
- ^ "Microsoft !exploitable Crash Analyzer". CodePlex. Retrieved 14 March 2017.
- ^ "Test Case Reduction". 2011-07-18.
- ^ "IBM Test Case Reduction Techniques". 2011-07-18. Archived from the original on 2016-01-10. Retrieved 2011-07-18.
- ^ Zeller, Andreas; Hildebrandt, Ralf (February 2002). "Simplifying and Isolating Failure-Inducing Input". IEEE Transactions on Software Engineering. 28 (2): 183–200. CiteSeerX 10.1.1.180.3357. doi:10.1109/32.988498. ISSN 0098-5589. Retrieved 14 March 2017.
- ^ Hazimeh, Ahmad; Herrera, Adrian; Payer, Mathias (2021-06-15). "Magma: A Ground-Truth Fuzzing Benchmark". Proceedings of the ACM on Measurement and Analysis of Computing Systems. 4 (3): 49:1–49:29. arXiv:2009.01120. doi:10.1145/3428334. S2CID 227230949.
- ^ Li, Yuwei; Ji, Shouling; Chen, Yuan; Liang, Sizhuang; Lee, Wei-Han; Chen, Yueyao; Lyu, Chenyang; Wu, Chunming; Beyah, Raheem; Cheng, Peng; Lu, Kangjie; Wang, Ting (2021). {UNIFUZZ}: A Holistic and Pragmatic {Metrics-Driven} Platform for Evaluating Fuzzers. pp. 2777–2794. ISBN 978-1-939133-24-3.
- ^ Hazimeh, Herrera & Payer 2021, p. 1: "We evaluate seven widely-used mutation-based fuzzers (AFL, ...)".
- ^ Li et al. 2021, p. 1: "Using UniFuzz, we conduct in-depth evaluations of several prominent fuzzers including AFL, ...".
- ^ Hazimeh, Herrera & Payer 2021, p. 1: "We evaluate seven widely-used mutation-based fuzzers (..., AFL++, ...)".
- ^ Li et al. 2021, p. 1: "Using UniFuzz, we conduct in-depth evaluations of several prominent fuzzers including AFL, AFLFast, ...".
- ^ Li et al. 2021, p. 1: "Using UniFuzz, we conduct in-depth evaluations of several prominent fuzzers including AFL, ..., Angora, ...".
- ^ Hazimeh, Herrera & Payer 2021, p. 1: "We evaluate seven widely-used mutation-based fuzzers (..., honggfuzz, ...)".
- ^ Li et al. 2021, p. 1: "Using UniFuzz, we conduct in-depth evaluations of several prominent fuzzers including AFL, ..., Honggfuzz, ...".
- ^ Li et al. 2021, p. 1: "Using UniFuzz, we conduct in-depth evaluations of several prominent fuzzers including AFL, ..., QSYM, ...".
- ^ Hazimeh, Herrera & Payer 2021, p. 1: "We evaluate seven widely-used mutation-based fuzzers (..., and SymCC-AFL)".
- ^ Hazimeh, Herrera & Payer 2021, p. 14.
- ^ Li et al. 2021, p. 1: "Using UniFuzz, we conduct in-depth evaluations of several prominent fuzzers including AFL, ..., T-Fuzz, ...".
- ^ Li et al. 2021, p. 1: "Using UniFuzz, we conduct in-depth evaluations of several prominent fuzzers including AFL, ..., and VUzzer64.".
Further reading
- Nappa, A.; Blázquez, E. (2023). Fuzzing Against the Machine: Automate Vulnerability Research with Emulated IoT Devices on Qemu. Packt Publishing, Limited. ISBN 9781804614976. A comprehensive guide on automated vulnerability research with emulated IoT devices.
- Zeller, Andreas; Gopinath, Rahul; Böhme, Marcel; Fraser, Gordon; Holler, Christian (2019). The Fuzzing Book. Saarbrücken: CISPA + Saarland University. A free, online, introductory textbook on fuzzing.
- Ari Takanen, Jared D. DeMott, Charles Miller, Fuzzing for Software Security Testing and Quality Assurance, 2008, ISBN 978-1-59693-214-2
- Michael Sutton, Adam Greene, and Pedram Amini. Fuzzing: Brute Force Vulnerability Discovery, 2007, ISBN 0-321-44611-9.
- H. Pohl, Cost-Effective Identification of Zero-Day Vulnerabilities with the Aid of Threat Modeling and Fuzzing, 2011
- Fabien Duchene, Detection of Web Vulnerabilities via Model Inference assisted Evolutionary Fuzzing, 2014, PhD Thesis
- Bratus, S., Darley, T., Locasto, M., Patterson, M.L., Shapiro, R.B., Shubina, A., Beyond Planted Bugs in "Trusting Trust": The Input-Processing Frontier, IEEE Security & Privacy Vol 12, Issue 1, (Jan-Feb 2014), pp. 83–87—Basically highlights why fuzzing works so well: because the input is the controlling program of the interpreter.
External links
- Fuzzing Project, includes tutorials, a list of security-critical open-source projects, and other resources.
- University of Wisconsin Fuzz Testing (the original fuzz project) Source of papers and fuzz software.
- Designing Inputs That Make Software Fail, conference video including fuzzy testing
- Building 'Protocol Aware' Fuzzing Frameworks