FUZZING: Automating Bug Detection
Sometimes hacking isn’t about taking a program apart: It’s about throwing random objects at it to see what breaks.
What is Fuzzing?
Fuzzing is the art of automatic bug detection. It is an automated process of finding hackable software bugs by randomly feeding different permutations of data into a target program until one of those permutations reveals a vulnerability.
The goal of fuzzing is to stress the application by throwing invalid, unexpected, or random data as inputs and cause unexpected behavior, resource leaks, or crashes.
Threat actors use fuzzing to find zero-day exploits — this is known as a fuzzing attack. Security professionals, on the other hand, leverage fuzzing techniques to assess the security and stability of applications.
Why do we need Fuzz Testing?
- Fuzzing is highly useful for developers. The role of developers is to develop and improve product features. While traditional security tools only point out flaws, fuzzers show the result of the flaw and demonstrate the impact of solving it.
- Fuzzing does not just identify the problem, it also shows the cause of the problem and how an attacker may interact with it in a real-life attack.
- Fuzzing proves a vulnerability exists, identifying problems without having to sift through false positives.
- Fuzzing is fully automated, and can run independently for days or even weeks, identifying more and more vulnerabilities in a system under test.
Types of Fuzzing Applications
Fuzzing applications are useful because they help automate the following activities:
- Mutation: This is where the application takes existing user input and then alters it slightly. As a result, the fuzzer can create new conditions and input them hundreds of times a second. By mangling user input and throwing it at the server, the fuzzer helps red teamers, blue teamers and programmers become confident that an application can handle multiple forms of abuse.
- Protocol Modification: Instead of modifying existing input, generation-based fuzzing delves deeply into the protocols used. It then generates random traffic based on the traffic it discovers.
How Does Application Fuzzing Work?
As we established above, fuzzing software is a great tool capable of finding zero-day vulnerabilities, but how does a fuzzer work?
1. Generating Test Cases
First, test cases are generated. Each security test case can be generated as a random, or semi-random data set, and then sent as input to the application.
The data set can be either generated in conformance to the format requirements of the system’s input, or as a completely malformed chunk of data the system was not meant to understand or process.
What do you think would happen to an application if negative numbers, null characters, or even special characters, were sent to some input fields? Do you know how your application would behave?
2. Interfacing with the Target to Deliver the Input
While fuzz testing, a fuzzer can interface with an application, a protocol, or a file format. While doing that, a fuzzer sends test cases to the target over the network or via a command-line argument of a running application.
Imaginative use cases can reveal ways to expose a relevant piece of code with the right specific data.
3. Monitoring the System to Detect Crashes
The success of a fuzz test is measured by the ability to confirm the impact that a fuzzer has on the targeted application.
What Can Fuzzing Applications Catch?
Fuzzing applications can catch anything that a talented analyst or programmer can catch. At least, that’s the intention.
The usual things that fuzzers look for include:
- Invalid (or, unexpected) input
- Conditions that lead to injection attacks
- Memory leaks, where an application exposes how a system is allocating memory
- Information leakage, where an application reveals the inner workings of its own operations or the operations of the server where it resides
- Cross-domain scripting, where an application forces a victim (e.g., your browser) to send an HTTP request to a target destination without the victim’s knowledge, resulting in the leakage of sensitive information (e.g., usernames and passwords) or other data that compromises devices and servers
Adding AI promises to make the tools easier to use and more flexible.
So in the end, is fuzzing a hack, an art, or a science? Well, in practice, it is a bit of all three, depending on the situation or technique used.
The bottom line is this: If you develop software that may process untrusted inputs (that an attacker could control) and have never used fuzzing, you probably should!
Happy Fuzzing!
