fuzz testing == fuzzing - CS dept, cs.uwlax.edu/~riley/cs456s12/handouts/6.2_fuzzing.pdf

Slide 1: fuzz testing == fuzzing
“The original work was inspired by being logged on to a modem during a storm with lots of line noise. And the line noise was generating junk characters that seemingly were causing programs to crash. The noise suggested the term ‘fuzz’.” --Barton Miller
Definition (IEEE Standard Glossary of Software Engineering Terminology): "The degree to which a system or component can function correctly in the presence of invalid inputs or stressful environmental conditions."
The basic idea: [diagram: fuzzer]

Slide 2
What to fuzz?
- Complex data formats: image, sound, video, etc. files
- Protocols: network protocols (TCP/IP, HTTP, key exchange, SSL, etc.); database (SQL)
- object code / bytecode
- User-provided files
Two Types of Fuzzers
- Mutation Fuzzers: the "dumb" fuzzers
- Generative Fuzzers: intelligence comes with a price...
The basis of fuzzing... test cases

Slide 3
Why Fuzz?�
Mutation Fuzzers
What does the fuzzer do?
- bit flipping
- remove bit segments
- insert bit segments
- sometimes uses heuristics
[diagram: User -> fuzzer -> Mutated Test Case(s)]
Example: ______

Slide 4
Generative Fuzzers
What does the user specify?
- data model
- state model
[diagram: User -> fuzzer -> Mutated Test Case(s)]
Example: ________ fuzzer
Downside: complex to use
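To make the two slides above concrete, here is an added example (not part of the handout, and not any named fuzzer's code) that implements both kinds of fuzzer in miniature against a constructed target. The target is a toy parser for a made-up record format ("RC", a count byte, then count length-prefixed records) with a deliberate robustness bug: a truncated or over-declared buffer raises IndexError instead of the ValueError the parser uses for inputs it rejects on purpose. The mutation fuzzer applies exactly the three operators from the Mutation Fuzzers slide (bit flipping, removing a segment, inserting a segment) with no knowledge of the format. The generative fuzzer builds cases from a data model (layout plus the relation "count equals the number of records") and can deliberately break that relation, which is what the user-supplied model buys you. All names, the format and the seed are constructed for this illustration.

```python
"""Toy mutation and generative fuzzers against a constructed record parser."""
import random


# Constructed target: "RC" | count (u8) | count x [len (u8) | len bytes].
# Robustness bug: running off the end raises IndexError, not ValueError.
def parse_records(data: bytes) -> list:
    if data[:2] != b"RC":
        raise ValueError("bad magic")        # intentional rejection
    count = data[2]                          # IndexError on a 2-byte input
    pos = 3
    records = []
    for _ in range(count):
        length = data[pos]                   # IndexError if truncated here
        pos += 1
        records.append(data[pos:pos + length])
        pos += length
    return records


def make_rng(seed: int) -> random.Random:
    """Explicit, seeded RNG so any crashing case can be replayed."""
    return random.Random(seed)


# --- Mutation fuzzer ("dumb"): knows nothing about the format --------------

def flip_bits(data: bytes, rng: random.Random, n: int = 1) -> bytes:
    """Flip n random bits; the length never changes."""
    buf = bytearray(data)
    for _ in range(n):
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    return bytes(buf)


def remove_segment(data: bytes, rng: random.Random) -> bytes:
    """Delete a random contiguous slice of at least one byte."""
    start = rng.randrange(len(data))
    end = rng.randint(start + 1, len(data))
    return data[:start] + data[end:]


def insert_segment(data: bytes, rng: random.Random) -> bytes:
    """Splice 1..8 random bytes in at a random offset."""
    pos = rng.randint(0, len(data))
    chunk = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return data[:pos] + chunk + data[pos:]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One mutated test case: a randomly chosen operator applied to the seed."""
    op = rng.choice([flip_bits, remove_segment, insert_segment])
    return op(seed, rng)


# --- Generative fuzzer: builds cases from a data model ---------------------
# Data model: the layout above plus the relation "count == number of
# records".  Valid cases use boundary values for lengths; breaking the
# count relation declares one record more than is present.

BOUNDARY_U8 = (0, 1, 2, 127, 128, 255)


def generate_from_model(rng: random.Random, break_count_relation: bool = False) -> bytes:
    records = []
    for _ in range(rng.choice((0, 1, 2, 3))):
        body = bytes(rng.randrange(256) for _ in range(rng.choice(BOUNDARY_U8)))
        records.append(bytes([len(body)]) + body)   # len relation kept intact
    declared_count = len(records) + (1 if break_count_relation else 0)
    return b"RC" + bytes([declared_count]) + b"".join(records)


# --- Harness: separate clean rejections from real crashes ------------------

def run_campaign(cases, target=parse_records):
    summary = {"accepted": 0, "rejected": 0, "crashed": 0}
    crashes = []
    for case in cases:
        try:
            target(case)
            summary["accepted"] += 1
        except ValueError:
            summary["rejected"] += 1         # rejected on purpose: fine
        except Exception as exc:             # anything else is a robustness bug
            summary["crashed"] += 1
            crashes.append((case, repr(exc)))
    return summary, crashes


SEED = b"RC\x02\x03abc\x02xy"   # constructed valid seed: two records

if __name__ == "__main__":
    rng = make_rng(1)
    mut_summary, mut_crashes = run_campaign(mutate(SEED, rng) for _ in range(300))
    gen_summary, gen_crashes = run_campaign(
        generate_from_model(rng, break_count_relation=(i % 2 == 1)) for i in range(50))
    print("mutation  :", mut_summary)
    print("generative:", gen_summary)
    if mut_crashes:
        print("first crashing input:", mut_crashes[0])
```

The harness is where the "Correctness?" question from the next slide lives: the fuzzer only sees that an exception escaped, so the oracle here is "ValueError is a deliberate rejection, anything else is a bug". The mutation run finds the bug by luck (truncations and bit flips in the count byte), while the generative run reaches it on every case that breaks the count relation, which is the trade the two slides describe: more setup for more targeted cases.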
The Good, the Bad, & the Ugly
- Test the unusual
- Large number of test cases
- Complexity of input difficult to capture
- Tedious configuration
- Correctness?

Slide 5
Some "Fuzzy" Links
- Peach Fuzzer: http://peachfuzzer.com
- Jester: http://jester.sourceforge.net
- Taof (the art of fuzz testing): http://sourceforge.net/projects/taof
- zzuf Fuzzer: http://caca.zoy.org/wiki/zzuf