fuzz testing == fuzzing - CS Dept, cs.uwlax.edu/~riley/cs456s12/handouts/6.2_fuzzing.pdf


Page 1

fuzz testing == fuzzing

“The original work was inspired by being logged on to a modem during a storm with lots of line noise. And the line noise was generating junk characters that seemingly were causing programs to crash. The noise suggested the term ‘fuzz’.” --Barton Miller

Defn (IEEE Standard Glossary of Software Engineering Terminology): “The degree to which a system or component can function correctly in the presence of invalid inputs or stressful environmental conditions.”

The basic idea (diagram): fuzzer

Page 2

What to fuzz?

- Complex data formats: image, sound, video, etc. files
- Protocols: network protocols (TCP/IP, http, key exchange, SSL, etc.), database (SQL)
- object code / bytecode
- User-provided files

Two Types of Fuzzers

- Mutation Fuzzers: the “dumb” fuzzers
- Generative Fuzzers: intelligence comes with a price…

The basis of fuzzing… test cases

Page 3

Why Fuzz?

Mutation Fuzzers

What does the fuzzer do?
- bit flipping
- remove bit segments
- insert bit segments
- sometimes uses heuristics

(diagram) User -> fuzzer -> Mutated Test Case(s)

Example: ______
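As an added example (not code from the handout), a minimal mutation fuzzer in Python that implements the operations this slide lists, bit flipping, removing a segment and inserting a segment, plus one boundary-value heuristic, and runs them against a constructed toy target `parse_record` whose bug is that it trusts a length prefix; the seed test case and the target are assumptions made for illustration.

```python
import random


def flip_bit(data, rng=None):
    """Flip one randomly chosen bit (the slide's "bit flipping")."""
    rng = rng or random.Random()
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    return bytes(buf)


def remove_segment(data, rng=None, max_len=4):
    """Delete a random contiguous run of bytes (the slide's "remove bit segments")."""
    rng = rng or random.Random()
    if len(data) < 2:
        return data
    n = rng.randint(1, min(max_len, len(data) - 1))
    start = rng.randrange(len(data) - n + 1)
    return data[:start] + data[start + n:]


def insert_segment(data, rng=None, max_len=4):
    """Splice random bytes in at a random offset (the slide's "insert bit segments")."""
    rng = rng or random.Random()
    start = rng.randrange(len(data) + 1)
    junk = bytes(rng.getrandbits(8) for _ in range(rng.randint(1, max_len)))
    return data[:start] + junk + data[start:]


def boundary_value(data, rng=None):
    """Simple heuristic: overwrite one byte with a value parsers often mishandle."""
    rng = rng or random.Random()
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    return bytes(buf)


def parse_record(data):
    """Constructed toy target: 1-byte length prefix, payload, then one check byte.
    Bug: the declared length is trusted, so a short buffer raises IndexError."""
    n = data[0]
    return data[1:1 + n], data[1 + n]


def fuzz(seed, target, iterations, rng_seed=0):
    """Mutation-fuzz `target` from `seed`; return (input, exception name) pairs."""
    rng = random.Random(rng_seed)
    failures = []
    for _ in range(iterations):
        case = rng.choice([flip_bit, remove_segment, insert_segment, boundary_value])(seed, rng)
        try:
            target(case)
        except Exception as exc:
            failures.append((case, type(exc).__name__))
    return failures
```

Each mutation is applied to a fresh copy of the seed, so one run shows which single edits the toy parser cannot tolerate; a real harness would also record the crashing input for reproduction.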

Page 4

Generative Fuzzers

What does the user specify?
- data model
- state model

(diagram) User -> fuzzer -> Mutated Test Case(s)

Example: ________ fuzzer

Downside – complex to use

The Good, the Bad, & the Ugly
- Test the unusual
- Large number of test cases
- Complexity of input difficult to capture
- Tedious configuration
- Correctness?

Page 5

Some “Fuzzy” Links

- Peach Fuzzer: http://peachfuzzer.com
- Jester: http://jester.sourceforge.net
- Taof (the art of fuzz testing): http://sourceforge.net/projects/taof
- zzuf Fuzzer: http://caca.zoy.org/wiki/zzuf