Menu

Fuzzing 101 – The Basics (FAQ)

August 26 2021

Many developers are already familiar with fuzz testing. But if you are kind of new to this topic, this article provides an overview of the current state of fuzzing technology and some tips on how it can be implemented.

What Is Fuzzing? 

Fuzzing is a dynamic testing method used for identifying bugs and vulnerabilities in software. It is mainly used for security and stability testing of the codebase. The software under test is fed with a series of inputs, which are purposefully mutated in the testing process.

The fuzzer then gets feedback about the code covered during the execution of inputs. Unlike security testing with just randomized inputs, feedback-based fuzzing explores the program state efficiently and discovers all kinds of bugs hidden deep within the code. 

Why Is Fuzzing (Especially) Useful for Security Testing? 

There are some characteristics that make fuzzing extremely useful for security testing. Here is why:

  • Fuzzing is an almost completely automated testing approach.
  • Fuzzing can be used for black-box AND white-box testing (on the source code).
  • Fuzzing does not only detect the vulnerabilities but also provides you with the dynamic inputs that caused the error messages.
  • Fuzzing identifies bugs reliably without false positives.

What Is Feedback-Based Fuzzing? 

Modern fuzzing engines use smart algorithms tailoring the input to increase the amount of code that is tested with the fuzzer. The commonly used term for this is feedback-driven or feedback-based fuzzing. 

Feedback-based fuzzing uses code coverage information when generating new inputs. Due to measuring code coverage, the fuzzer can monitor which parts of the program were reached with a given input and reach other program parts by generating similar inputs with random but small changes. 

Fuzzing C/C++

Since fuzzing is tremendously effective at securing Memory Corruptions and other C/C++-typical vulnerabilities, it is highly popular among C/C++ developers.  Google's open-source fuzzer OSS-Fuzz, was able to single-handedly uncover over 50 000 bugs in 300+ open-source applications, in just three years. The majority of these applications were written in C/C++. However, the great track record of C/C++-fuzzing, caused some people to falsely assume that finding memory corruptions in C/C++ is the only thing that fuzzing is good at. 

Fuzzing Java, Kotlin & Go

The false belief that fuzzing is only useful to uncover memory-corruptions in C/C++ has long been debunked. While it might have been true at one point in time, fuzzing is nowadays used in a variety of memory-safe languages, such as Java, Kotlin, and Go. At Code Intelligence, we open-sourced our very own Java fuzzer, Jazzer, which has since been integrated into Google's OSS-Fuzz.

Another misconception surrounding memory-safe languages is that they are inherently secure. Yes, memory-safe languages use runtime error prevention mechanisms, which basically make them immune to memory corruptions. However, there is a variety of other bug classes that endanger memory-safe languages such as Cross-Site-Scripting (XXS), Denial-of-Services (DoS) and Wrong Handled Exceptions, just to name a few.

How to Set Up Continuous Fuzzing

The effort required to set up a continuous fuzzing cycle with open-source fuzzers is often underestimated. It requires a huge amount of manual configuration and maintenance, while usually not delivering the same results as an enterprise solution. With an enterprise solution, the set-up can be done much faster by simply following an installation manual.

Debugging After a Fuzz Test

Modern fuzzing tools enable debugging with a few simple clicks. Since the code is executed during fuzz testing, the crashing input can easily be identified. As presented below, modern fuzzing platforms can immediately take users to the section of the code and set break-points in the stack trace, which enables effortless debugging.

Debugging Software

Fuzzing for DevOps Teams

If you are interested in an enterprise fuzzing solution, our fuzzing platform CI Fuzz might be just the right thing for you. CI Fuzz can easily be integrated into your CI/CD, where it enables developers to fuzz and debug your code continuously.

Learn More

 

What's Next? - Fuzz Your First Application

This article summarized the basics of fuzz testing. Now you'll probably want to get hands-on experience yourself. But where to start? I would recommend beginning with fuzzing a couple of open-source projects first. This way, you can familiarize yourself with the technology and contribute to the community.

Watch CI Fuzz Demo

You can follow this tutorial by Patrick Ventuzelo, who fuzzed a popular open-source project (JSoup), with Jazzer, a coverage guided fuzzer for JVM based languages (Java, Kotlin, etc.).  

Video: Fuzzing Java code (JSoup) using Jazzer fuzzer

Recent Posts

One Year of Fuzzing and Fixing Suricata

Autofuzz: Fuzzing Without Writing Fuzz Targets or Harnesses

Fuzzing 101 – The Basics (FAQ)

19 Bugs in Jsoup Found With Jazzer

Share Article

Subscribe to updates