Modern fuzz testing is one of the most effective methods to find bugs and vulnerabilities in software. It is so effective because it runs the application with dynamic inputs to provoke unexpected or erroneous behavior. Modern fuzzing engines can also retrieve feedback from previous inputs to generate new and more advanced fuzzing queries. They are optimized to improve your code coverage and detect all types of bug classes.
Since 2018, Code intelligence provides a platform for automated fuzz testing. Working closely together with industry and academia, the engineers at Code Intelligence were able to extend the reach of modern fuzz testing to a variety of different use cases. In this article, you will find an overview of some of the bug classes that the CI team found over the past years.*
* Please note that for confidential reasons, not all findings are included in this blog. If you are interested in a specific bug class, please contact our experts.
List of bugs and CWEs that CI Fuzz found in C/C++ software (click to enlarge)
Info Box: Fuzzing With Sanitizers
Some bugs can not be detected by fuzzing alone. To trigger these more complex vulnerabilities, you will have to use additional sanitizers. For example, ThreadSanitizer for race conditions, or AddressSanitizer for memory buffer errors. These sanitizers are software libraries that you compile into your code to make your program crash more often. The CI Fuzz testing platform can help you to set up and configure those sanitizers, in order to improve your code coverage. Click here to learn more about sanitizers.
Fuzz testing is also an effective approach for finding security vulnerabilities in memory-safe languages. With our fuzzing engine for Java, we regularly uncover all kinds of bugs in JVM-based customer projects. Here is a list of some typical bugs we find in Java applications:
Although our fuzzing engine already uncovers a large variety of different bug classes, we are constantly improving and fine-tuning our platform, to make security testing more usable and accessible for everyone. For an in-depth look at the tech that Code Intelligence offers, you can check out our product tour or download one of our sample bug reports.
CI Fuzz bug report [PDF]