Why Should You Use Fuzzing?
Fuzz testing is a technology that helps you ship secure software fast by detecting security and stability issues in the earliest stages of the development process.
Fuzz testing is a dynamic testing method used for finding functional bugs and security issues in software. During a fuzz test, a program is executed with invalid, unexpected, or random inputs with the aim of crashing the application. This is a particularly effective approach to detecting bugs and security vulnerabilities in software.
Modern, effortless fuzzing solutions can analyze the structure of the code they are supposed to test. They can generate thousands of automated test cases per second and track the path each input takes through the program. This way the fuzzer gets detailed feedback about which code the inputs reach during execution.
Once a fuzzing solution has found an input that caused a crash, it uses mutation algorithms to generate further inputs that reproduce the finding with high probability.
Modern fuzzers execute a program with invalid, unexpected, or random inputs. This way you also cover unlikely or unexpected edge cases that you would not cover with other testing approaches.
Because fuzzers actually execute the software under test, they always provide you with inputs that you can use to reproduce the bug. That's why fuzzing enables you to reach up to 99% code coverage without any false positives. Fuzzing speeds up your development process and helps you ship more reliable and secure software.
Due to increasing security regulations, more and more software companies have to run automated security tests before shipping their software. That's why many industry and ISO standards recommend integrating automated fuzz testing into the development process, especially in industries that already have advanced quality and security regulations. Good examples are ISO/SAE 21434 and UNECE WP.29, which deal with the security of automotive software.
Fuzz testing finds bugs that other testing methods cannot detect. In November 2020, a serious DoS vulnerability was fixed in the source code of the Ethereum network thanks to advanced fuzz tests. In the wrong hands, this vulnerability (CVE-2020-28362) could have caused a complete shutdown of the Ethereum network. Although the memory-safe Golang module had already undergone extensive security testing, this vulnerability could only be found through fuzz testing.
Fuzz targets are small programs that test predefined API functions, similar to unit tests. However, the inputs are not provided by the developer but produced by fuzz generators. The generators are responsible for creating random mutations of inputs that are sent to the software under test (SUT). The delivery mechanism takes the inputs from the fuzz generator and feeds them to the SUT for execution.
Finally, the monitoring system keeps track of how the inputs are executed within the SUT and detects triggered bugs. It plays a critical part in the fuzzing process, since it also determines which types of vulnerabilities can be discovered during fuzzing.
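To make the four components concrete, here is a minimal harness written for this article (it is not code from the original page or from Code Intelligence): a constructed record parser as the SUT with a planted off-by-one bug, a fuzz target in the `TestOneInput(data)` shape that Atheris uses by convention, a mutation-based generator, and a delivery/monitoring loop that stops at the first unexpected exception and hands back the reproducing input. All function names are assumptions for this example; real fuzzers add coverage feedback on top of the plain mutation step shown here.

```python
import random
# SUT (constructed for this example): records are 1-byte length, payload,
# 1-byte checksum. The checksum read has a planted off-by-one bug.
def parse_record(data: bytes) -> tuple:
    if not data:
        raise ValueError("empty input")           # documented rejection
    n = data[0]
    if n > len(data) - 1:
        raise ValueError("truncated payload")     # documented rejection
    checksum = data[1 + n]   # BUG: no check that a checksum byte exists
    return n, data[1:1 + n], checksum
# Fuzz target: unit-test-like entry point whose input the generator supplies.
# ValueError is expected behaviour; any other exception is a finding.
def TestOneInput(data: bytes) -> None:
    try:
        parse_record(data)
    except ValueError:
        pass
# Fuzz generator: random byte-level mutations of a corpus input (coverage
# feedback, which Atheris/libFuzzer add on top of this, is omitted here).
def mutate(seed: bytes, rng: random.Random) -> bytes:
    b = bytearray(seed)
    pos = rng.randrange(len(b) + 1)
    op = rng.randrange(3)
    if op == 0:
        b.insert(pos, rng.randrange(256))         # insert a byte
    elif pos < len(b) and op == 1:
        b[pos] = rng.randrange(256)               # overwrite a byte
    elif pos < len(b):
        del b[pos]                                # delete a byte
    return bytes(b)
# Delivery and monitoring: feed generated inputs to the target and stop at
# the first unexpected exception, returning the input that reproduces it.
def fuzz(target, seeds, iterations=10000, rng_seed=1):
    rng = random.Random(rng_seed)                 # fixed seed: deterministic run
    corpus = list(seeds)
    for _ in range(iterations):
        data = mutate(rng.choice(corpus), rng)
        try:
            target(data)
        except Exception as exc:
            return data, exc                      # finding plus reproducer
        corpus.append(data)
    return None
def reproduces(target, data: bytes) -> bool:      # re-run a saved crash input
    try:
        target(data)
    except Exception:
        return True
    return False
```

Running `fuzz(TestOneInput, [b"\x02ab\x00"])` returns a short input such as `b"\x02ab"` together with the `IndexError` it triggers, which is exactly the reproducer a developer needs to fix the bug.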
If you are looking for a way to secure your software, there are a variety of testing approaches, such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), and Feedback-based Application Security Testing (FAST). Each of these methods has its advantages and disadvantages. We have collected some of them in the table below.
Fuzz Testing compared to other Application Security Testing approaches, such as SAST, DAST and IAST.
Since 2018, Code Intelligence has provided a platform for automated fuzz testing. Working closely with industry and academia, engineers at Code Intelligence have found thousands of bugs and extended the reach of modern fuzz testing to a variety of use cases. Here you will find an overview of some of the bug classes that the CI team has found over the past years.
The difference between black-box fuzzing and white-box fuzzing.
Developers can benefit from a whole range of open-source fuzzing tools. They are often specialized for specific use cases (e.g. kernel fuzzing) or programming languages. There are also a few commercial solutions that become relevant if you're working in larger development teams or DevOps environments. They usually come with more integrations and features, such as automated bug reporting, CI/CD and dev tool integration, Web API fuzzing, or OWASP vulnerability detection.
Open Source Fuzzers:
Try to start with an open-source fuzzer like Atheris (for Python) or Jazzer (for Java). Once you feel comfortable with the testing approach and want to try fuzzing in a more complex environment, there are plenty of enterprise solutions, like CI Fuzz, that come with many additional features like reporting, CI/CD, dev tool integration and Web API fuzzing. It’s really not that hard, and it will instantly improve your code quality.
Learn how every developer can secure any Java library in less than 3 minutes.