Menu

What is Fuzzing?

Example of an image parser fuzz test

Example: Fuzzing an image parser application

Modern Fuzzing

Modern fuzzing is used for security and stability testing of the codebase. The software under test is fed with a series of inputs, which are purposefully mutated in the testing process. The testing tool gets feedback about the code covered during the execution of inputs. Unlike traditional or black-box fuzzing, feedback-based fuzzing explores the program state efficiently and discovers bugs hidden deep in the code.

Learn more about Fuzzing

Practical Limitations of Fuzzing

Fuzzing is hard to integrate into existing development environments. The integration requires fuzzing and domain knowledge. Existing tools are usually from fuzzing experts for other fuzzing experts and therefore hard to use. These limitations have encouraged us to create a solution for developers and experts alike.

Learn more about CI Fuzz
The pros and cons of fuzzing

Fuzzing in Standards

Fuzzing is recommended by various industry standards and norms - often even mandatory.

  •  
  • ISO/IEC/IEEE 29119
    Software and systems engineering - Software testing
  • ISO/IEC 12207
  • Systems and software engineering – Software life cycle processes
  • ISO 27001
    Information technology – Security techniques – Information security management systems
  • ISO 22301
    Security and resilience — Business continuity management systems
  • IT-Grundschutz (Germany)
    Based on ISO 27001
  • and others

Bugs & Vulnerabilities found with Fuzzing:

fuzz testing for Microsoft fuzz testing for linux fuzz testing for chrome

History of Modern Fuzzing

First Introduction of Fuzzing

  • Generation of random inputs
  • Monitoring for crashes, failed built-in code assertions or memory leaks
  • Takes very long to find complex or deeply hidden bugs in the program

1980

AFL Introduced Modern Fuzzing

  • Introduction of feedback-based fuzzing to academia
  • Uses not only randomized inputs but also intelligent algorithms to generate inputs
  • Increased code coverage significantly

2015

Modern Fuzzing Superior in Bug Discovery

  • With modern fuzzing, countless bugs and vulnerabilities have been discovered
  • Google finds 80 % of its bugs with fuzzing alone 16,000 in Google Chrome
  • 11,000 bugs in 160 open source projects

2019

CI Fuzz Platform

  • Until today, fuzzing could only be used by experts
  • CI Fuzz enables experts and developers alike to use fuzzing
  • Unique combination of the latest breakthrough technologies

2020

Advanced Technology

CI Fuzz is based on advanced technology and comes with convincing features and usable design.
  • Feedback-based fuzzing
    based on instrumentations for common -processor -architectures
  • Support for the most important -architecture
    such as X86/64, ARM, AARCH64, MIPS or MIPS64
  • No reliance on source code
    based on advanced binary translation and -instrumentation techniques
  • Scalability
    of running tests in virtual environment
  • Effortless Fuzzing via -different -interfaces
    like networks, files, and devices
  • Virtualization and platform-agnostic
    due to the usage of QEMU (customizable -virtualization software)
  • Simulation of widely used peripherals
    such as WIFI, Bluetooth, CANBus or Serial interfaces
  • Low false-positive rate
    due to actual execution of the code rather than -static analysis based on patterns and data flows
  • Structure-aware fuzzing
    to trigger deep states in programs that use custom data types such in network protocols. CI Fuzz comes with a set of predefined structures to handle several formats and protocols (JSON/XML/YAML/CSV/...).
  • Stateful fuzzing
    Support for fuzzing stateful applications that require exchange of several messages of a given format to trigger deep states in the code. 
Technology Stack

Get a live demo of how feedback-based fuzzing works!

Get Started