What is Fuzzing?

[Figure: Example of fuzzing an image parser application]

Modern Fuzzing

Modern fuzzing is used for security and stability testing of a codebase. The software under test is fed a series of inputs that are purposefully mutated during the test run, and the fuzzer receives feedback about which code each input executed. Obtaining that feedback requires instrumenting the target, either at compile time or, for binaries without source, through dynamic binary translation. Unlike traditional black-box fuzzing, feedback-based fuzzing uses this signal to explore the program's state space efficiently and to discover bugs hidden deep in the code.
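The loop below is an added example, not code from this page or from CI Fuzz: it implements the feedback-based fuzzing described above in Python against a constructed toy image-header parser. The header layout, the planted bug, the edge IDs the parser records and the seed input are all assumptions made for the illustration; in a real setup the edge IDs come from compile-time or binary instrumentation rather than from the target's own code.

```python
import random
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set

HEADER_MAGIC = b"IMG1"


class ParserCrash(Exception):
    """Stands in for a real crash (signal or sanitizer report) in the target."""


def parse_image(data: bytes, trace: Set[str]) -> int:
    """Constructed toy parser. Layout: IMG1 | width u16 | height u16 | depth u8 | flags u8 | 2 reserved | pixels.
    Returns the pixel byte count the header claims; every branch adds an edge ID to `trace`
    (this models the coverage feedback a fuzzer gets from instrumentation)."""
    trace.add("entry")
    if len(data) < 12 or data[:4] != HEADER_MAGIC:
        trace.add("bad_magic")
        return 0
    trace.add("magic_ok")
    width, height = struct.unpack("<HH", data[4:8])
    depth, flags = data[8], data[9]
    if depth not in (8, 24, 32):
        trace.add("bad_depth")
        return 0
    trace.add(f"depth_{depth}")
    expected = width * height * (depth // 8)
    if len(data) - 12 < expected:
        trace.add("short_payload")
        return 0
    trace.add("payload_ok")
    if depth == 32 and flags & 1:                  # RGBA rows use a fixed 16K-entry row table
        trace.add("rgba_rows")
        if width > 0x4000:                         # planted bug: index is never bounds-checked
            trace.add("row_table_overflow")
            raise ParserCrash(f"row table index {width} out of range")
    return expected


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Dumb byte-level mutations: overwrite, insert or delete a byte, one to three times."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        roll = rng.random()
        if roll < 0.7 and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif roll < 0.85:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif len(buf) > 1:
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


@dataclass
class FuzzResult:
    crash: Optional[bytes]
    iterations: int
    corpus: List[bytes] = field(default_factory=list)
    edges: Set[str] = field(default_factory=set)


def run_fuzzer(seed: int = 1, iterations: int = 50_000, feedback: bool = True) -> FuzzResult:
    """Fuzz loop. With feedback=True an input that reaches a new edge joins the corpus and
    becomes a parent for later mutations; with feedback=False only the seed is ever mutated,
    which is what a black-box fuzzer does."""
    rng = random.Random(seed)
    corpus = [HEADER_MAGIC + bytes(8)]             # seed: valid header, zero size, no pixels
    edges: Set[str] = set()
    parse_image(corpus[0], edges)
    for i in range(1, iterations + 1):
        child = mutate(rng.choice(corpus), rng)
        trace: Set[str] = set()
        try:
            parse_image(child, trace)
        except ParserCrash:
            return FuzzResult(child, i, corpus, edges)
        if feedback and not trace <= edges:        # new edge reached: keep the input
            edges |= trace
            corpus.append(child)
    return FuzzResult(None, iterations, corpus, edges)


def reproduces(data: bytes) -> bool:
    """True if `data` crashes the parser on replay, which is the check to run before reporting."""
    try:
        parse_image(data, set())
    except ParserCrash:
        return True
    return False


if __name__ == "__main__":
    for mode in (True, False):
        res = run_fuzzer(feedback=mode)
        print(f"feedback={mode}: crash={res.crash!r} after {res.iterations} inputs, "
              f"{len(res.edges)} edges, corpus size {len(res.corpus)}")
```

The bug needs three header conditions at once (depth 32, the RGBA flag, and a width above 0x4000). With feedback on, each condition is discovered separately because the input that first reaches it is kept and mutated further, so the crash typically appears after a few thousand inputs; with feedback off, the same budget usually runs out, since a single random mutation of the seed would have to satisfy all three conditions in one step.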


Practical Limitations of Fuzzing

Fuzzing is hard to integrate into existing development environments: the integration requires both fuzzing expertise and domain knowledge of the software under test. Existing tools are usually written by fuzzing experts for other fuzzing experts and are therefore hard to use. These limitations encouraged us to create a solution for developers and experts alike.


Fuzzing in Standards

Fuzzing is recommended by various industry standards and norms, and is often even mandatory.

  • ISO/IEC/IEEE 29119
    Software and systems engineering – Software testing
  • ISO/IEC 12207
    Systems and software engineering – Software life cycle processes
  • ISO 27001
    Information technology – Security techniques – Information security management systems
  • ISO 22301
    Security and resilience – Business continuity management systems
  • IT-Grundschutz (Germany)
    Based on ISO 27001
  • and others


Advanced Technology

CI Fuzz is based on advanced technology and comes with convincing features and a usable design.
  • Feedback-based fuzzing
    based on instrumentation for common processor architectures
  • Support for the most important architectures
    such as x86/x86-64, ARM, AArch64, MIPS or MIPS64
  • No reliance on source code
    based on advanced binary translation and instrumentation techniques
  • Scalability
    by running tests in virtual environments
  • Effortless fuzzing via different interfaces
    such as networks, files and devices
  • Virtualization and platform-agnostic
    due to the use of QEMU (customizable virtualization software)
  • Simulation of widely used peripherals
    such as WiFi, Bluetooth, CAN bus or serial interfaces
  • Low false-positive rate
    because findings come from actually executing the code rather than from static analysis based on patterns and data flows
  • Structure-aware fuzzing
    to trigger deep states in programs that use custom data types, such as network protocols. CI Fuzz comes with a set of predefined structures for several formats and protocols (JSON/XML/YAML/CSV/...).
  • Stateful fuzzing
    Support for fuzzing stateful applications that require an exchange of several messages of a given format to trigger deep states in the code.
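The script below is an added example for the structure-aware fuzzing item above; it is not code from this page or from CI Fuzz, and its schema, request handler, planted division-by-zero bug, interesting-value lists and seed request are assumptions made for the illustration rather than CI Fuzz's predefined structures. It compares blind byte mutation of a serialized JSON request with field-level mutation of the decoded object: the byte mutator mostly produces unparsable input and can never add a field the seed lacks, while the structure-aware mutator always yields valid JSON and so exercises the logic behind the parser.

```python
import json
import random
from dataclasses import dataclass, field
from typing import Dict, Optional

# The "predefined structure" (constructed): field names and types the target expects.
SCHEMA = {"cmd": str, "width": int, "height": int, "quality": int}
INTERESTING_INTS = [0, 1, -1, 255, 2**31 - 1, 2**32, -(2**63)]
INTERESTING_STRS = ["", "resize", "A" * 1024, "../../etc/passwd", "\u0000"]
SEED_REQUEST = {"cmd": "resize", "width": 640, "height": 480}


def handle_request(raw: bytes) -> str:
    """Constructed target: a JSON 'resize' request handler with a planted bug.
    Returns an outcome label; an uncaught exception is what the fuzzer counts as a crash."""
    try:
        msg = json.loads(raw)
    except ValueError:                      # covers JSONDecodeError and UnicodeDecodeError
        return "reject:parse"
    if not isinstance(msg, dict) or msg.get("cmd") != "resize":
        return "reject:cmd"
    w, h = msg.get("width"), msg.get("height")
    if not all(type(v) is int and v > 0 for v in (w, h)):   # type() so that bools are rejected
        return "reject:dims"
    if w * h > 1 << 24:
        return "reject:too_big"
    q = msg.get("quality", 75)
    if type(q) is not int or q > 100:
        return "reject:quality"
    _step = 100 // q                        # planted bug: quality == 0 is never rejected
    return "ok"


def mutate_bytes(data: bytes, rng: random.Random) -> bytes:
    """Blind mutation: overwrite one byte, knowing nothing about the JSON structure."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def mutate_structured(msg: dict, rng: random.Random) -> bytes:
    """Structure-aware mutation guided by SCHEMA: drop, set or retype one field, then
    re-serialize, so every output passes the JSON parser and reaches the handler logic."""
    m = dict(msg)
    key = rng.choice(list(SCHEMA))
    roll = rng.random()
    if roll < 0.2:
        m.pop(key, None)                                   # missing field
    elif roll < 0.6 or key not in m:                       # interesting value of the right type
        m[key] = rng.choice(INTERESTING_INTS if SCHEMA[key] is int else INTERESTING_STRS)
    else:                                                  # wrong type for the field
        m[key] = rng.choice(INTERESTING_STRS if SCHEMA[key] is int else INTERESTING_INTS)
    return json.dumps(m).encode()


@dataclass
class Campaign:
    outcomes: Dict[str, int] = field(default_factory=dict)
    crash: Optional[bytes] = None
    first_crash_at: Optional[int] = None


def run_campaign(strategy: str, seed: int = 7, iterations: int = 2000) -> Campaign:
    """Run one mutation strategy ('bytes' or 'structure') against the seed request."""
    rng = random.Random(seed)
    seed_bytes = json.dumps(SEED_REQUEST).encode()
    result = Campaign()
    for i in range(1, iterations + 1):
        if strategy == "bytes":
            candidate = mutate_bytes(seed_bytes, rng)
        else:
            candidate = mutate_structured(SEED_REQUEST, rng)
        try:
            outcome = handle_request(candidate)
        except Exception as exc:               # any uncaught exception is a finding
            outcome = f"crash:{type(exc).__name__}"
            if result.crash is None:
                result.crash, result.first_crash_at = candidate, i
        result.outcomes[outcome] = result.outcomes.get(outcome, 0) + 1
    return result


def crashes(raw: bytes) -> bool:
    """Replay check: True if the handler raises on `raw`."""
    try:
        handle_request(raw)
    except Exception:
        return True
    return False


if __name__ == "__main__":
    for strategy in ("bytes", "structure"):
        c = run_campaign(strategy)
        print(strategy, c.outcomes, "first crash:", c.crash, "at", c.first_crash_at)
```

The planted bug sits behind an optional field that the seed request does not contain, which is exactly the kind of deep state the bullet above refers to: the byte-level run never gets there, whereas the field-level run finds the crash within the first few hundred requests because "set quality to an interesting integer" is one of its moves. The same idea extends to the stateful case by mutating a sequence of such messages rather than a single one.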
Technology Stack