Fuzzing: To Find Software Vulnerabilities

The main goal of this approach is to find vulnerabilities before an actual attacker does. "Fuzzing" comes from the idea of generating randomized input that would typically not come up during normal operation of a system.

As we give it unexpected (potentially malicious) input, we may be able to coerce the application into providing us error messages that can be used to gain insight about its inner workings, or running branches of code that set the system in a vulnerable state that can later be exploited.

As you generate and feed those inputs to a system, you must carefully interpret the responses, as an attacker would, to see what kind of error arises and assess the state of the system. Tools that can tell whether a set of output error messages indicates an exploitable condition already exist, so most of the work focuses on generating system-specific inputs that would expose a vulnerability in a reasonable amount of time.

There are three main fuzzing methods, which differ essentially in the input-generation technique they use:

  • Mutation-based Fuzzing
  • Generation-based Fuzzing
  • Adaptive-based Fuzzing


Mutation-based Fuzzing

The input is generated by taking existing data (test cases, logs or user sessions) and simply adding anomalies to it.

Advantages:

  • Does not require any knowledge about the system's code or architecture.

Disadvantages:

  • Easily caught by default input validation.

  • Input generation is dependent on existing input.


Generation-based Fuzzing

The input is generated from a specification or some description of what good input looks like.

Advantages:

  • Knowledge about the kinds of input accepted by the application may reduce the amount of effort needed to find a vulnerability.

Disadvantages:

  • Takes additional time to set up.
  • Building an input generator from a specification is more complicated than just adding anomalies to an initial input.


Adaptive-based Fuzzing

The input is tweaked iteratively, based on the system's code and architecture and on careful interpretation of the responses induced by previous inputs.

Advantages:

  • Targets parts of the code that might not have been carefully tested.
  • Exposes misconfigured permissions and anomalous states.

Disadvantages:

  • Takes significantly longer.
  • Requires a lot more effort than the previous methods.
  • Code analysis tools may be needed to make clear what kind of input has potential to subvert the application.
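The three methods above, as an added example in Python that is not part of the original article: one small parser with two constructed bugs, a harness that treats the parser's own ValueError rejections as expected behaviour and any other exception as a finding, and one input generator per method: mutation of a seed record, generation from the (assumed) record format with a chosen anomaly, and an adaptive loop that uses branch coverage as the "response" deciding which inputs are worth mutating further. The record format, the HANDLERS table and both planted bugs are assumptions made for illustration only.

```python
"""Three fuzz-input generation strategies against one small parser with two
planted bugs. Added example, not code from the original article; the record
format, the parser and the bugs are constructed for illustration."""
import random

# Constructed record format: byte 0 magic 0x46 ('F'); byte 1 payload length n
# (0..64); n payload bytes; one trailer byte = sum(payload) & 0xFF. A payload
# of "!" plus an op byte dispatches to HANDLERS[op].
HANDLERS = ["ping", "pong"]
_branches = []                      # branch ids hit during the current run

def hit(branch):
    _branches.append(branch)

def parse_record(data):
    hit("enter")
    if len(data) < 2 or data[0] != 0x46:
        hit("bad-header"); raise ValueError("bad header")
    n = data[1]
    if n > 64:
        hit("too-long"); raise ValueError("length too large")
    payload = data[2:2 + n]
    if len(payload) != n:
        hit("truncated"); raise ValueError("truncated payload")
    hit("length-ok")
    # Bug A (planted): assumes the trailer byte exists; IndexError when missing
    if data[2 + n] != sum(payload) & 0xFF:
        hit("bad-checksum"); raise ValueError("checksum mismatch")
    hit("valid")
    if payload[:1] == b"!":
        hit("command")
        return HANDLERS[payload[1]]  # Bug B (planted): unchecked index
    return payload

def run(data):
    """Return (branches hit, crash). A ValueError is the parser's expected
    rejection; any other exception is a finding to triage."""
    _branches.clear()
    try:
        parse_record(data)
    except ValueError:
        pass
    except Exception as exc:
        return list(_branches), (type(exc).__name__, data)
    return list(_branches), None

def fuzz(generate, iterations, rng_seed=0):
    """Drive one generator with a fixed RNG seed (reproducible runs); dedupe
    crashes by (exception name, last branch hit)."""
    rng, crashes = random.Random(rng_seed), {}
    for _ in range(iterations):
        data = generate(rng)
        branches, crash = run(data)
        if crash:
            crashes.setdefault((crash[0], branches[-1]), data)
    return crashes

# 1. Mutation-based: take real data and add anomalies to it
SEED_INPUT = bytes([0x46, 3]) + b"abc" + bytes([sum(b"abc") & 0xFF])

def mutate(seed_input, rng):
    data = bytearray(seed_input)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(3)
        if op == 0 and data:                       # overwrite a byte
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 1:                              # insert a byte
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
        elif data:                                 # delete a byte
            del data[rng.randrange(len(data))]
    return bytes(data)

def mutation_fuzz(seed_input, iterations, rng_seed=0):
    return fuzz(lambda r: mutate(seed_input, r), iterations, rng_seed)

# 2. Generation-based: build inputs from the format spec, then inject an anomaly
def generate_record(rng):
    if rng.random() < 0.5:
        payload = b"!" + bytes([rng.randrange(256)])          # command form
    else:
        payload = bytes(rng.randrange(256) for _ in range(rng.randint(0, 8)))
    record = bytes([0x46, len(payload)]) + payload + bytes([sum(payload) & 0xFF])
    anomaly = rng.choice(["none", "none", "wrong-length", "no-trailer"])
    if anomaly == "wrong-length":
        record = bytes([0x46, rng.randrange(256)]) + record[2:]
    elif anomaly == "no-trailer":
        record = record[:-1]
    return record

# 3. Adaptive: coverage feedback decides which inputs are worth mutating further
def adaptive_fuzz(seed_input, iterations, rng_seed=0):
    rng = random.Random(rng_seed)
    corpus, seen, crashes = [seed_input], set(run(seed_input)[0]), {}
    for _ in range(iterations):
        data = mutate(rng.choice(corpus), rng)
        branches, crash = run(data)
        if crash:
            crashes.setdefault((crash[0], branches[-1]), data)
        if not set(branches) <= seen:              # new branch: keep the input
            seen |= set(branches)
            corpus.append(data)
    return crashes, seen, corpus

if __name__ == "__main__":
    print("mutation  :", sorted(mutation_fuzz(SEED_INPUT, 1000, 1)))
    print("generation:", sorted(fuzz(generate_record, 1000, 2)))
    crashes, seen, _ = adaptive_fuzz(SEED_INPUT, 2000, 3)
    print("adaptive  :", sorted(crashes), "| branches:", sorted(seen))
```

Each run uses a fixed RNG seed so that any crash it reports can be reproduced from the saved input. The mutation fuzzer finds the missing-trailer bug quickly but almost never the command-dispatch bug, because random byte edits rarely leave the checksum valid; the generator, which knows the format, reaches both. The adaptive loop's `seen` set records which branches the campaign actually exercised, which is the first thing to check before concluding that a target is clean rather than merely under-explored.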

