review articles
FUZZING, OR FUZZ TESTING, is the process of finding security vulnerabilities in input-parsing code by repeatedly testing the parser with modified, or fuzzed, inputs [35]. Since the early 2000s, fuzzing has become a mainstream practice in assessing software security. Thousands of security vulnerabilities have been found while fuzzing all kinds of software applications for processing documents, images, sounds, videos, network packets, and Web pages, among others.
These applications must deal with untrusted inputs encoded in complex data formats. For example, the Microsoft Windows operating system supports over 360 file formats and includes millions of lines of code just to handle all of these.
Most of the code to process such files and packets evolved over the last 20+ years. It is large, complex, and written in C/C++ for performance reasons. If an attacker could trigger a buffer-overflow bug in one of these applications, they could corrupt the memory of the application and possibly hijack its execution to run malicious code (elevation-of-privilege attack), steal internal information (information-disclosure attack), or simply crash the application (denial-of-service attack) [9]. Such attacks might be launched by tricking the victim into opening a single malicious document, image, or Web page. If you are reading this article on an electronic device, you are using a PDF and JPEG parser in order to see Figure 1.
Buffer overflows are examples of security vulnerabilities: they are programming errors, or bugs, typically triggered only in specific, hard-to-find corner cases. In contrast, an exploit is a piece of code that triggers a security vulnerability and then takes advantage of it for malicious purposes. When exploitable, a security vulnerability is like an unintended backdoor in a software application that lets an attacker enter the victim's device.
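As an added illustration that is not part of the article (the record format, the function names and the xorshift32 generator are all choices made for this example), the following C program puts the two ideas above side by side: a toy record parser in the unchecked form that lets an attacker-controlled length byte overflow a 16-byte stack buffer, the same parser with the bounds checks that make it safe, and a minimal mutation fuzzer of the kind described at the top of the article, which repeatedly feeds mutated variants of one valid record to the hardened parser and counts how often the mutated length would have overflowed the unsafe version.

```c
/* Added example, not from the article. The record format is constructed
 * for this demonstration:
 *   byte 0      tag
 *   byte 1      payload length n (attacker-controlled, 0..255)
 *   bytes 2..   n payload bytes
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 16

enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

/* Vulnerable form: the length byte is never checked against sizeof payload
 * (stack buffer overflow) or against in_len (out-of-bounds read of the input).
 * Kept for comparison only; the fuzz loop below does not call it. */
int parse_record_unsafe(const uint8_t *in, size_t in_len, uint8_t *out_sum)
{
    uint8_t payload[PAYLOAD_MAX];
    uint8_t sum = 0;
    if (in_len < 2)
        return PARSE_TRUNCATED;
    memcpy(payload, in + 2, in[1]);              /* BUG: unbounded copy */
    for (size_t i = 0; i < in[1]; i++)
        sum = (uint8_t)(sum + payload[i]);       /* BUG: reads past payload */
    *out_sum = sum;
    return PARSE_OK;
}

/* Hardened form: every length taken from the input is checked against both
 * the destination buffer and the number of bytes actually present. */
int parse_record_safe(const uint8_t *in, size_t in_len, uint8_t *out_sum)
{
    uint8_t payload[PAYLOAD_MAX];
    uint8_t sum = 0;
    if (in_len < 2)
        return PARSE_TRUNCATED;
    size_t n = in[1];
    if (n > sizeof payload)
        return PARSE_TOO_LONG;                   /* would overflow the buffer */
    if (n > in_len - 2)
        return PARSE_TRUNCATED;                  /* would read past the input */
    memcpy(payload, in + 2, n);
    for (size_t i = 0; i < n; i++)
        sum = (uint8_t)(sum + payload[i]);
    *out_sum = sum;
    return PARSE_OK;
}

/* xorshift32: a tiny deterministic PRNG so that fuzz runs are reproducible. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* One random mutation in place: bit flip, random byte, "interesting" byte,
 * or truncation of the input. Returns the (possibly shortened) length. */
static size_t mutate(uint8_t *buf, size_t len, uint32_t *rng)
{
    static const uint8_t interesting[] = { 0x00, 0x01, 0x0f, 0x10, 0x11, 0x7f, 0x80, 0xff };
    if (len == 0) return 0;
    size_t pos = xorshift32(rng) % len;
    switch (xorshift32(rng) % 4) {
    case 0:  buf[pos] ^= (uint8_t)(1u << (xorshift32(rng) % 8)); break;
    case 1:  buf[pos] = (uint8_t)xorshift32(rng); break;
    case 2:  buf[pos] = interesting[xorshift32(rng) % sizeof interesting]; break;
    default: len = 1 + xorshift32(rng) % len; break;   /* drop a tail */
    }
    return len;
}

struct fuzz_stats { unsigned ok, truncated, too_long; };

/* Run `iterations` mutated variants of a valid seed record through the
 * hardened parser and tally the outcomes. Inputs counted under too_long are
 * exactly the ones that would have overflowed the stack buffer in
 * parse_record_unsafe; the return value is that count. */
unsigned fuzz_safe_parser(unsigned iterations, uint32_t seed, struct fuzz_stats *st)
{
    static const uint8_t seed_record[] = { 0x01, 0x04, 'a', 'b', 'c', 'd' };
    uint32_t rng = seed ? seed : 1;              /* xorshift must not start at 0 */
    memset(st, 0, sizeof *st);
    for (unsigned i = 0; i < iterations; i++) {
        uint8_t buf[sizeof seed_record];
        uint8_t sum;
        memcpy(buf, seed_record, sizeof buf);
        size_t len = mutate(buf, sizeof buf, &rng);
        switch (parse_record_safe(buf, len, &sum)) {
        case PARSE_OK:        st->ok++; break;
        case PARSE_TRUNCATED: st->truncated++; break;
        case PARSE_TOO_LONG:  st->too_long++; break;
        }
    }
    return st->too_long;
}

int main(void)
{
    struct fuzz_stats st;
    fuzz_safe_parser(10000, 1, &st);
    printf("ok=%u truncated=%u too_long(would overflow)=%u\n",
           st.ok, st.truncated, st.too_long);
    return 0;
}
```

Build it with `cc -std=c99 -Wall` and run it; the too_long count is the number of corner cases a one-byte mutation reached in ten thousand tries, which is the point of the exercise. Pointing the same loop at parse_record_unsafe under `-fsanitize=address` turns each of those inputs into a sanitizer report of the stack write, which is the crash oracle real fuzzers rely on.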
Broadly, there are three main ways to detect security vulnerabilities in software.
Static program analyzers are tools that automatically inspect code and
Fuzzing: Hack, Art, and Science
DOI: 10.1145/3363824
Reviewing software testing techniques for finding security vulnerabilities.
BY PATRICE GODEFROID
key insights
• Fuzzing means automatic test generation and execution with the goal of finding security vulnerabilities.
• Over the last two decades, fuzzing has become a mainstay in software security. Thousands of security vulnerabilities in all kinds of software have been found using fuzzing.
• If you develop software that may process untrusted inputs and have never used fuzzing, you probably should.