Communications of the ACM

review articles

FUZZING, OR FUZZ TESTING, is the process of finding security vulnerabilities in input-parsing code by repeatedly testing the parser with modified, or fuzzed, inputs. 35 Since the early 2000s, fuzzing has become a mainstream practice in assessing software security.

Thousands of security vulnerabilities have been found while fuzzing all kinds of software applications for processing documents, images, sounds, videos, network packets, Web pages, among others.

These applications must deal with untrusted inputs
encoded in complex data formats. For
example, the Microsoft Windows oper-
ating system supports over 360 file for-
mats and includes millions of lines of
code just to handle all of these.
Most of the code to process such
files and packets evolved over the last
20+ years. It is large, complex, and
written in C/C++ for performance
reasons. If an attacker could trigger
a buffer-overflow bug in one of these
applications, s/he could corrupt the
memory of the application and pos-
sibly hijack its execution to run ma-
licious code (elevation-of-privilege
attack), or steal internal information
(information-disclosure attack), or
simply crash the application (denial-
of-service attack). 9 Such attacks might
be launched by tricking the victim
into opening a single malicious docu-
ment, image, or Web page. If you are
reading this article on an electronic
device, you are using a PDF and JPEG
parser in order to see Figure 1.
Buffer-overflows are examples of
security vulnerabilities: they are pro-
gramming errors, or bugs, and typi-
cally triggered only in specific hard-
to-find corner cases. In contrast, an
exploit is a piece of code which triggers
a security vulnerability and then takes
advantage of it for malicious purposes.
When exploitable, a security vulner-
ability is like an unintended backdoor
in a software application that lets an
attacker enter the victim’s device.

There are approximately three main ways to detect security vulnerabilities in software.

Static program analyzers are tools that automatically inspect code and

Fuzzing:

Hack,
Art, and
Science
DOI: 10.1145/3363824

Reviewing software testing techniques for finding security vulnerabilities.

BY PATRICE GODEFROID

key insights

˽ Fuzzing means automatic test generation and execution with the goal of finding security vulnerabilities.

˽ Over the last two decades, fuzzing has become a mainstay in software security. Thousands of security vulnerabilities in all kinds of software have been found using fuzzing.