Fuzzing: Finding vulnerabilities in Software

Fuzzing is a well-known term among security people, because of the buzz created around it over the last few years and the impressive results it has delivered.

According to the Wikipedia article, fuzzing is a technique for testing software by providing random data as input and monitoring whether the program fails, either by crashing or by consuming excessive system resources. If this happens, there are defects to correct.

As the Wikipedia entry puts it, unexpected input causes unexpected results. In fuzzing, you are in effect creating 'rough clients' that send input a normal client never would.


There are fuzzing frameworks and programs that create "rough clients" for almost everything, including

  • operating system kernels (e.g. testing syscalls)
  • file formats (e.g. pdf, doc, images, sound, video)
  • executables
  • network daemons (e.g. fuzzing apache, IIS, VMware Server)
  • network protocols (e.g. tcp/ip)
  • command-line utility arguments
  • device drivers (e.g. Wifi cards)
  • web applications
  • misc (COM object interfaces)
  • whatever_else_you_might_imagine

Fuzzing is an unbelievable technique for testing software, in the sense that you have to see it yourself to believe that it actually works :)

This is something I had read several times but only had the chance to see with my own eyes some months ago, when I was encouraged to create a prototype for a Python module fuzzer. The fuzzer would try to call all classes and functions of a Python module with random arguments (such as None, False, big integers or big strings), after it had found out the number of arguments a function needs. This was a rough prototype, very specialized to one thing (fuzzing Python modules) and was created and used over two days, yet it resulted in the discovery of some tens of segmentation faults in well-known Python modules, including GUI toolkits such as wxwidgets, the scientific software scipy and pygame.

All of the above are Python modules written in C, which is why they make Python itself crash with a segmentation fault: Python modules can be written in several programming languages, including C.

How it all started

Fuzz testing was developed at the University of Wisconsin-Madison in 1988/89 by Professor Barton Miller, who created the legendary program fuzz, which sent random data to Unix command-line utilities. Surprisingly, a large share of the utilities he tested (between a quarter and a third, in the original study) crashed with a segmentation fault or hung.

One great presentation about fuzzing was written by Ilja van Sprundel and is here. Another epic presentation is The Art of File Format Fuzzing. Neat!

A good list of fuzzing software can be found on the page made for the book Fuzzing: Brute Force Vulnerability Discovery. This is one of the two mainstream books that focus 100% on fuzzing, at least to my knowledge. The other is Open Source Fuzzing Tools by Noam Rathaus and Gadi Evron.

Among other fuzzers I would like to mention fusil, because it seems to be more actively developed than other, more famous fuzzers. Fusil is a powerful fuzzing framework with many ways to generate inputs and to detect a program crash, and it comes with ready-made fuzzing projects, such as those for ClamAV, Firefox, mplayer and php.

As any self-respecting fuzzing project does, fusil maintains a crash list, i.e. a page listing the programs crashed using the framework. If you look at the corresponding lists for other fuzzers, like SPIKE, Peach or zzuf, you will realize that most high-profile servers, programs and protocols have been crashed at least once, and bugs have been found in them, with fuzzing software.

As a fuzzing framework, fusil is MUCH harder to use than a fuzzing program that targets a single entity (a protocol or a program). I would really like to write a GUI or web front-end for fusil, to make using it easier. I have contacted the author, who was very kind and helpful, so in the near future I shall start working on this; time is the enemy here.

Another great piece of fuzzing software is zzuf, which makes it easy to test a program: you run zzuf with a few options (typically a seed and a mutation ratio) followed by the command line of the program you want to fuzz, and zzuf corrupts the file and network data that program reads. See the rest for yourself!

zzuf and a few other fuzzers are straightforward and easy to use; fuzzing, however, is far from a plug-and-play area. Most of the time, deep knowledge of the file format, program or protocol under test is needed for serious vulnerability hunting with fuzzing.

Above all, have fun!





Posted by Michael on October 09, 2008 at 06:19 PM EEST
