Open Source Fuzzing Tools

Book Description

Fuzzing is often described as a “black box” software testing technique. It works by automatically feeding a program many input variations in an attempt to trigger an internal error indicative of a bug, and potentially to crash it. Such errors and crashes indicate the possible existence of a security vulnerability, which can then be researched and fixed.

Fuzz testing is now making the transition from a hacker-grown tool to a commercial-grade product. There are many different types of applications that can be fuzzed, many different ways they can be fuzzed, and a variety of different problems that can be uncovered. There are also problems that arise during fuzzing itself, such as deciding when enough is enough. These issues and many others are fully explored.
  • Fuzzing is a fast-growing field with increasing commercial interest (7 vendors unveiled fuzzing products last year).
  • Vendors today are looking for solutions to the ever increasing threat of vulnerabilities. Fuzzing looks for these vulnerabilities automatically, before they are known, and eliminates them before release.
  • Software developers face an increasing demand to produce secure applications, and they are looking for any information to help them do that.

Table of Contents

  1. Copyright
  2. Contributing Authors
  3. Chapter 1. Introduction to Vulnerability Research
    1. Statement of Scope
    2. Off-by-One Errors
    3. Programming Language Use Errors
    4. Integer Overflows
    5. Bugs and Vulnerabilities
    6. The Vaunted Buffer Overflow
      1. Buffer Overflow on the Stack (aka Stack-based Buffer Overflow)
      2. Stack Overflow (aka Unbounded Recursion)
    7. Finding Bugs and Vulnerabilities
      1. Source Code Review
      2. Black Box Testing
      3. Glass Box Testing
  4. Chapter 2. Fuzzing—What’s That?
    1. Introduction
    2. Introduction to Fuzzing
    3. Milestones in Fuzzing
    4. Fuzzing Technology
      1. Traffic Sniffing
      2. Prepared Template
    5. Second-Generation Fuzzing
      1. Robustness
      2. Technical Advances
    6. File Fuzzing
    7. Host-side Monitoring
    8. Vulnerability Scanners as Fuzzers
    9. Uses of Fuzzing
    10. Open Source Fuzzers
    11. Commercial-Grade Fuzzers
      1. Codenomicon
      2. Beyond Security
      3. muSecurity
    12. What Comes Next
    13. The Software Development Life Cycle
  5. Chapter 3. Building a Fuzzing Environment
    1. Introduction
      1. Knowing What to Ask...
    2. Basic Tools and Setup
    3. Data Points
    4. Crash Dumps
    5. Fuzzer Output
    6. Debuggers
      1. Recon Tools
        1. Windows
          1. Process Monitor
        2. PsTools
      2. Linux
        1. Valgrind
        2. strace
      3. OSX
        1. Xcode
    7. Summary
  6. Chapter 4. Open Source Fuzzing Tools
    1. Introduction
      1. Frameworks
        1. Peach Fuzzer—http://peachfuzz.sourceforge.net/
        2. (L)ibrary (E)xploit API – lxapi—http://lxapi.sourceforge.net/
        3. Autodafe—http://autodafe.sourceforge.net/
        4. RIOT and faultmon—http://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip
        5. Scratch—http://packetstormsecurity.org/UNIX/misc/scratch.rar
        6. antiparser—http://antiparser.sourceforge.net/
        7. dfuz—www.genexx.org/dfuz/
      2. Special-Purpose Tools
        1. fuzz—http://pages.cs.wisc.edu/~bart/fuzz/fuzz.html
        2. SPIKE Proxy—www.immunitysec.com/resources-freesoftware.shtml (Web applications)
        3. AxMan—www.metasploit.com/users/hdm/tools/axman/ (ActiveX)
        4. Mangle—http://lcamtuf.coredump.cx/ - HTML file fuzzer
        5. screamingCobra—http://samy.pl/scobra/README.txt (Web applications)
        6. WebFuzzer—http://gunzip.altervista.org/g.php?f=projects#webfuzzer (Web applications)
        7. ip6sic—http://ip6sic.sourceforge.net/
        8. BlueTooth Stack Smasher (BSS)—www.secuobs.com/news/05022006-bluetooth10.shtml
        9. Radius Fuzzer—www.suse.de/~thomas/projects/radius-fuzzer/
        10. COMRaider—http://labs.idefense.com/software/fuzzing.php
        11. fuzzball2—www.nologin.net/main.pl?action=codeView&codeId=54&
      3. General-Purpose Tools
        1. TAOF—www.theartoffuzzing.com/joomla/index.php?option=com_content&task=view&id=16&Itemid=35
        2. SPIKE—www.immunitysec.com/resources-freesoftware.shtml
        3. FileFuzz—http://labs.idefense.com/software/fuzzing.php
        4. SPIKEFile—http://labs.idefense.com/software/fuzzing.php
        5. notSPIKEFile—http://labs.idefense.com/software/fuzzing.php
        6. eFuzz—http://packetstormsecurity.org/Win2k/efuzz01.zip
        7. Blackops Fuzzing Tools—www.blackops.cn/tools/
  7. Chapter 5. Commercial Fuzzing Solutions
    1. Introduction
      1. beSTORM (by Beyond Security)
      2. BPS-1000 (by BreakingPoint Systems)
      3. Codenomicon
      4. Mu-4000 Security Analyzer (by Mu Security)
  8. Chapter 6. Build Your Own Fuzzer
    1. Hold Your Horses
    2. Fuzzer Building Blocks
      1. One or More Valid Data Sets
      2. Understanding What Each Byte in the Data Set Means
      3. Change the Values of the Data Sets While Maintaining the Integrity of the Data Being Sent
      4. Recreate the Same Malformed Data Set Time and Time Again
      5. An Arsenal of Malformed Values, or the Ability to Create a Variety of Malformed Outputs
      6. Maintain a Form of a State Machine
      7. Summarize
    3. Down to Business
    4. Simplest Fuzz Testing Find Issues
  9. Chapter 7. Integration of Fuzzing in the Development Cycle
    1. Introduction
    2. Why Is Fuzzing Important to Include in a Software Development Cycle?
      1. Security Testing Workload
    3. Setting Expectations for Fuzzers in a Software Development Lifecycle
      1. Fuzzing as a Panacea
        1. What Fuzzers Won’t Find
        2. Fuzzer Effectiveness
      2. Fuzzing Tools versus ...
    4. Setting the Plan for Implementing Fuzzers into a Software Development Lifecycle
      1. Setting Goals
        1. Fuzz Who?
        2. Fuzz What?
        3. Fuzz When?
        4. Fuzz How?
          1. Buy, Build or Borrow?
          2. How Long to Run the Fuzzer
          3. Shaking the Bug Tree
          4. Increasing Fuzzer Coverage
      2. Building and Executing on the Plan
        1. Building the Plan
        2. Running the Fuzzer through the Release
        3. Postmortem Analysis
    5. Understanding How to Increase Effectiveness of Fuzzers, and Avoiding Any Big Gotchas
      1. Hidden Costs
        1. Reproducing Bugs
        2. Investigating Bugs
        3. Bad Assumptions
        4. Reports
        5. Software Gotchas
      2. Finding More Vulnerabilities
        1. Increasing Coverage
          1. Generation
          2. Mutation
          3. Smart
          4. Dumb
          5. Where to Focus Time
          6. Code Coverage
          7. Running More than One Fuzzer
        2. Monitoring
    6. Summary
    7. Solutions Fast Track
      1. Why Is Fuzzing Important to Include in a Software Development Cycle?
      2. Setting Expectations for Fuzzers in a Software Development Lifecycle
      3. Setting the Plan for Implementing Fuzzers into a Software Development Lifecycle
      4. Understanding How to Increase Effectiveness of Fuzzers, and Avoiding any Big Gotchas
    8. Frequently Asked Questions
  10. Chapter 8. Standardization and Certification
    1. Fuzzing and the Corporate Environment
    2. Software Security Testing, the Challenges
    3. Testing for Security
      1. Historical Studies
      2. Stress Testing
      3. Vulnerability Scanning
      4. Fuzzing as a Viable Option
      5. Business Pressure
        1. Reactive vs. Proactive, and Security as Part of the Business
        2. Saving Costs by Using Fuzzing
        3. Certification by Product
        4. SDL
      6. Software Security Certification
      7. Meeting Standards and Compliance
      8. Tester Certification
      9. Industry Pressure
      10. Antivirus Product Testing and Certification
  11. Chapter 9. What Is a File?
    1. Introduction
    2. Are File Fuzzers Special?
    3. Analyzing and Building Files
      1. Textual Files
      2. Binary Files
        1. 010 editor—trial available (www.sweetscape.com/010editor/)
        2. HexProbe—evaluation available (www.hexprobe.com/index.htm)
        3. AXE3—trial available (www.axe-editor.com/)
        4. Tiny Hexer (www.mirkes.de/en/freeware/tinyhex.php)
      3. Running the Test
        1. Interface
        2. Test Flow
        3. iSEC Partners—FileP
        4. iDefense’s FileFuzz
        5. eEye—Integer File Fuzzer (UFuz3)
        6. Gianni’s fuzzer
        7. zzuf
        8. untidy
        9. mangle.c
        10. Frameworks
          1. Fuzzled—Perl Fuzzing Framework
          2. AntiParser
      4. Monitoring the Application with the Test Cases
  12. Chapter 10. Code Coverage and Fuzzing
    1. Introduction
    2. Code Coverage
      1. Obtaining Code Coverage
      2. Instrumenting the Binary
      3. Monitoring a Closed Source Application
      4. Improving Fuzzing with Code Coverage
      5. Manual Improvements
      6. Dynamically Generating Code Coverage Improvements
      7. Statically Generating Code Coverage
      8. Weaknesses of Code Coverage
    3. Summary
    4. Solutions Fast Track
      1. Code Coverage
      2. Obtaining Code Coverage
      3. Improving Code Coverage with Fuzzing
      4. Weaknesses of Code Coverage
    5. Frequently Asked Questions