Chapter 17. The Art of Fuzzing

Fuzzing is a term that encapsulates the activity that surrounds the discovery of most security bugs found. Although university-level academic research focuses on "provable" security techniques, most in-the-field security researchers tend to focus on techniques that generate results quickly and efficiently. This chapter examines the tools and methodologies behind finding exploitable bugs—something of great interest, no doubt, following the information in the previous chapters. Keep in mind, however, that for all the research into vulnerability analysis that has been done, the vast majority of security vulnerabilities are still found by luck. This chapter teaches you how to get lucky.

General Theory of Fuzzing

One method of fuzzing involves the technique of fault injection (we have dedicated all of Chapter 16 to fault injection). In the software security world, fault injection usually involves sending bad data into an application by means of directly manipulating various API calls within it, usually with some form of debugger or library call interceptor. For example, you could randomly make the free() call return NULL (meaning failure), or have every getenv() call return a long string. Most papers and books on the subject talk about instrumenting the executable and then injecting hypothesized anomalies into it. Basically, they make free() return zero and then use Venn Diagrams to discuss the statistical value of this event. The whole process makes more ...

Get The Shellcoder's Handbook: Discovering and Exploiting Security Holes, Second Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.