Test security | 23
The fuzzing technique applied to software security is not a new concept; it has been around for many years. The earliest reference dates back to 1988, when Professor Barton Miller introduced it in his Advanced Operating Systems class [1]. The approach taken by Miller was not focused on security but on generic software robustness testing. Only in the last five years, however, has fuzzing become a mainstream technique, not only with the appearance of a wide number of commercial and open source fuzzing solutions, but also with IT security consultancies offering services to develop bespoke fuzzers for specific scenarios. The main reason for this growth is that fuzzing has proved to be a low-cost and very effective technique for software testing.

Although fuzzing was once a technique exclusively used by security researchers, it is now becoming a vital part of a company's software development lifecycle. Microsoft has adopted fuzzing in its Trustworthy Computing Security Development Lifecycle [3] (SDLC), stating: “Apply security-testing tools including fuzzing tools. Fuzzing supplies structured but invalid inputs to software application programming interfaces (APIs) and network interfaces so as to maximize the likelihood of detecting errors that may lead to software vulnerabilities.”

What is fuzzing?
Fuzzing is a technique used for software testing assurance. In its simplest form, a piece of software receives input data, processes it and generates an output. Software data input can occur in several ways, including:
- File
- User entry
- Network protocol
- API

The input data generally follows an agreed format. For example, when you open Microsoft Word, the application expects a correctly formatted .doc document. Similarly, when you visit a website and load a web page, your web browser expects a correctly formatted HTML page. Or when you deploy an FTP server, the application expects an FTP client to send requests to it in accordance with the FTP protocol.

Fuzzing is a technique whereby an application is fed malformed input data with the aim of detecting anomalies in the processing of unexpected data entry. Although this process can be applied to a number of software assurance fields, it is most widely used for security vulnerability discovery. The process is normally approached from a black box perspective and it is done automatically in order to cover large amounts of input primitives.

In an ideal world with no time and resource constraints it would be possible to achieve full code coverage by generating every single potential input that the application might receive. However, this is not only unfeasible but also unnecessary in most scenarios. For example, if a piece of software has been designed to receive a buffer of 256 characters, it is very unlikely that sending strings with a length between one and 255 would trigger an anomaly. However, null strings and buffers larger than 256 might lead to some kind of memory corruption vulnerability. The common approach for input generation is therefore to focus on the boundaries of the specific data type.

Mutation-based vs generation-based fuzzers
All fuzzers need to generate input and pass it on to the software that needs to be tested. There are two ways of generating the input data:

Mutation-based input: This approach takes a valid input as a baseline and generates variations of the
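The boundary-focused input generation and the mutation-based approach described above, as an added Python example that is not code from the article: a constructed FTP-style command parser with two boundary defects, a generation-based producer of boundary-length inputs, a seeded single-byte mutator over a valid baseline, and a harness that records which inputs trigger an anomaly. The parser, the `MAX_ARG` field width and the `VERB argument\r\n` format are assumptions made for this example.

```python
import random

MAX_ARG = 256  # field width the hypothetical target was designed for (assumed)


def parse_command(line: bytes) -> tuple:
    """Constructed target: a hypothetical FTP-style 'VERB arg\\r\\n' parser.
    It mishandles two boundary cases (empty argument, argument longer than
    MAX_ARG); the fuzzer below should surface both as anomalies."""
    if not line.endswith(b"\r\n"):
        raise ValueError("missing CRLF terminator")  # deliberate, clean rejection
    verb, _, arg = line[:-2].partition(b" ")
    if len(arg) > MAX_ARG:
        raise MemoryError("argument overran the fixed buffer")  # simulated corruption
    if verb == b"USER" and arg[0] == ord("-"):  # IndexError when arg is empty
        raise ValueError("user names cannot start with '-'")
    return (verb.decode("ascii", "replace"), arg)


def boundary_inputs(verb: bytes, width: int = MAX_ARG):
    """Generation-based input: lengths around the boundaries of a field
    designed for `width` characters, rather than every length in between."""
    for n in (0, 1, width - 1, width, width + 1, width * 4):
        yield verb + b" " + b"A" * n + b"\r\n"


def mutate(baseline: bytes, count: int, seed: int = 0):
    """Mutation-based input: random single-byte variations of a valid baseline."""
    rng = random.Random(seed)  # seeded so that any finding can be reproduced
    for _ in range(count):
        data = bytearray(baseline)
        pos = rng.randrange(len(data))
        op = rng.choice(("flip", "delete", "insert"))
        if op == "flip":
            data[pos] ^= 0xFF
        elif op == "delete":
            del data[pos]
        else:
            data.insert(pos, rng.randrange(256))
        yield bytes(data)


def fuzz(inputs):
    """Feed each input to the target; a ValueError is the parser's rejection path, anything else is a finding."""
    findings = []
    for data in inputs:
        try:
            parse_command(data)
        except ValueError:
            pass
        except Exception as exc:
            findings.append((type(exc).__name__, data[:24]))
    return findings
```

Running `fuzz(boundary_inputs(b"USER"))` reports the empty-argument and the two oversized cases while the lengths 1, 255 and 256 pass cleanly, which is exactly the boundary argument the text makes.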
T.E.S.T | June 09