Test security | 25

[Figure: dispatch on the message Type byte. Input -> Entry -> Read request type -> Type = 1: secure code; Type = 2: secure code; Type = 3: insecure memory allocation, insecure strcpy() call]

In a truly random mutation-based input generation the fuzzer would only target the vulnerable branch of code 1/256 times, as the Type byte is mutated. A generation-based approach would implement test cases for each type of message and it would certainly reach the vulnerable branch of code. It is difficult to say beforehand which approach is going to be better; however, generation-based fuzzers provide more completeness and integrate better into methodical testing practices.

Fuzzing as part of your SDLC

Although fuzzing was once a technique exclusively used by security researchers, it is now becoming a vital part of a company's software development lifecycle. Microsoft has adopted fuzzing in its Trustworthy Computing Security Development Lifecycle[3] (SDLC), stating: “Apply security-testing tools including fuzzing tools. Fuzzing supplies structured but invalid inputs to software application programming interfaces (APIs) and network interfaces so as to maximize the likelihood of detecting errors that may lead to software vulnerabilities.” The discovery of the ANI vulnerability[4] in March 2007 had a positive impact on Microsoft's adoption of fuzzing, which continues today in areas such as file format parsing in the Microsoft Office suite.

The growth of resources on fuzzing is increasing the adoption of this technique by QA teams. Nowadays there is a greater understanding of this technique, which has proved very efficient in discovering security issues that could have been very difficult to identify with white box approaches such as source code reviews.

Here to stay

Fuzzing is here to stay. It is a technique that has helped researchers, developers and testers to assess the security and robustness of software. It can be applied to any piece of software which accepts some form of data, regardless of its source. It can be a file, a media stream, a network request, an API function, etc.

Fuzzing is a low cost solution compared to other software testing techniques such as source code reviews, and it can be integrated into the software development lifecycle. This process is simpler than before, as there has been an interesting growth in the number of resources on fuzzing and in IT consultancies with an understanding of this technique.

Notes

[1] http://pages.cs.wisc.edu/~bart/fuzz/CS736-Projects-f1988.pdf
[2] http://www.w3.org/Protocols/rfc2616/rfc2616.html
[3] http://msdn.microsoft.com/en-us/library/ms995349.aspx
[4] http://www.microsoft.com/technet/security/bulletin/ms07-017.mspx

Rodrigo Marcos
Principal consultant
Secforce
www.secforce.co.uk
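The following example is added for this edition and is not code from the article or from Secforce. It models the flowchart's dispatch on the Type byte and measures how often a mutation-based fuzzer and a generation-based fuzzer reach the Type = 3 branch, which is the point made in the mutation-versus-generation comparison earlier on this page. The toy protocol, BUF_SIZE, the boundary lengths and all function names are constructed for illustration; the insecure strcpy() is represented by a length check that reports an overflow rather than by any real memory corruption.

```python
import random

# Constructed toy protocol (not from the article): a one-byte Type field followed
# by a payload. BUF_SIZE stands in for the fixed-size buffer that the flowchart's
# unchecked strcpy() call would write into.
BUF_SIZE = 16
KNOWN_TYPES = (1, 2, 3)
BOUNDARY_LENGTHS = (0, BUF_SIZE - 1, BUF_SIZE, BUF_SIZE + 1, 2 * BUF_SIZE)


def parse_message(msg: bytes) -> str:
    """Model of the flowchart: dispatch on the Type byte.

    Types 1 and 2 take the secure path (the copy is bounded by the buffer size).
    Type 3 models the branch with the unchecked strcpy(): instead of corrupting
    memory, an over-long payload is reported as "type3:overflow" so the harness
    can count how often a fuzzer reaches that condition.
    """
    if not msg:
        return "empty"
    msg_type, payload = msg[0], msg[1:]
    if msg_type in (1, 2):
        return f"type{msg_type}:secure"      # bounded copy, any length is safe
    if msg_type == 3:
        if len(payload) > BUF_SIZE:          # the unchecked copy would overrun here
            return "type3:overflow"
        return "type3:ok"
    return "unknown"                         # unrecognised Type values are rejected


def tally(counts: dict, result: str) -> None:
    """Record whether a test case reached the Type = 3 branch and whether it
    triggered the modelled overflow."""
    counts["cases"] += 1
    if result.startswith("type3"):
        counts["type3_reached"] += 1
    if result == "type3:overflow":
        counts["overflow"] += 1


def mutation_fuzz(seed_msg: bytes, iterations: int, seed: int = 0) -> dict:
    """Mutation-based fuzzing: start from one valid message, overwrite the Type
    byte with a random value and randomise the payload length. Only about
    1 in 256 mutants carries Type = 3, so the insecure branch is rarely hit."""
    rng = random.Random(seed)                # seeded so runs are reproducible
    counts = {"cases": 0, "type3_reached": 0, "overflow": 0}
    filler = seed_msg[1:2] or b"A"           # reuse a byte of the seed as payload filler
    for _ in range(iterations):
        mutated_type = bytes([rng.randrange(256)])
        payload = filler * rng.randrange(2 * BUF_SIZE + 1)
        tally(counts, parse_message(mutated_type + payload))
    return counts


def generation_fuzz() -> dict:
    """Generation-based fuzzing: the fuzzer knows the message grammar, so it emits
    one case per known Type and per boundary payload length. Every branch of the
    dispatch, including Type = 3, is reached on every run."""
    counts = {"cases": 0, "type3_reached": 0, "overflow": 0}
    for msg_type in KNOWN_TYPES:
        for length in BOUNDARY_LENGTHS:
            tally(counts, parse_message(bytes([msg_type]) + b"A" * length))
    return counts


def hit_rate(counts: dict) -> float:
    """Fraction of generated cases that reached the Type = 3 branch."""
    return counts["type3_reached"] / counts["cases"] if counts["cases"] else 0.0


if __name__ == "__main__":
    m = mutation_fuzz(b"\x01AAAA", 25600)
    g = generation_fuzz()
    print(f"mutation:   {m}  hit rate {hit_rate(m):.4f} (expected about {1 / 256:.4f})")
    print(f"generation: {g}  hit rate {hit_rate(g):.4f}")
```

Running the block shows the article's figure in practice: across 25,600 random mutants roughly 100 (one in 256) carry Type = 3, and only those whose payload happens to exceed the buffer reach the overflow condition, whereas the 15 generated cases cover every Type with every boundary length and report the overflow on both over-long Type = 3 payloads every time. The same structure scales to a real target by replacing parse_message with a call into the software under test and replacing the returned string with a crash or sanitizer signal.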
T.E.S.T | June 09