What is Fuzzing?

Intro: What is Fuzzing?

In 2014, Chinese hackers broke into Community Health Systems, a for-profit US hospital chain, and stole the data of 4.5 million patients. They exploited Heartbleed, a bug in the OpenSSL cryptography library that had been disclosed some months before the breach.

Heartbleed belongs to a class of attack vectors in which the attacker reaches a target by sending malformed requests that are valid enough to pass preliminary checks. The professionals who work on the different parts of an application do their best to make it secure, but it is impossible to think of every corner case that could break it or leave it vulnerable during development.

This is where ‘fuzzing’ comes in.

What is a Fuzzing Attack?

Fuzzing, fuzz testing, or a fuzzing attack is an automated software testing technique that feeds random, unexpected, or invalid data (called fuzz) into a program. The program is monitored for unusual or unexpected behaviors such as buffer overflows, crashes, memory leaks, thread hangs, and read/write access violations. The fuzzing tool, or fuzzer, is then used to uncover the cause of the unusual behavior.

Fuzzing is based on the assumption that all systems contain bugs waiting to be discovered, and that, given enough time and resources, they can be found. Most systems have very good parsers or input validation that prevent cybercriminals from exploiting any hypothetical bugs in a program. However, as mentioned above, covering all corner cases during development is difficult.

Fuzzers are used on programs that take in structured input or have some kind of trust boundary. For example, a program that accepts PDF files would have some validation to ensure the file has a .pdf extension and a parser to process the PDF file.

An effective fuzzer can generate inputs that are valid enough to get past these boundaries yet invalid enough to cause unexpected behavior further along in the program. This matters because getting past the validation alone means little if no further harm is caused.

Fuzzers discover attack vectors such as SQL injection, cross-site scripting, buffer overflows, and denial-of-service conditions. All of these result from feeding unexpected, invalid, or random data into a system.

Types of Fuzzers

Fuzzers can be classified by several characteristics:

  1. Attack targets
  2. Fuzz creation method
  3. Awareness of input structure
  4. Awareness of program structure

1. Attack Targets

This classification is based on the kind of platform the fuzzer is used to test. Fuzzers are commonly used against network protocols and software applications. Each platform receives a particular type of input and therefore requires a different type of fuzzer.

For example, when dealing with applications, all fuzzing attempts occur at the application’s various input channels, such as the user interface, command-line terminal, forms/text inputs, and file uploads. So all inputs generated by the fuzzer have to match these channels.

Fuzzers for communication protocols have to deal with packets. They can generate forged packets, or even act as proxies that modify intercepted packets and replay them.

2. Fuzz Creation Method

Fuzzers can also be classified by how they create the data they fuzz with. Historically, fuzzers created fuzz by generating random data from scratch; this is how Professor Barton Miller, who originated the technique, did it initially. This type of fuzzer is called a generation-based fuzzer.

However, while one could theoretically generate data that bypasses a trust boundary this way, it would take considerable time and resources. This method is therefore usually used for systems with simple input structures.

A solution to this problem is to mutate data known to be valid, producing data that is valid enough to pass a trust boundary yet invalid enough to cause problems. A good example is a DNS fuzzer that takes a domain name and generates a large list of variant domain names, which can be used to detect potentially malicious domains targeting the owner of the specified domain.

This approach is smarter than the previous one and significantly narrows the possible permutations. Fuzzers that use this method are called mutation-based fuzzers.

A third, more recent method uses genetic algorithms to converge on the fuzz data needed to root out vulnerabilities. It works by continually refining its fuzz data, taking into account how each test input performs when fed into the program.

The worst-performing sets of data are removed from the data pool, while the best are mutated and/or combined. The new generation of data is then used to fuzz test again. These fuzzers are referred to as evolutionary mutation-based fuzzers.
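As an added example (not code from the original article), the following Python sketch puts the ideas above together: a mutation-based fuzzer that flips, inserts and deletes bytes of a known-valid input, an evolutionary loop that keeps inputs reaching new checkpoints in its pool, and crash monitoring that separates expected rejections at the trust boundary from real findings. The record format, its parser and the length-handling bug are all constructed for this example.

```python
import random

def parse_record(data: bytes, trace: set) -> int:
    """Constructed toy format: magic b'FZ', a 1-byte payload length, then the
    payload. The magic check is the trust boundary; the deliberate bug is that
    the length byte is trusted. 'trace' collects the checkpoints reached."""
    if data[:2] != b"FZ":
        raise ValueError("bad magic")          # expected rejection at the boundary
    if len(data) < 3:
        raise ValueError("missing length")     # also an expected rejection
    trace.add("magic_ok")
    n = data[2]
    trace.add("large" if n > 16 else "small")  # a branch, so coverage can grow
    payload = data[3:3 + n]
    return payload[n - 1] ^ n                  # bug: IndexError when len(payload) < n

def mutate(rng: random.Random, data: bytes) -> bytes:
    """Mutation-based fuzz: flip, insert or delete one byte of a known-valid input."""
    buf = bytearray(data)
    op = rng.choice(("flip", "insert", "delete"))
    if op == "flip" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)

def fuzz(seed: bytes, iterations: int, rng_seed: int = 1) -> dict:
    """Evolutionary loop: candidates reaching a new set of checkpoints join the
    pool, boundary rejections are dropped, any other exception is a crash."""
    rng = random.Random(rng_seed)
    pool, seen, crashes, rejected = [seed], set(), [], 0
    for _ in range(iterations):
        candidate = mutate(rng, rng.choice(pool))
        trace: set = set()
        try:
            parse_record(candidate, trace)
        except ValueError:                     # the parser's own validation fired
            rejected += 1
            continue
        except Exception as exc:               # unexpected behavior: record it
            crashes.append((candidate, type(exc).__name__))
        if frozenset(trace) not in seen:       # new coverage keeps the input alive
            seen.add(frozenset(trace))
            pool.append(candidate)
    return {"crashes": crashes, "rejected": rejected, "pool_size": len(pool)}
```

Calling fuzz(b"FZ\x03abc", 300) on the valid seed record is enough to surface the IndexError while also counting how many mutants never got past the magic check.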

3. Awareness Of Input Structure

This classification is based on whether a fuzzer is aware of, and actively uses, the input structure of a program when generating fuzz data. A dumb fuzzer (one that is unaware of the program's input structure) generates fuzz in a mostly random fashion. This category includes both generation-based and mutation-based fuzzers.

If a fuzzer is provided with the program's input model, it can generate or mutate data so that it matches that model. This further reduces the resources spent generating invalid data. Such a fuzzer is called a smart fuzzer.

4. Awareness Of Program Structure

Fuzzers can also be classified by whether they are aware of the internal workings of the program under test and use that awareness to guide fuzz data generation. When a fuzzer tests a program without understanding its internal structure, this is called black-box testing.

Fuzz data generated during black-box testing is usually random, unless the fuzzer is an evolutionary mutation-based fuzzer that ‘learns’ by monitoring the effect of its fuzzing and uses that information to refine its fuzz data set.

White-box testing, on the other hand, uses a model of the program’s internal structure to generate fuzz data. This approach lets a fuzzer reach critical locations in a program and test them.

Popular Fuzzing Tools

There are many fuzzing tools out there used by pen testers. Some of the most popular ones are:

Limitations Of Fuzzing

While fuzzing is a really useful pen-testing technique, it is not without its faults. Some of these are:

  • It takes quite a long time to run.
  • Crashes and other unexpected behaviors found during black-box testing of a program can be difficult, if not impossible, to analyze or debug.
  • Creating mutation templates for smart mutation-based fuzzers can be time-consuming. Sometimes, it may not even be possible due to the input model being proprietary or unknown.


Nevertheless, it is a useful and necessary tool for anyone who wants to discover bugs before the bad guys do.

Conclusion

Fuzzing is a powerful pen-testing technique for uncovering vulnerabilities in software. There are many different types of fuzzers, and new ones are being developed all the time. While fuzzing is an incredibly useful tool, it does have limitations: fuzzers can only find so many vulnerabilities, and they can be quite resource intensive. If you want to try this technique for yourself, we have a free DNS Fuzzer API that you can use on our platform.

So what are you waiting for?

Start fuzzing today!