Fuzzing - It Can Be Good for Finding Evil

Hackers make finding security holes look easy. A new product comes out, and not a week goes by before hackers expose embarrassing, sometimes trivial, security weaknesses in it. Sometimes it's as if hackers can find those vulnerabilities "at will." In one case, security researcher H.D. Moore announced a project he named "a month of browser bugs," in which every day during July a new security-related bug was exposed in one of the leading browsers from Microsoft, Apple, and Opera.

How can a single researcher, working in his spare time, find what countless professional software testers, working full time for the largest software companies in the world, can't find? The secret lies in a methodology called "black box testing," known in technical circles as "fuzzing."

Fuzzing is a concept that, until recently, has mostly been used on the wrong side of the fence. Fuzzing is a testing technique that automates the search for security vulnerabilities in software without having access to the source code of the application. The lack of source code and other design information is why this testing method is called "black box" testing. It's like looking at a black, opaque box and trying to find holes in it, without having access to the blueprint or design documents.
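As an added illustration (not code from the original article), the sketch below shows the black-box loop in miniature: a mutation fuzzer that treats a parser as an opaque callable, feeds it corrupted copies of one valid sample, and records any failure other than a clean rejection. The `parse_record` target, its record format, the planted defect and all names are constructed for this example.

```python
import random

def parse_record(data: bytes) -> bytes:
    """Constructed toy target: magic 'RC', 1-byte length, payload, 1-byte checksum."""
    if len(data) < 4 or data[:2] != b"RC":
        raise ValueError("bad header")            # clean, expected rejection
    length = data[2]
    payload = data[3:3 + length]
    checksum = data[3 + length]                   # planted defect: length field is trusted
    if sum(payload) & 0xFF != checksum:
        raise ValueError("bad checksum")
    return payload

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to three random byte-level mutations to a valid sample."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        if not buf:
            break
        op = rng.choice(("flip", "set", "truncate", "duplicate"))
        pos = rng.randrange(len(buf))
        if op == "flip":
            buf[pos] ^= 1 << rng.randrange(8)
        elif op == "set":
            buf[pos] = rng.choice((0x00, 0x7F, 0x80, 0xFF))   # boundary values
        elif op == "truncate":
            del buf[pos:]
        else:
            buf[pos:pos] = buf[pos:pos + rng.randint(1, 4)]
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Feed mutated inputs to an opaque callable; keep one input per failure type."""
    rng = random.Random(rng_seed)                 # fixed seed makes findings reproducible
    findings = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue                              # documented rejection, not a finding
        except Exception as exc:                  # anything else is an unhandled failure
            findings.setdefault(type(exc).__name__, case)
    return findings

SEED = b"RC\x03abc" + bytes([sum(b"abc") & 0xFF])  # constructed valid record

if __name__ == "__main__":
    for kind, case in fuzz(parse_record, SEED).items():
        print(kind, case.hex())
```

The fuzzer never inspects the parser's source; it only observes whether each input is accepted, cleanly rejected, or triggers an unhandled error, and the saved input lets a developer replay the failure.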

Most security holes that are published are a result of using home-grown and target-specific fuzzers. These tools have been responsible for discovering many vulnerabilities in the past in products ranging from ZIP archiving software to web servers.

The interesting thing about these discoveries is that they were made by individuals who were not affiliated with the software vendor in any way, and thus had no special access to the product's source code. In most cases, the discoveries were made when the product was already on the market, resulting in large costs to the software vendors, both in bad publicity and in developing and distributing patches for the problem.

