Inprogramming andsoftware development,fuzzing orfuzz testing is an automatedsoftware testing technique that involves providing invalid, unexpected, orrandom data as inputs to acomputer program. The program is then monitored for exceptions such ascrashes, failing built-in codeassertions, or potentialmemory leaks. Typically, fuzzers are used to test programs that take structured inputs. This structure is specified, such as in afile format orprotocol and distinguishes valid from invalid input. An effective fuzzer generates semi-valid inputs that are "valid enough" in that they are not directly rejected by the parser, but do create unexpected behaviors deeper in the program and are "invalid enough" to exposecorner cases that have not been properly dealt with.
For the purpose of security, input that crosses atrust boundary is often the most useful.[1] For example, it is more important to fuzz code that handles a file uploaded by any user than it is to fuzz the code that parses a configuration file that is accessible only to a privileged user.
The term "fuzz" originates from a 1988 class project[2] in the graduate Advanced Operating Systems class (CS736), taught by Prof. Barton Miller at theUniversity of Wisconsin, whose results were subsequently published in 1990.[3][4] To fuzz test aUNIX utility meant to automatically generate random input and command-line parameters for the utility. The project was designed to test the reliability of UNIX command line programs by executing a large number of random inputs in quick succession until they crashed. Miller's team was able to crash 25 to 33 percent of the utilities that they tested. They then debugged each of the crashes to determine the cause and categorized each detected failure. To allow other researchers to conduct similar experiments with other software, the source code of the tools, the test procedures, and the raw result data were made publicly available.[5] This early fuzzing would now be called black box, generational, unstructured (dumb or "classic") fuzzing.
According to Prof. Barton Miller, "In the process of writing the project description, I needed to give this kind of testing a name. I wanted a name that would evoke the feeling of random, unstructured data. After trying out several ideas, I settled on the term fuzz."[4]
A key contribution of this early work was simple (almost simplistic) oracle. A program failed its test if it crashed or hung under the random input and was considered to have passed otherwise. While test oracles can be challenging to construct, the oracle for this early fuzz testing was simple and universal to apply.
In April 2012, Google announced ClusterFuzz, a cloud-based fuzzing infrastructure for security-critical components of theChromium web browser.[6] Security researchers can upload their own fuzzers and collect bug bounties if ClusterFuzz finds a crash with the uploaded fuzzer.
In September 2014,Shellshock[7] was disclosed as a family ofsecurity bugs in the widely usedUNIXBashshell; most vulnerabilities of Shellshock were found using the fuzzerAFL.[8] (Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash toexecute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.[9])
In April 2015, Hanno Böck showed how the fuzzer AFL could have found the 2014 Heartbleed vulnerability.[10][11] (TheHeartbleed vulnerability was disclosed in April 2014. It is a serious vulnerability that allows adversaries to decipher otherwiseencrypted communication. The vulnerability was accidentally introduced intoOpenSSL which implementsTLS and is used by the majority of the servers on the internet.Shodan reported 238,000 machines still vulnerable in April 2016;[12] 200,000 in January 2017.[13])
In August 2016, theDefense Advanced Research Projects Agency (DARPA) held the finals of the firstCyber Grand Challenge, a fully automatedcapture-the-flag competition that lasted 11 hours.[14] The objective was to develop automatic defense systems that can discover,exploit, andcorrect software flaws inreal-time. Fuzzing was used as an effective offense strategy to discover flaws in the software of the opponents. It showed tremendous potential in the automation of vulnerability detection. The winner was a system called "Mayhem"[15] developed by the team ForAllSecure led byDavid Brumley.
In September 2016, Microsoft announced Project Springfield, a cloud-based fuzz testing service for finding security critical bugs in software.[16]
In December 2016, Google announced OSS-Fuzz which allows for continuous fuzzing of several security-critical open-source projects.[17]
At Black Hat 2018, Christopher Domas demonstrated the use of fuzzing to expose the existence of a hiddenRISC core in a processor.[18] This core was able to bypass existing security checks to executeRing 0 commands from Ring 3.
In September 2020,Microsoft releasedOneFuzz, aself-hosted fuzzing-as-a-service platform that automates the detection ofsoftware bugs.[19] It supportsWindows and Linux.[20] It has been archived three years later on November 1st, 2023.[21]
Testing programs with random inputs dates back to the 1950s when data was still stored onpunched cards.[22] Programmers would use punched cards that were pulled from the trash or card decks of random numbers as input to computer programs. If an execution revealed undesired behavior, abug had been detected.
The execution of random inputs is also calledrandom testing ormonkey testing.
In 1981, Duran and Ntafos formally investigated the effectiveness of testing a program with random inputs.[23][24] While random testing had been widely perceived to be the worst means of testing a program, the authors could show that it is a cost-effective alternative to more systematic testing techniques.
In 1983,Steve Capps at Apple developed "The Monkey",[25] a tool that would generate random inputs forclassic Mac OS applications, such asMacPaint.[26] The figurative "monkey" refers to theinfinite monkey theorem which states that a monkey hitting keys at random on a typewriter keyboard for an infinite amount of time will eventually type out the entire works of Shakespeare. In the case of testing, the monkey would write the particular sequence of inputs that would trigger a crash.
In 1991, the crashme tool was released, which was intended to test the robustness of Unix andUnix-likeoperating systems by randomly executing systems calls with randomly chosen parameters.[27]
A fuzzer can be categorized in several ways:[28][1]
A mutation-based fuzzer leverages an existing corpus of seed inputs during fuzzing. It generates inputs by modifying (or rathermutating) the provided seeds.[29] For example, when fuzzing the image librarylibpng, the user would provide a set of validPNG image files as seeds while a mutation-based fuzzer would modify these seeds to produce semi-valid variants of each seed. The corpus of seed files may contain thousands of potentially similar inputs. Automated seed selection (or test suite reduction) allows users to pick the best seeds in order to maximize the total number of bugs found during a fuzz campaign.[30]
A generation-based fuzzer generates inputs from scratch. For instance, a smart generation-based fuzzer[31] takes the input model that was provided by the user to generate new inputs. Unlike mutation-based fuzzers, a generation-based fuzzer does not depend on the existence or quality of a corpus of seed inputs.
Some fuzzers have the capability to do both, to generate inputs from scratch and to generate inputs by mutation of existing seeds.[32]
Typically, fuzzers are used to generate inputs for programs that take structured inputs, such as afile, a sequence of keyboard or mouseevents, or a sequence ofmessages. This structure distinguishes valid input that is accepted and processed by the program from invalid input that is quickly rejected by the program. What constitutes a valid input may be explicitly specified in an input model. Examples of input models areformal grammars,file formats,GUI-models, andnetwork protocols. Even items not normally considered as input can be fuzzed, such as the contents ofdatabases,shared memory,environment variables or the precise interleaving ofthreads. An effective fuzzer generates semi-valid inputs that are "valid enough" so that they are not directly rejected from theparser and "invalid enough" so that they might stresscorner cases and exercise interesting program behaviours.
A smart (model-based,[32] grammar-based,[31][33] or protocol-based[34]) fuzzer leverages the input model to generate a greater proportion of valid inputs. For instance, if the input can be modelled as anabstract syntax tree, then a smart mutation-based fuzzer[33] would employ randomtransformations to move complete subtrees from one node to another. If the input can be modelled by aformal grammar, a smart generation-based fuzzer[31] would instantiate theproduction rules to generate inputs that are valid with respect to the grammar. However, generally the input model must be explicitly provided, which is difficult to do when the model is proprietary, unknown, or very complex. If a large corpus of valid and invalid inputs is available, agrammar induction technique, such asAngluin's L* algorithm, would be able to generate an input model.[35][36]
A dumb fuzzer[37][38] does not require the input model and can thus be employed to fuzz a wider variety of programs. For instance,AFL is a dumb mutation-based fuzzer that modifies a seed file byflipping random bits, by substituting random bytes with "interesting" values, and by moving or deleting blocks of data. However, a dumb fuzzer might generate a lower proportion of valid inputs and stress theparser code rather than the main components of a program. The disadvantage of dumb fuzzers can be illustrated by means of the construction of a validchecksum for acyclic redundancy check (CRC). A CRC is anerror-detecting code that ensures that theintegrity of the data contained in the input file is preserved duringtransmission. A checksum is computed over the input data and recorded in the file. When the program processes the received file and the recorded checksum does not match the re-computed checksum, then the file is rejected as invalid. Now, a fuzzer that is unaware of the CRC is unlikely to generate the correct checksum. However, there are attempts to identify and re-compute a potential checksum in the mutated input, once a dumb mutation-based fuzzer has modified the protected data.[39]
Typically, a fuzzer is considered more effective if it achieves a higher degree ofcode coverage. The rationale is, if a fuzzer does not exercise certain structural elements in the program, then it is also not able to revealbugs that are hiding in these elements. Some program elements are considered more critical than others. For instance, a division operator might cause adivision by zero error, or asystem call may crash the program.
Ablack-box fuzzer[37][33] treats the program as ablack box and is unaware of internal program structure. For instance, arandom testing tool that generates inputs at random is considered a blackbox fuzzer. Hence, a blackbox fuzzer can execute several hundred inputs per second, can be easily parallelized, and can scale to programs of arbitrary size. However, blackbox fuzzers may only scratch the surface and expose "shallow" bugs. Hence, there are attempts to develop blackbox fuzzers that can incrementally learn about the internal structure (and behavior) of a program during fuzzing by observing the program's output given an input. For instance, LearnLib employsactive learning to generate anautomaton that represents the behavior of a web application.
Awhite-box fuzzer[38][32] leveragesprogram analysis to systematically increasecode coverage or to reach certain critical program locations. For instance, SAGE[40] leveragessymbolic execution to systematically explore different paths in the program (a technique known asconcolic execution).If theprogram's specification is available, a whitebox fuzzer might leverage techniques frommodel-based testing to generate inputs and check the program outputs against the program specification.A whitebox fuzzer can be very effective at exposing bugs that hide deep in the program. However, the time used for analysis (of the program or its specification) can become prohibitive. If the whitebox fuzzer takes relatively too long to generate an input, a blackbox fuzzer will be more efficient.[41] Hence, there are attempts to combine the efficiency of blackbox fuzzers and the effectiveness of whitebox fuzzers.[42]
Agray-box fuzzer leveragesinstrumentation rather than program analysis to glean information about the program. For instance, AFL and libFuzzer utilize lightweight instrumentation to tracebasic block transitions exercised by an input. This leads to a reasonable performance overhead but informs the fuzzer about the increase in code coverage during fuzzing, which makes gray-box fuzzers extremely efficient vulnerability detection tools.[43]
Fuzzing is used mostly as an automated technique to exposevulnerabilities in security-critical programs that might beexploited with malicious intent.[6][16][17] More generally, fuzzing is used to demonstrate the presence of bugs rather than their absence. Running a fuzzing campaign for several weeks without finding a bug does not prove the program correct.[44] After all, the program may still fail for an input that has not been executed, yet; executing a program for all inputs is prohibitively expensive. If the objective is to prove a program correct for all inputs, aformal specification must exist and techniques fromformal methods must be used.
In order to expose bugs, a fuzzer must be able to distinguish expected (normal) from unexpected (buggy) program behavior. However, a machine cannot always distinguish a bug from a feature. In automatedsoftware testing, this is also called thetest oracle problem.[45][46]
Typically, a fuzzer distinguishes between crashing and non-crashing inputs in the absence ofspecifications and to use a simple and objective measure.Crashes can be easily identified and might indicate potential vulnerabilities (e.g.,denial of service orarbitrary code execution). However, the absence of a crash does not indicate the absence of a vulnerability. For instance, a program written inC may or may not crash when an input causes abuffer overflow. Rather the program's behavior isundefined.
To make a fuzzer more sensitive to failures other than crashes, sanitizers can be used to inject assertions that crash the program when a failure is detected.[47][48] There are different sanitizers for different kinds of bugs:
Fuzzing can also be used to detect "differential" bugs if areference implementation is available. For automatedregression testing,[49] the generated inputs are executed on twoversions of the same program. For automateddifferential testing,[50] the generated inputs are executed on two implementations of the same program (e.g.,lighttpd andhttpd are both implementations of a web server). If the two variants produce different output for the same input, then one may be buggy and should be examined more closely.
Static program analysis analyzes a program without actually executing it. This might lead tofalse positives where the tool reports problems with the program that do not actually exist. Fuzzing in combination withdynamic program analysis can be used to try to generate an input that actually witnesses the reported problem.[51]
Modern web browsers undergo extensive fuzzing. TheChromium code ofGoogle Chrome is continuously fuzzed by the Chrome Security Team with 15,000 cores.[52] ForMicrosoft Edge [Legacy] andInternet Explorer,Microsoft performed fuzzed testing with 670 machine-years during product development, generating more than 400 billionDOM manipulations from 1 billion HTML files.[53][52]
A fuzzer produces a large number of inputs in a relatively short time. For instance, in 2016 the Google OSS-fuzz project produced around 4trillion inputs a week.[17] Hence, many fuzzers provide atoolchain that automates otherwise manual and tedious tasks which follow the automated generation of failure-inducing inputs.
Automated bug triage is used to group a large number of failure-inducing inputs byroot cause and to prioritize each individual bug by severity. A fuzzer produces a large number of inputs, and many of the failure-inducing ones may effectively expose the samesoftware bug. Only some of these bugs aresecurity-critical and should bepatched with higher priority. For instance theCERT Coordination Center provides the Linux triage tools which group crashing inputs by the producedstack trace and lists each group according to their probability to beexploitable.[54] The Microsoft Security Research Centre (MSEC) developed the "!exploitable" tool which first creates ahash for a crashing input to determine its uniqueness and then assigns an exploitability rating:[55]
Previously unreported, triaged bugs might be automaticallyreported to abug tracking system. For instance, OSS-Fuzz runs large-scale, long-running fuzzing campaigns for several security-critical software projects where each previously unreported, distinct bug is reported directly to a bug tracker.[17] The OSS-Fuzz bug tracker automatically informs themaintainer of the vulnerable software and checks in regular intervals whether the bug has been fixed in the most recentrevision using the uploaded minimized failure-inducing input.
Automated input minimization (or test case reduction) is an automateddebugging technique to isolate that part of the failure-inducing input that is actually inducing the failure.[56][57] If the failure-inducing input is large and mostly malformed, it might be difficult for a developer to understand what exactly is causing the bug. Given the failure-inducing input, an automated minimization tool would remove as many input bytes as possible while still reproducing the original bug. For instance,Delta Debugging is an automated input minimization technique that employs an extendedbinary search algorithm to find such a minimal input.[58]
![[icon]](/mt/?noimg=&dark=on&url=https%3a%2f%2fen.wikipedia.org%2fwiki%2fFile%3aWiki_letter_w_cropped.svg) | This sectionneeds expansion. You can help byadding to it.(February 2023) |
The following is a list of fuzzers described as "popular", "widely used", or similar in the academic literature.[59][60]
| Name | White/gray/black-box | Smart/dumb | Description | Written in | License |
|---|---|---|---|---|---|
| AFL[61][62] | Gray | Dumb | C | Apache 2.0 | |
| AFL++[63] | Gray | Dumb | C | Apache 2.0 | |
| AFLFast[64] | Gray | Dumb | C | Apache 2.0 | |
| Angora[65] | Gray | Dumb | C++ | Apache 2.0 | |
| honggfuzz[66][67] | Gray | Dumb | C | Apache 2.0 | |
| QSYM[68] | [?] | [?] | [?] | [?] | |
| SymCC[69] | White[70] | [?] | C++ | GPL, LGPL | |
| T-Fuzz[71] | [?] | [?] | [?] | [?] | |
| VUzzer[72] | [?] | [?] | [?] | [?] |
