Science Fair Project Encyclopedia
Fuzz testing
Fuzz testing is a software testing technique. The basic idea is to attach the inputs of a program to a source of random data. If the program fails, then there are defects to correct.
The great advantage of fuzz testing is that the test design is extemely simple.
| Contents |
Uses
Fuzz testing is often used in large software development projects that perform black box testing. These usually have a budget to develop test tools.
Fuzz testing is also used as a gross measurement of a large software system's quality. The advantage here is that the cost of generating the tests is relatively low. For example, third party testers have used fuzz testing to evaluate the relative merits of different operating systems and application programs.
Fuzz testing is thought to enhance software security because it often finds odd oversights and defects. These are exactly the sorts of defects that most cracking programs use.
Fuzz testing is thought to enhance software safety because it provides evidence that the software can cope with most combinations of inputs.
How to Do It
As a practical matter, developers need to reproduce errors in order to fix them. For this reason, almost all fuzz testing makes a record of the data it manufactures, usually before applying it to the software, so that if the computer fails dramatically, the test data is preserved.
Modern software has several different types of inputs:
- Event driven inputs are usually from a graphical user interface, or possibly from a mechanism in an embedded system.
- Character driven inputs are from files, or data streams.
- Database inputs are from tabular data, such as relational databases.
There are at least two different forms of fuzz testing:
- Valid fuzz attempts to assure that the random input is reasonable, or conforms to actual production data.
- Simple fuzz usually uses a pseudo random number generator to provide input.
Fuzz testing may use tools to simulate all of these domains.
Event Driven Fuzz
Normally this is provided as a queue of datastructures. The queue is fileld with data structures that have random values.
The most common problem with an event-driven program is that it will often simply use the data in the queue, without even crude validation. To succeed in a fuzz-tested environment, software must validate all fields of every queue entry, decode every possible binary value, and then ignore impossible requests.
One of the more interesting issues with real-time event handling is that if error reporting is too verbose, simply providing error status can cause resource problems or a crash. Robust error detection systems will report only the most significant, or most recent error over a period of time.
Character Driven Fuzz
Normally this is provided as a stream of random data. The classic source in UNIX is the random data generator.
One common problem with a character driven program is a buffer overrun, when the character data exceeds the available buffer space. This problem tends to recur in every instance in which a string or number is parsed from the data stream and placed in a limited-size area.
Another is that decode tables or logic may be incomplete, not handling every possible binary value.
Database Fuzz
The standard database scheme is usually filled with fuzz that is random data of random sizes. Some IT shops use software tools to migrate and manipulate such databases. Often the same schema descriptions can be used to automatically generate fuzz databases.
Database fuzz is controversial, because input and comparison constraints reduce the invalid data in a database. However, often the database is more tolerant of odd data than its client software, and a general-purpose interface is available to users. Since major customer and enterprise management software is starting to be open-source, database-based security attacks are becoming more credible.
A common problem with fuzz databases is buffer overrun. A common data dictionary, with some form of automated enforcement is quite helpful and entirely possible. To enforce this, normally all the database clients need to be recompiled and retested at the same time. Another common problem is that database clients may not enderstand the binary possibilities of the database field type, or, legacy software might have been ported to a new database system with different possible binary values. A normal, inexpensive solution is to have each program validate database inputs in the same fashion as user inputs. The normal way to achieve this is to periodically "clean" production databases with automated verifiers.
See also
Links
- University of Wisconsin fuzz testing site includes results of fuzz testing some common software systems.
- Microsoft's Secure Development Process uses fuzz testing to help assure security.
- The Bulletproof Penguin: Fuzz testing of Linux
- Home page of Fuzz, a Linux fuzz-testing utility
The contents of this article is licensed from www.wikipedia.org under the GNU Free Documentation License. Click here to see the transparent copy and copyright details