{"id":640509,"date":"2020-03-04T09:28:12","date_gmt":"2020-03-04T17:28:12","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/research\/?p=640509"},"modified":"2020-03-04T09:28:12","modified_gmt":"2020-03-04T17:28:12","slug":"a-brief-introduction-to-fuzzing-and-why-its-an-important-tool-for-developers","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/research\/blog\/a-brief-introduction-to-fuzzing-and-why-its-an-important-tool-for-developers\/","title":{"rendered":"A brief introduction to fuzzing and why it\u2019s an important tool for developers"},"content":{"rendered":"
In the February 2020 issue of Communications of the ACM, Microsoft researcher Patrice Godefroid published a new review article entitled “Fuzzing: Hack, Art, and Science,” which presents an overview of the main automated testing techniques in use today for finding security vulnerabilities in software.

Fuzzing means automatic test generation and execution with the goal of finding security vulnerabilities. Over the last two decades, fuzzing has become a mainstay in software security. Thousands of security vulnerabilities in all kinds of software have been found using fuzzing.

At a high level, there are three main types of fuzzing techniques.

Blackbox random fuzzing simply randomly mutates well-formed program inputs and then runs the program with those mutated inputs with the hope of triggering bugs. It is a simple hack, but it can be remarkably effective in finding bugs in programs that have never been fuzzed.

Grammar-based fuzzing is an alternative approach for fuzzing complex formats. With this approach, the user provides an input grammar specifying the input format of the application under test. Often, the user also specifies what input parts are to be fuzzed and how. From such an input grammar, a grammar-based “fuzzer” then generates many new inputs, each satisfying the constraints encoded by the grammar. Grammar-based fuzzing extends fuzzing to an art by allowing the user’s creativity and expertise to guide fuzzing. (According to the Oxford English Dictionary, art is “the expression … of human creative skill and imagination.”)

The third main approach to fuzzing is whitebox fuzzing, which has been pioneered at Microsoft Research (first published in 2008). This approach consists of symbolically executing the program under test dynamically and gathering constraints on inputs from conditional branches encountered along the execution. All these constraints are then systematically negated one by one and solved with a constraint solver, whose solutions are mapped to new inputs that exercise different program execution paths. This process is repeated using systematic search techniques that attempt to sweep through all (in practice, many) feasible execution paths of the program. Compared to blackbox random fuzzing, whitebox fuzzing is usually more precise, can exercise more code, and thus discover more bugs. Whitebox fuzzing leverages advances in computer science research on program verification and explores how and when fuzzing can be mathematically “sound and complete” and can provide verification guarantees.

The advantages and limitations of each of these three main fuzzing techniques are described in detail in Godefroid’s article. Various combinations of these techniques are also discussed.

So in the end, is fuzzing a hack, an art, or a science? Well, in practice, it is a bit of all three, depending on the situation or technique used.

The bottom line is this: If you develop software that may process untrusted inputs (that an attacker could control) and have never used fuzzing, you probably should!

To learn more about fuzzing, this review article is a good starting point, or watch this video with Microsoft researcher Patrice Godefroid.

Why should developers add fuzzing to their toolkit?