{"id":640509,"date":"2020-03-04T09:28:12","date_gmt":"2020-03-04T17:28:12","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/research\/?p=640509"},"modified":"2020-03-04T09:28:12","modified_gmt":"2020-03-04T17:28:12","slug":"a-brief-introduction-to-fuzzing-and-why-its-an-important-tool-for-developers","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/research\/blog\/a-brief-introduction-to-fuzzing-and-why-its-an-important-tool-for-developers\/","title":{"rendered":"A brief introduction to fuzzing and why it\u2019s an important tool for developers"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-640782 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2020\/03\/MSR_FuzzingBlogHero1400x788.gif\" alt=\"\" width=\"1400\" height=\"788\" \/><\/p>\n<p>In the <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/cacm.acm.org\/magazines\/2020\/2\/242350-fuzzing\/abstract\">February 2020 issue of Communications of the ACM<\/a>, Microsoft researcher <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/people\/pg\/\">Patrice Godefroid<\/a> published <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/patricegodefroid.github.io\/public_psfiles\/Fuzzing-101-CACM2020.pdf\">a new review article<\/a> entitled \u201cFuzzing: Hack, Art, and Science,\u201d which presents an overview of the main <strong>automated testing techniques<\/strong> in use today for finding <strong>security vulnerabilities<\/strong> in software.<\/p>\n<p><em>Fuzzing<\/em> means automatic test generation and execution with the goal of finding security vulnerabilities. Over the last two decades, fuzzing has become a mainstay in software security. Thousands of security vulnerabilities in all kinds of software have been found using fuzzing.<\/p>\n<h3>Why should developers add fuzzing to their toolkit?<\/h3>\n<ul>\n<li>Fuzzing is an effective way to find security bugs in software, so much so that the <a href=\"https:\/\/www.microsoft.com\/en-us\/securityengineering\/sdl\/\">Microsoft Security Development Lifecycle<\/a> requires fuzzing at every untrusted interface of every product.<\/li>\n<li>If you develop software that may process untrusted inputs, you should use fuzzing.<\/li>\n<li>If you are working with standalone applications with large, complex data parsers, fuzzing is very effective.<\/li>\n<li>Fuzzing finds vulnerabilities often missed by static program analysis and manual code inspection.<\/li>\n<\/ul>\n<p>At a high level, there are three main types of fuzzing techniques.<\/p>\n<p><em>Blackbox random fuzzing<\/em> simply randomly mutates well-formed program inputs and then runs the program with those mutated inputs with the hope of triggering bugs. It is a simple <em>hack<\/em>, but it can be remarkably effective in finding bugs in programs that have never been fuzzed.<\/p>\n<p><em>Grammar-based fuzzing<\/em> is an alternative approach for fuzzing complex formats. With this approach, the user provides an <em>input grammar<\/em> specifying the input format of the application under test. Often, the user also specifies what input parts are to be fuzzed and how. From such an input grammar, a grammar-based \u201cfuzzer\u201d then generates many new inputs, each satisfying the constraints encoded by the grammar. Grammar-based fuzzing extends fuzzing to an art by allowing the user\u2019s creativity and expertise to guide fuzzing. (According to the Oxford English Dictionary, art is \u201cthe expression \u2026 of human creative skill and imagination.\u201d)<\/p>\n<p>The third main approach to fuzzing is <em>whitebox fuzzing<\/em>, which has been pioneered at <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/publication\/automated-whitebox-fuzz-testing\/\">Microsoft Research (first published in 2008)<\/a>. This approach consists of <em>symbolically executing<\/em> the program under test dynamically and gathering <em>constraints on inputs<\/em> from conditional branches encountered along the execution. All these constraints are then systematically negated one by one and solved with a <em>constraint<\/em> <em>solver<\/em>, whose solutions are mapped to new inputs that exercise different program execution paths. This process is repeated using systematic search techniques that attempt to sweep through all (in practice, many) feasible execution paths of the program. Compared to blackbox random fuzzing, whitebox fuzzing is usually more precise, can exercise more code, and thus <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/patricegodefroid.github.io\/public_psfiles\/cacm2012.pdf\">discover more bugs<\/a>. Whitebox fuzzing leverages advances in computer science research on program verification and explores how and when fuzzing can be mathematically \u201csound and complete\u201d and can provide verification guarantees.<\/p>\n<p>The advantages and limitations of each of these three main fuzzing techniques are described in detail in Godefroid\u2019s article. Various combinations of these techniques are also discussed.<\/p>\n<p>So in the end, is fuzzing a hack, an art, or a science? Well, in practice, it is a bit of all three, depending on the situation or technique used.<\/p>\n<p>The bottom line is this: If you develop software that may process untrusted inputs (that an attacker could control) and have never used fuzzing, you probably should!<\/p>\n<p>To learn more about fuzzing, this <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/nam06.safelinks.protection.outlook.com\/?url=https%3A%2F%2Fpatricegodefroid.github.io%2Fpublic_psfiles%2FFuzzing-101-CACM2020.pdf&data=02%7C01%7Cv-alhage%40microsoft.com%7Cbbe6f9c90f16430ff36908d7c0603ded%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637189391896233528&sdata=ox0oxHxGbQYbKAz9qkxmSCkA0TgPCUgzj3T5ssP%2Fwg0%3D&reserved=0\">review article<\/a> is a good starting point or, <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/nam06.safelinks.protection.outlook.com\/?url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D12oEACM5UEU%26feature%3Dyoutu.be&data=02%7C01%7Cv-alhage%40microsoft.com%7Cbbe6f9c90f16430ff36908d7c0603ded%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637189391896233528&sdata=WC17gZmgScZ770muRLxIM7kSMhoTcR4EOj6Owk74PVU%3D&reserved=0\">watch this video<\/a> with Microsoft researcher Patrice Godefroid.<\/p>\n<p>If you want to give it a try and start fuzzing your software, visit and try out <a href=\"https:\/\/www.microsoft.com\/en-us\/security-risk-detection\/\">Microsoft Security Risk Detection<\/a>, the first commercial cloud fuzzing service.<\/p>\n<p>Happy fuzzing!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the February 2020 issue of Communications of the ACM, Microsoft researcher Patrice Godefroid published a new review article entitled \u201cFuzzing: Hack, Art, and Science,\u201d which presents an overview of the main automated testing techniques in use today for finding security vulnerabilities in software. Fuzzing means automatic test generation and execution with the goal of [&hellip;]<\/p>\n","protected":false},"author":38838,"featured_media":640737,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"msr-url-field":"","msr-podcast-episode":"","msrModifiedDate":"","msrModifiedDateEnabled":false,"ep_exclude_from_search":false,"footnotes":""},"categories":[243750],"tags":[],"research-area":[13558],"msr-region":[],"msr-event-type":[],"msr-locale":[268875],"msr-post-option":[],"msr-impact-theme":[],"msr-promo-type":[],"msr-podcast-series":[],"class_list":["post-640509","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-2","msr-research-area-security-privacy-cryptography","msr-locale-en_us"],"msr_event_details":{"start":"","end":"","location":""},"podcast_url":"","podcast_episode":"","msr_research_lab":[],"msr_impact_theme":[],"related-publications":[],"related-downloads":[],"related-videos":[],"related-academic-programs":[],"related-groups":[],"related-projects":[],"related-events":[],"related-researchers":[],"msr_type":"Post","featured_image_thumbnail":"<img width=\"960\" height=\"540\" src=\"https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2020\/03\/MSR_FuzzingBlogHero1400x788-960x540.png\" class=\"img-object-cover\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2020\/03\/MSR_FuzzingBlogHero1400x788-960x540.png 960w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2020\/03\/MSR_FuzzingBlogHero1400x788-300x169.png 300w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2020\/03\/MSR_FuzzingBlogHero1400x788-1024x576.png 1024w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2020\/03\/MSR_FuzzingBlogHero1400x788-768x432.png 768w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2020\/03\/MSR_FuzzingBlogHero1400x788-1536x864.png 1536w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2020\/03\/MSR_FuzzingBlogHero1400x788-1066x600.png 1066w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2020\/03\/MSR_FuzzingBlogHero1400x788-655x368.png 655w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2020\/03\/MSR_FuzzingBlogHero1400x788-343x193.png 343w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2020\/03\/MSR_FuzzingBlogHero1400x788-640x360.png 640w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2020\/03\/MSR_FuzzingBlogHero1400x788-1280x720.png 1280w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2020\/03\/MSR_FuzzingBlogHero1400x788.png 1920w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/>","byline":"Patrice Godefroid","formattedDate":"March 4, 2020","formattedExcerpt":"In the February 2020 issue of Communications of the ACM, Microsoft researcher Patrice Godefroid published a new review article entitled \u201cFuzzing: Hack, Art, and Science,\u201d which presents an overview of the main automated testing techniques in use today for finding security vulnerabilities in software. Fuzzing&hellip;","locale":{"slug":"en_us","name":"English","native":"","english":"English"},"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts\/640509"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/users\/38838"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/comments?post=640509"}],"version-history":[{"count":9,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts\/640509\/revisions"}],"predecessor-version":[{"id":642267,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts\/640509\/revisions\/642267"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/media\/640737"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/media?parent=640509"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/categories?post=640509"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/tags?post=640509"},{"taxonomy":"msr-research-area","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/research-area?post=640509"},{"taxonomy":"msr-region","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-region?post=640509"},{"taxonomy":"msr-event-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-event-type?post=640509"},{"taxonomy":"msr-locale","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-locale?post=640509"},{"taxonomy":"msr-post-option","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-post-option?post=640509"},{"taxonomy":"msr-impact-theme","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-impact-theme?post=640509"},{"taxonomy":"msr-promo-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-promo-type?post=640509"},{"taxonomy":"msr-podcast-series","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-podcast-series?post=640509"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}