Fuzz Testing

Atul S. Khot (atul.khot@gmail.com)
VodQA ThoughtWorks Pune - 2013
Random behavior aka Insanity


Testing the “drink maker”



lemon juice + milk + tea leaves + (black?) salt



Rather a fuzzy drink ;-)





We human beings are somewhat “conditioned” - computers
aren't
And that is good!!!
Of talking gibberish


Try throwing senseless data at your system



And see what is uncovered







Hangs/infinite loops/exceptions/Deadlocks/race conditions whatever ;-)
Better let the computer go insane (it is all raring to go...)
And no call to recall your initial C days... Pointers going
haywire? Etc...
Is tommath right?




How do I test tommath gets its arithmetic right?
Generate random numbers – next generate arithmetic
expressions (*,/,+,-)



Run the expressions through tommath



Run the expressions through GNU bc





Compare – 30 million – different expressions – over 4 days
You get a fairly good idea
All gory details in my Linux For You article
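
The tommath-versus-bc procedure above, as an added example (not the author's harness): a seeded differential fuzzer in Python. `limb_mul` is a hypothetical stand-in for the library under test, with an optional planted truncation bug, and Python's built-in integers stand in for GNU bc as the reference.

```python
import operator
import random

BASE = 10_000  # limb radix of the toy multiplier (assumption for this example)


def to_limbs(n):
    """Non-negative int -> little-endian list of base-10^4 limbs."""
    limbs = [n % BASE]
    while n >= BASE:
        n //= BASE
        limbs.append(n % BASE)
    return limbs


def limb_mul(a, b, truncate=False):
    """Schoolbook multiply on limbs; hypothetical stand-in for the code under test.
    truncate=True plants a bug: the result buffer is one limb too short."""
    sign = -1 if (a < 0) != (b < 0) else 1
    x, y = to_limbs(abs(a)), to_limbs(abs(b))
    out = [0] * (len(x) + len(y))
    for i, xi in enumerate(x):
        carry = 0
        for j, yj in enumerate(y):
            carry, out[i + j] = divmod(out[i + j] + xi * yj + carry, BASE)
        out[i + len(y)] += carry
    if truncate:
        out = out[:-1]  # planted defect: the top limb is silently lost
    return sign * sum(limb * BASE**k for k, limb in enumerate(out))


def buggy_mul(a, b):
    return limb_mul(a, b, truncate=True)


def trunc_div(a, b):
    """Integer division truncating toward zero, so both sides share one semantics."""
    q = abs(a) // abs(b)  # raises ZeroDivisionError when b == 0
    return q if (a < 0) == (b < 0) else -q


def gen_expr(rng, depth=3):
    """Random expression tree over (*, /, +, -) with operands of 1 to 40 digits."""
    if depth == 0 or rng.random() < 0.3:
        n = rng.randrange(10 ** rng.randint(1, 40))
        return -n if rng.random() < 0.2 else n
    return (rng.choice("+-*/"), gen_expr(rng, depth - 1), gen_expr(rng, depth - 1))


def render(e):
    """Infix text of an expression, kept as the reproducer for a failing case."""
    if isinstance(e, int):
        return f"({e})" if e < 0 else str(e)
    op, left, right = e
    return f"({render(left)} {op} {render(right)})"


def evaluate(e, mul):
    if isinstance(e, int):
        return e
    op, left, right = e
    a, b = evaluate(left, mul), evaluate(right, mul)
    if op == "+":
        return a + b
    if op == "-":
        return a - b
    if op == "*":
        return mul(a, b)
    return trunc_div(a, b)


def fuzz(mul_under_test, iterations=2000, seed=2013):
    """Run the same random expressions through both sides; return disagreements."""
    rng = random.Random(seed)  # fixed seed: every failure can be replayed
    failures = []
    for _ in range(iterations):
        expr = gen_expr(rng)
        results = []
        for mul in (mul_under_test, operator.mul):  # under test, then reference
            try:
                results.append(evaluate(expr, mul))
            except ZeroDivisionError:
                results.append("divide by zero")  # an outcome to compare, not a crash
        if results[0] != results[1]:
            failures.append((render(expr), results[0], results[1]))
    return failures


if __name__ == "__main__":
    print("correct multiplier:", len(fuzz(limb_mul)), "mismatches")
    bad = fuzz(buggy_mul)
    print("truncating multiplier:", len(bad), "mismatches; first reproducer:")
    print(bad[0][0])
```

The planted bug passes small hand-picked cases such as 3 * 4 and only shows up once a product needs its top limb, which is why the random operands find it.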
Uncovering performance
bottlenecks










A campaign manager – customer needs to send a text sms to
16 million cell numbers
Cannot test – as one run would cost $35000
Decouple (very handy technique) – instead of sending to real
webservice – send it to a mock
Shell scripts run in parallel – you can spawn many thousand
parallel processes easily...
Each process is a simple socket client – sending a mobile
number – and the message
The surprise is revealed


Our algorithms were right



No big deadlocks



For this huge run – profiler indicated log4j as the culprit



Log4j's writing to a log file – was a bottleneck





Solution - use an Async appender – Events are logged
asynchronously
Nobody thought of log4j as a possible suspect ;-)
Ideas galore








Needed to test a complex tree manipulation algorithm written
in TCL
I coded the algorithm – to test I needed very big trees
Directories – Perl slicing and dicing – C++ boost library (open
source) – Files correspond to leaves in the tree
Directories are essentially random trees –
Bugs surface...


Revealed a bug - we needed to make some regex greedier



Was a corner case



Hard to see how we could have come upon it with manual
testing



A TCL expert from Norway carefully reviewed



Okayed – big moment ;-)
Platypus – (http://platypus.pz.org/)


It is just (?) simplified LaTeX



Elaborate parser



Fuzz unleashed



Produced a hang



Deemed low priority –



Will eventually get addressed
