Security Testing: Fuzzing 
Andrei Rubaniuk for 
Seattle Code Camp 2012
Agenda 
• Introduction 
• What is Fuzzing? 
• Why Fuzz? 
• How to Fuzz? 
• Fuzzing Demo 
• Q&A 
© 2012 Andrei Rubaniuk 2
Introduction 
Who am I? 
– Software Engineer in Mobile space since 2005 
– Past Projects: SlovoEd (PalmOS), Symbian OS/UIQ, 
SCMDM, Zune, Windows Phone 7 and 7.5 
Introduction (continued) 
What am I doing now? 
– At Microsoft since October 2008 
– Current organization – Windows Phone 
• SDL Tools Team 
• Helping Windows Phone org to Fuzz their code 
What is Fuzzing? 
• Testing technique that involves providing 
malformed inputs to software 
• Fuzzed (attacked) process is monitored for 
exceptions, crashes, memory leaks 
• Is commonly used to test programs that 
receive data from untrusted sources (e.g. e-mail 
client, browser, media player) 
What is Fuzzing? (continued) 
• The attacked process usually contains a parser (network 
protocols, document viewers) 
• Especially useful against proprietary software 
as it does not require access to source code 
• Became widely used in the past 10-15 years 
What is Fuzzing? (continued) 
• Is not a substitute for other types of testing 
(unit tests, BVTs/FVTs, stress, etc.) 
• Cannot prove that your code is bug free 
• But will increase confidence in the correctness 
of your code! 
What is Fuzzing? (continued) 
• Types of Fuzzing 
– Mutational 
• Smart – knows/learns about the data it mutates 
• Dumb – mutates data with no regard to its format 
– Generational 
• Lets you define the specific data format (e.g. file structure) 
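To make the three categories above concrete, here is an added example (not code from the talk or from MiniFuzz) that implements a dumb mutator, a smart mutator and a generator against a small constructed file format. The format ("IMG1" magic, 16-bit width and height, 32-bit payload length, payload) and every function name are assumptions made for the example; the point is that the smart mutator keeps the magic and the length field consistent so its output gets past early validation, while the generator builds files from the format definition alone.

```python
import random
import struct

# Constructed toy file format for this example (not the format MiniFuzz or the
# demo uses): magic "IMG1" | u16 width | u16 height | u32 payload_len | payload.
MAGIC = b"IMG1"
HEADER = struct.Struct("<4sHHI")
INTERESTING_U16 = [0, 1, 0x7FFF, 0x8000, 0xFFFF]


def make_rng(seed):
    """Seeded generator so a fuzzing run can be replayed exactly."""
    return random.Random(seed)


def build_sample(width=4, height=2, payload=None):
    """Assemble a well-formed file from its fields (the generational core)."""
    if payload is None:
        payload = bytes(i & 0xFF for i in range(width * height))
    return HEADER.pack(MAGIC, width, height, len(payload)) + payload


def parse_header(data):
    """Return (magic, width, height, payload_len) from the fixed header."""
    return HEADER.unpack_from(data)


def mutate_dumb(data, rng, n_edits=4):
    """Dumb mutation: edit random bytes with no knowledge of the format.
    Cheap and format-agnostic, but many outputs die at the magic check."""
    buf = bytearray(data)
    for _ in range(n_edits):
        i = rng.randrange(len(buf))
        roll = rng.random()
        if roll < 0.5:
            buf[i] ^= 1 << rng.randrange(8)                 # single bit flip
        elif roll < 0.8:
            buf[i] = rng.choice([0x00, 0x7F, 0x80, 0xFF])   # boundary bytes
        else:
            buf[i] = rng.randrange(256)                     # random byte
    return bytes(buf)


def mutate_smart(data, rng):
    """Smart mutation: knows the header layout, so it targets one field at a
    time and keeps the rest consistent (magic intact, length recomputed) so
    the file passes early validation and reaches the deeper parsing code."""
    magic, width, height, _ = parse_header(data)
    payload = bytearray(data[HEADER.size:])
    field = rng.choice(["width", "height", "payload"])
    if field == "width":
        width = rng.choice(INTERESTING_U16 + [(width * 2) & 0xFFFF])
    elif field == "height":
        height = rng.choice(INTERESTING_U16 + [(height + 1) & 0xFFFF])
    elif payload and rng.random() < 0.5:
        del payload[: rng.randrange(1, len(payload) + 1)]    # truncate payload
    else:
        payload += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 16)))
    return HEADER.pack(magic, width, height, len(payload)) + bytes(payload)


def generate(rng):
    """Generational fuzzing: build a new file purely from the format
    definition, choosing boundary values per field instead of editing a seed.
    The payload length is sometimes made inconsistent with width*height to
    exercise the target's length-handling code."""
    width = rng.choice(INTERESTING_U16 + [4, 255, 256])
    height = rng.choice(INTERESTING_U16 + [2, 255, 256])
    wanted = min(width * height, 64)          # cap so the sample stays small
    actual = rng.choice([wanted, 0, wanted // 2, 64])
    payload = bytes(rng.randrange(256) for _ in range(actual))
    return build_sample(width, height, payload)
```

In practice a file fuzzer mixes all three: dumb mutation is the cheapest way to hit unexpected bytes anywhere in the file, smart mutation is what gets the input past checksum and magic checks into the interesting code, and generation is the only option when no good seed corpus exists.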
Why Fuzz? 
• Relatively simple testing technique 
• Very effective at finding security bugs (DoS, 
Buffer Overflow, etc.) 
– Widely used by pentesters and hackers 
– Required by Microsoft Secure Development Lifecycle 
(SDL) 
• Inexpensive to implement 
– There are many free and commercial products (from 
iDefense, Codenomicon, etc.) 
– You can quickly implement your own fuzzer! 
• It’s Fun! 
How to Fuzz? 
• Choose the program to attack 
• Make sure the generated input thoroughly covers 
the possible input space of the attacked program 
– To be efficient, it should achieve good code coverage 
• Start Fuzzing and be Patient 
– Many bugs are found only after 100K or even 
millions of iterations 
– For example, for file fuzzing the Microsoft SDL 
requires a minimum of 100K iterations 
How to Fuzz? (continued) 
• Analyze found issues 
• Fuzzed data is your repro – open a bug! 
• Iterate and be Patient! 
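The whole loop on the two "How to Fuzz?" slides (pick a target, mutate, run many iterations, monitor for exceptions, keep the fuzzed data as the repro, then analyze) fits in one harness. The following is an added example written for this page, not the talk's demo code or MiniFuzz: the target `parse_records`, its record format, the seed input and all function names are constructed for the example. The target is a deliberately naive Python parser that trusts a count field and a divisor, so it raises where the equivalent C code would read out of bounds or crash on a divide by zero; the harness buckets failures by exception type and location so a long run reports a handful of distinct issues rather than thousands of hits, and writes the first input of each bucket to disk as the repro to attach to the bug.

```python
import hashlib
import os
import random
import tempfile
import traceback

# Constructed target for this example: a naive record parser standing in for
# the native code a file fuzzer would attack. Format: u8 count, then `count`
# records of (u8 key, u8 value), then a u8 divisor. It trusts `count` and the
# divisor, so malformed input raises IndexError or ZeroDivisionError; in C the
# same mistakes would be an out-of-bounds read and a divide-by-zero crash.
def parse_records(data):
    count = data[0]
    pos = 1
    records = {}
    for _ in range(count):
        key, value = data[pos], data[pos + 1]
        records[key] = value
        pos += 2
    divisor = data[pos]
    result = {}
    for key, value in records.items():
        result[key] = value // divisor
    return result


# Constructed well-formed seed: 3 records, divisor 2.
SEED_INPUT = bytes([3, 1, 10, 2, 20, 3, 30, 2])


def flip_bytes(data, rng, n_edits=2):
    """Minimal dumb mutator: overwrite a few bytes with boundary or random values."""
    buf = bytearray(data)
    for _ in range(n_edits):
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0xFF, rng.randrange(256)])
    return bytes(buf)


def crash_bucket(exc):
    """Group failures by exception type and the innermost frame that raised it,
    so thousands of iterations collapse into a short list of distinct issues."""
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    return f"{type(exc).__name__}_{frame.name}_L{frame.lineno}"


def fuzz(seed_input, iterations, repro_dir=None, seed=0):
    """Run the fuzz loop: mutate, feed the target, monitor for exceptions,
    and save the first input of each new bucket as the repro for that bug."""
    rng = random.Random(seed)
    if repro_dir is None:
        repro_dir = tempfile.mkdtemp(prefix="fuzz-repro-")
    buckets = {}
    for i in range(iterations):
        case = flip_bytes(seed_input, rng)
        try:
            parse_records(case)
        except Exception as exc:   # a native harness would watch for crashes/leaks here
            bucket = crash_bucket(exc)
            if bucket not in buckets:
                digest = hashlib.sha256(case).hexdigest()[:12]
                path = os.path.join(repro_dir, f"{bucket}-{digest}.bin")
                with open(path, "wb") as fh:
                    fh.write(case)          # the fuzzed data is the repro
                buckets[bucket] = {"first_seen": i, "count": 0, "repro": path}
            buckets[bucket]["count"] += 1
    return buckets


def reproduce(path):
    """Replay one saved repro against the target; True if it still fails."""
    with open(path, "rb") as fh:
        case = fh.read()
    try:
        parse_records(case)
    except Exception:
        return True
    return False


if __name__ == "__main__":
    found = fuzz(SEED_INPUT, iterations=2000)
    for bucket, info in sorted(found.items()):
        print(f"{bucket}: {info['count']} hits, first at iteration "
              f"{info['first_seen']}, repro {info['repro']}")
```

The `iterations` argument is where the patience on the slide comes in: a toy target with an 8-byte input falls over within a few hundred cases, while a real parser with a large input space is why the SDL asks for at least 100K. Against a native target the `except` clause becomes a debugger or crash-dump monitor, and `reproduce` is the check you run before filing the bug to confirm the saved file still triggers it.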
Fuzzing Demo: MiniFuzz 
• Free basic file fuzzing tool written by 
Microsoft SDL Team 
• Web: http://www.microsoft.com/security/sdl/adopt/tools.aspx 
Fuzzing Demo: MiniFuzz (continued) 
Fuzzing Demo: fuzzed code 
Fuzzing Demo: Actual Demo 
Q&A 
Follow-up 
• Questions? Suggestions? Feedback? 