/* ---- Google Analytics Code Below */

Thursday, January 30, 2020

Fuzzing for Testing Security Vulnerabilities

Of interest from Communications of the ACM:

"Fuzzing: Hack, Art, and Science," by Patrice Godefroid, recommends fuzz testing to detect security vulnerabilities in software. Godefroid describes three core fuzzing techniques in an original video :

Fuzzing: Hack, Art, and Science   By Patrice Godefroid   (Abstract) 
Communications of the ACM, February 2020, Vol. 63 No. 2, Pages 70-76

Fuzzing, or fuzz testing, is the process of finding security vulnerabilities in input-parsing code by repeatedly testing the parser with modified, or fuzzed, inputs.35 Since the early 2000s, fuzzing has become a mainstream practice in assessing software security. Thousands of security vulnerabilities have been found while fuzzing all kinds of software applications for processing documents, images, sounds, videos, network packets, Web pages, among others. These applications must deal with untrusted inputs encoded in complex data formats. For example, the Microsoft Windows operating system supports over 360 file formats and includes millions of 

Most of the code to process such files and packets evolved over the last 20+ years. It is large, complex, and written in C/C++ for performance reasons. If an attacker could trigger a buffer-overflow bug in one of these applications, s/he could corrupt the memory of the application and possibly hijack its execution to run malicious code (elevation-of-privilege attack), or steal internal information (information-disclosure attack), or simply crash the application (denial-of-service attack).9 Such attacks might be launched by tricking the victim into opening a single malicious document, image, or Web page. If you are reading this article on an electronic device, you are using a PDF and JPEG parser in order to see Figure 1. ... " 

No comments: