Fuzzy Wuzzy Was a Bear
What is Fuzzing, and why do I need to know?
Fuzzing is the latest vulnerability discovery method to attract widespread attention from researchers and hackers alike. It is essentially the process of forcing an application or software function to accept input that may not be valid, in order to discover vulnerabilities related to input validation. Poor input validation can lead to a number of failures, from simple application crashes through to complete control of vulnerable systems.
One reason why it has attracted increased attention is that it is a fairly simple process to undertake. Increasing numbers of automated tools make vulnerability disclosure a point and click operation. This ease of operation means that some researchers look down on those who appear to do nothing else than point and click their way to vulnerability disclosure (and temporary InfoSec fame). Others have humorously opined that you aren't a real Information Security researcher unless you write your own fuzzing tool.
The rapid rise in web application development and usage, many of which are poorly coded, and increasing levels of networked / multi-user software which has not been designed with security in mind has seen an almost infinite number of opportunities for fuzzing researchers to find holes in critical applications. Tying sensitive personal and financial data to outward facing (Internet-facing) systems is even more incentive for attackers and researchers to find more holes.
Should be a part of testing
A case could be made that a rigorous testing protocol for new code sections should include tests for handling of invalid and semi-valid input, to allow problems to be solved at development time. While standalone sections of code are relatively easy to test for input handling issues, when complex sections of code are linked together, strange input can come from unexpected places. What may pass as valid input for one section of the code might cause handling issues in code that is subsequently passed that input.
Development-time fuzzing helps to make for more secure code, though testing and Quality Assurance are the processes most likely to be overlooked in the march towards code release.
While it is fairly simple to truncate input of excessive length (one case of invalid input), it is harder to develop a whitelist of accepted character input, especially when support for international character sets and punctuation is required. For example, the humble apostrophe is one of the most dangerous characters when it comes to SQL injection opportunities. Content that the user supplies is not the only input that has to be considered - the validity of file data that is supplied should also be considered. If all it takes to wipe a server is a change to a single data file, then someone will find a way to do it.
As long as software is developed which handles input validation poorly, there will continue to be a need for fuzzing tools.
8 April 2006
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.Comments will soon be available for registered users.