The Center for Education and Research in Information Assurance and Security (CERIAS)


Derek Dervishian - Lockheed Martin Corporation


Fuzzing: Understanding the Landscape

Oct 18, 2023


Abstract

The number of software vulnerabilities found in modern computing systems has been on the rise for some time now. As more and more software is being developed, software testing is increasingly becoming an important part of the software development cycle, with the goal of rooting out any and all vulnerabilities before public release. However, finding software vulnerabilities is not a trivial task, especially in complex software systems with thousands of lines of code and complicated system interactions. Just a single vulnerability making its way into a software product/service can have devastating consequences, if not discovered and patched in good time.

Luckily, there is a plethora of available software testing tools and techniques. One such software testing approach is called fuzzing. Fuzzing is an automated program testing technique introduced in the late 1980s and has become a critical tool in a software tester's toolkit. Fuzzing is based on the simple idea of feeding software lots of mutated inputs and monitoring the program state for any anomalous behavior. Fuzzers have had a long and successful track record of finding software vulnerabilities. This success brought forth new and innovative approaches to improve the overall fuzzing process in all aspects. However, despite its success and widespread use, fuzzing is not a "one size fits all" approach. Software testers still have to tailor their fuzzing methodology to the software under test. Therefore, understanding the inner workings of fuzzers is absolutely vital in order to determine when and how to use them most effectively.

About the Speaker

Derek Dervishian works as a cybersecurity research engineer at Lockheed Martin - Advanced Technology Laboratories, an advanced applied R&D division of the Lockheed Martin Corporation, specializing in cyber, autonomy, data analytics and much more. In this role, Derek has worked on several R&D projects across multiple technical areas, including vulnerability research and binary analysis.

Derek graduated from Purdue University with a Bachelor's degree in Computer Engineering in December 2020. Derek is currently pursuing a Master's degree in Computer Science from the Georgia Institute of Technology.

