I am going to present an extended tutorial session on the subject of fuzzing at STeP-IN Security Theme Conference to held on April 16-17, 2009 at Pune. To make it further interesting and useful, I am going to be accompanied by Sethilvel Chidambaram who is a Senior Project Lead at McAfee with a very good experience in the area of anti-virus solutions.

Here is the summary and agenda of the presentation:

FUZZING – Ensuring Software Security through Automated Data Corruption.

Introduction

Fuzzing is about finding possible security issues with software through data corruption. The software in discussion might be a desktop application, a network daemon, an API or anything you could think of. Fuzzing is extensively used by security researchers and large scale product development companies. It has become an essential part of the Security Development Life Cycle in many organizations and is known to find a high percentage of security issues as compared to other techniques.

All in all, fuzzing is a good and easy way to test software for security issues. A software tester can further contribute in the area by brushing up skills on threat modeling for analyzing various input vectors and associated threats, code coverage to check effectiveness of fuzzing tool, core dump analysis to understanding cause of the crashes captured and vulnerability analysis to associate crashes to a possible vulnerability that could be exploited.

Fuzzing should not be thought of as a replacement for other forms of testing. It should be a new form of testing added to the existing tests being conducted.

Pre-Requisites

Beginner-level Software Testing Experience

Who Should Attend?

Anyone with an urge to learn and experiment around security testing

Session Flow

Introduction

• Defining Fuzzing
• Its relevance to testers
• History and Research done so far
• Fuzzing as an automated testing technique
• Existing tools and frameworks

Before we discuss fuzzing

• Generation and Mutation of Data

• Binary Data
  • Packing
  • Little Endian/Big Endian
• Data Formats: Network packets/File formats
• Tools (with demo)
  • Hex Editors
  • Network Package capturing – Ethereal
  • Information gathering – Reconnaissance
    • RegMon
    • FileMon
    • Process explorer
• Which Programming Language is suitable?

Fuzzing Process (TIGEMA)

• Target Identification
• Input Vectors
• Generation
• Execution
• Monitoring
• Analysis

Fuzzing types

• File fuzzing
• Environment variables fuzzing
• Registry fuzzing
• Web Application fuzzing
• Network Application fuzzing
• Browser fuzzing

Fuzz Heuristics

• Common Attack patterns

Demo on Fuzzing tools

• API Fuzzer
• CLS Fuzzer
• Framework: A popular free/open-source fuzzing framework (e.g. Peach)
• Generic File Fuzzer: A popular free/open-source fuzzing tool (e.g. FileFuzz)

Designing a fuzzing Framework/Tool

• Design Snapshot
• Design considerations

Further steps

References and Conclusion

You can find registration and other details on the STeP-IN Forum Security Testing Conference page.

See you at the conference!

Rahul Verma

Site Admin, Testing Perspective