Fuzz - 2.0 - How & mechanics

How fuzzing works?

1. Look for attack surface *inputs
2. Generate fuzzed data for input
   1. Mutated
   2. Generational
   3. Differential
3. Execute test case
4. Monitor for exceptions
5. Determine exploitability

Mutated

take an success test case as sample case, corrupt some parts of it
Pros: easy to check if the test is success, comparable results
Cons: not much results in low coding entropy, since the corrupted data wont cover a lot of code paths

Generational

Generate based on data model.
Pros: more cases to test, more code paths to be covered.
Cons: infinite test cases to each stage of a code path.
Hard to generate vary protocols.

Differential

Any fuzzing algorithm that actively reduces the testing state space

• focused on code path coverage
• adjustment after each round
  Pros: automated, limited time, more code coverage testing
  Limits: hard to implement

Test case should be considered based on those mechanics

• Oblivious
  • just random input, zero consideration of the system
• Block
  • delimiters, tags for markup languages, meta characters etc
• Grammar
  • custom grammar to generate the format
  • https://github.com/MozillaSecurity/dharma
  • https://www.darknet.org.uk/2015/07/dharma-generation-based-context-free-grammar-fuzzing-tool/
• Template
  • given templates for given test case
  • file format / header / frame / packets etc
• Heuristic
  • making smarter decisions to reduce test cases
  • try to look for the potiential code path
• Instrumentation
  • Debugger inspection
    • gdb / strace
  • Binary inspection

Time complexity - most cases its O(n)