RubyConf: Zed Shaw: Fuzzing
Posted by Nick Sieger Sat, 21 Oct 2006 02:51:38 GMT
What is Fuzzing?
- Throw random stuff at an app until it breaks, with maliciously crafted inputs. It’s the randomness, stupid.
- Creating a model for an attack
- Sampling, survival analysis and mean-time-between-failures (MTBF)
- Shallow -- errors come right away, but then few and far between
- Not smart
- Not always needed
- Destructive -- don’t do it against your production system!
- Potentially expensive
- Fun making developers go insane
- Finds bugs even in closed source software
- Easy to do when you have the right tools
- Excellent for regression/load/DDOS/pen testing
- Large existing base of tools (links from Zed’s site)
- Designed to be a simple data container for all the HTTP objects, so you can easily store and replay requests
- Randomness engine (RC4 cipher) generates random bytes, numbers, chars, base64, etc.
- Data collection (ten runs of ten samples, spits out .csv files)
- Session management (dump cookie management)
- Rails security test (see also my post on this subject)
- Chunked encoding test
- Mongrel test suite -- test GET vs. PUT to see if there is any difference in performance between the two methods
- Random ruby scripts from a grammar
- Automatic random AR fixtures
- Thrash functions for unit tests
- Random thrashing of other protocols
- Release RFuzz’s HTTP client separately as an alternative to
- Hpricot and RWB inclusion
- Utu -- HCI research to see if it’s possible to measure how programmers interact