RubyConf: Zed Shaw: Fuzzing

Posted by Nick Sieger Sat, 21 Oct 2006 02:51:38 GMT

What is Fuzzing?

  • Throw random stuff at an app until it breaks, with maliciously crafted inputs. It’s the randomness, stupid.
  • Creating a model for an attack
  • Sampling, survival analysis and mean-time-between-failures (MTBF)

Limitations

  • Shallow -- errors come right away, but then few and far between
  • Not smart
  • Not always needed

Disadvantages

  • Destructive -- don’t do it against your production system!
  • Potentially expensive

Advantages

  • Fun making developers go insane
  • Finds bugs even in closed source software
  • Easy to do when you have the right tools
  • Excellent for regression/load/DDOS/pen testing
  • Large existing base of tools (links from Zed’s site)

Demo/Usage

  • Designed to be a simple data container for all the HTTP objects, so you can easily store and replay requests
  • Randomness engine (RC4 cipher) generates random bytes, numbers, chars, base64, etc.
  • Data collection (ten runs of ten samples, spits out .csv files)
  • Session management (dump cookie management)
  • Rails security test (see also my post on this subject)
  • Chunked encoding test
  • Mongrel test suite -- test GET vs. PUT to see if there is any difference in performance between the two methods

Other Ideas

  • Random ruby scripts from a grammar
  • Automatic random AR fixtures
  • Thrash functions for unit tests
  • Random thrashing of other protocols
  • Release RFuzz’s HTTP client separately as an alternative to net/http
  • Hpricot and RWB inclusion
  • Utu -- HCI research to see if it’s possible to measure how programmers interact
