Nick Sieger: RubyConf: Zed Shaw: Fuzzing (posted 2006-10-21, updated 2007-08-31)
<h2>What is Fuzzing?</h2>
<ul>
<li>Throw random, maliciously crafted inputs at an application until it breaks. It’s the randomness, stupid.</li>
<li>Creating a model for an attack</li>
<li>Sampling, survival analysis and mean-time-between-failures (MTBF)</li>
</ul>
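<p>To make the sampling and MTBF points concrete, here is an added Ruby example; it is not RFuzz and not code from the talk. It runs a seeded random-input fuzz loop against a constructed toy parser with a deliberate truncation bug and reports failure count, survival rate, mean time between failures (in trials) and the distinct exception signatures seen. The target, its bug, and the <code>parse_field</code>/<code>fuzz</code> names are assumptions made for illustration.</p>

```ruby
# Added example (not RFuzz and not code from the talk): a minimal fuzz loop
# with the statistics the talk mentions. Names are illustrative.

# Constructed toy target: parses one length-prefixed field. The bug is
# deliberate for the demo: it trusts the declared length and never checks
# that enough bytes actually arrived, so truncated input makes it raise.
def parse_field(bytes)
  len  = bytes.getbyte(0) & 0x0F          # NoMethodError on empty input
  body = bytes.byteslice(1, len)           # may be shorter than len
  checksum = body.bytes.reduce(0) { |acc, b| acc ^ b }
  last = body.getbyte(len - 1)             # nil when truncated (or len == 0)
  checksum ^ last                          # TypeError when last is nil
end

# Feed `trials` random byte strings (0..max_len bytes) to `target`, a callable
# taking a String. A seeded Random makes every run replayable: the same seed
# reproduces the same inputs, so a failing case can be handed to a developer.
def fuzz(target, trials:, seed:, max_len: 16)
  rng = Random.new(seed)
  failures = []   # [trial index, exception class, message]
  trials.times do |i|
    input = rng.bytes(rng.rand(0..max_len))
    begin
      target.call(input)
    rescue StandardError => e
      failures << [i, e.class, e.message]
    end
  end
  # Survival: fraction of inputs the target handled without raising.
  # MTBF: mean number of trials between failures (infinite if none failed).
  survival = 1.0 - failures.size.to_f / trials
  mtbf = failures.empty? ? Float::INFINITY : trials.to_f / failures.size
  {
    trials: trials,
    failures: failures.size,
    survival_rate: survival,
    mtbf: mtbf,
    first_failure_at: failures.first&.first,
    # Distinct signatures: fuzzing is "shallow" -- this list fills up in the
    # first few trials and then rarely grows.
    signatures: failures.map { |_, klass, _| klass.name }.uniq.sort
  }
end

if $PROGRAM_NAME == __FILE__
  report = fuzz(method(:parse_field), trials: 1_000, seed: 42)
  report.each { |k, v| puts "#{k}: #{v}" }
end
```

<p>Run it twice with the same seed and you get the same report; change the seed and the failure count moves while the set of signatures stays the same, which is the shallowness the talk warns about. Never point this loop at a production system: every failing input here would be a crash there.</p>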
<h2>Limitations</h2>
<ul>
<li>Shallow – the first errors come right away, but after that new ones are few and far between</li>
<li>Not smart</li>
<li>Not always needed</li>
</ul>
<h2>Disadvantages</h2>
<ul>
<li>Destructive – don’t do it against your production system!</li>
<li>Potentially expensive</li>
</ul>
<h2>Advantages</h2>
<ul>
<li>Fun making developers go insane</li>
<li>Finds bugs even in closed source software</li>
<li>Easy to do when you have the right tools</li>
<li>Excellent for regression/load/DDoS/pen testing</li>
<li>Large existing base of tools (links from Zed’s site)</li>
</ul>
<h2>Demo/Usage</h2>
<ul>
<li>RFuzz is designed as a simple data container for all the HTTP objects, so requests can easily be stored and replayed</li>
<li>Randomness engine (built on the RC4 cipher’s keystream) generates random bytes, numbers, characters, base64 strings, etc.</li>
<li>Data collection (ten runs of ten samples, written out as .csv files)</li>
<li>Session management (simple cookie management)</li>
<li>Rails security test (see also <a href="/articles/2006/08/15/security-threat-last-week">my post on this subject</a>)</li>
<li>Chunked encoding test</li>
<li>Mongrel test suite – test GET vs. PUT to see if there is any difference in performance between the two methods</li>
</ul>
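<p>The randomness engine and the data collection step above are the two pieces worth seeing in code. The following is an added Ruby example, not RFuzz’s own implementation: an RC4-keystream random generator of the kind the talk describes (bytes, numbers, printable characters, base64), plus a “ten runs of ten samples” collector that renders CSV. RC4 is long broken as a cipher; here it is only a fast, seedable byte stream, and the seed is what makes a fuzz run replayable. The class and function names (<code>RC4Random</code>, <code>collect</code>, <code>to_csv</code>) are assumptions for this illustration.</p>

```ruby
# Added example (not RFuzz's code): an RC4-keystream random engine plus a
# runs x samples collector that emits CSV. RC4 is not used here for secrecy,
# only as a deterministic byte stream keyed by the seed.
class RC4Random
  def initialize(key)
    key = key.bytes
    raise ArgumentError, "key must not be empty" if key.empty?
    @s = (0..255).to_a
    j = 0
    256.times do |i|                         # key-scheduling algorithm (KSA)
      j = (j + @s[i] + key[i % key.size]) & 0xFF
      @s[i], @s[j] = @s[j], @s[i]
    end
    @i = @j = 0
  end

  # One keystream byte (the PRGA step).
  def byte
    @i = (@i + 1) & 0xFF
    @j = (@j + @s[@i]) & 0xFF
    @s[@i], @s[@j] = @s[@j], @s[@i]
    @s[(@s[@i] + @s[@j]) & 0xFF]
  end

  # n raw bytes as a binary String.
  def bytes(n)
    Array.new(n) { byte }.pack("C*")
  end

  # Integer in 0...limit (the small modulo bias is irrelevant for fuzzing).
  def num(limit)
    bytes(4).unpack1("N") % limit
  end

  # n printable ASCII characters (0x20..0x7E), e.g. for header values.
  def chars(n)
    Array.new(n) { 0x20 + num(0x5F) }.pack("C*")
  end

  # Base64 of n random bytes, e.g. for cookie-shaped values.
  def base64(n)
    [bytes(n)].pack("m0")
  end
end

# Time a block runs x samples times, the shape of the talk's data collection
# step. Each row is [run, sample, seconds]; the block receives the generator.
def collect(rng, runs: 10, samples: 10)
  rows = []
  runs.times do |run|
    samples.times do |sample|
      t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
      yield rng
      rows << [run, sample, Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0]
    end
  end
  rows
end

# Render rows as CSV text, header first. Values are numeric, so no quoting
# is needed.
def to_csv(rows, header: %w[run sample seconds])
  ([header] + rows).map { |row| row.join(",") }.join("\n") + "\n"
end

if $PROGRAM_NAME == __FILE__
  rng = RC4Random.new("fuzz-seed-1")
  # Stand-in for sending a request: build a random printable payload.
  rows = collect(rng) { |r| r.chars(r.num(4096)) }
  print to_csv(rows)
end
```

<p>Because the key fully determines the stream, recording the key beside the CSV is enough to regenerate every input of the run later, which is what turns a fuzzing crash into a reproducible bug report.</p>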
<h2>Other Ideas</h2>
<ul>
<li>Random ruby scripts from a grammar</li>
<li>Automatic random ActiveRecord (AR) fixtures</li>
<li>Thrash functions for unit tests</li>
<li>Random thrashing of other protocols</li>
<li>Release RFuzz’s HTTP client separately as an alternative to <code>net/http</code></li>
<li>Inclusion of Hpricot and RWB (Ruby Web Bench)</li>
<li><a href="http://utu.devjavu.com/">Utu</a> – HCI research to see if it’s possible to measure how programmers interact</li>
</ul>
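<p>The first and third ideas above, random Ruby from a grammar and thrash functions for unit tests, fit together. Here is an added Ruby example of both; it is not RFuzz and not Zed’s code. A small grammar drives a generator for arithmetic expressions, and a thrash function feeds those expressions to a hand-written evaluator while using Ruby itself as the oracle (differential testing). The grammar, <code>Evaluator</code>, <code>generate</code> and <code>thrash</code> are constructed for this illustration; the generated language is deliberately restricted to digits, <code>+ - *</code>, parentheses and spaces so that evaluating it with <code>eval</code> is safe, and a guard enforces that rather than trusting the generator.</p>

```ruby
# Added example (not RFuzz and not code from the talk): generate random Ruby
# arithmetic expressions from a grammar and "thrash" a function under test
# with them. Names and the grammar are constructed for illustration.

# Grammar: each rule maps to alternatives; Symbols recurse, Procs produce
# terminals, Strings are emitted literally. The first alternative of every
# rule bottoms out, so capping the depth guarantees termination.
GRAMMAR = {
  expr:   [[:term], [:term, " + ", :expr], [:term, " - ", :expr]],
  term:   [[:factor], [:factor, " * ", :term]],
  factor: [[:int], ["(", :expr, ")"]],
  # No leading zeros: Ruby reads "07" as octal and rejects "08" outright.
  int:    [[->(rng) { rng.rand(0..99).to_s }]]
}.freeze

def generate(sym, rng, depth = 0, max_depth: 5)
  alts = GRAMMAR.fetch(sym)
  chosen = depth >= max_depth ? alts.first : alts[rng.rand(alts.size)]
  chosen.map do |piece|
    case piece
    when Symbol then generate(piece, rng, depth + 1, max_depth: max_depth)
    when Proc   then piece.call(rng)
    else             piece
    end
  end.join
end

# Function under test: a recursive-descent evaluator for the same grammar
# with standard precedence (* binds tighter than + and -, left associative).
class Evaluator
  def initialize(src)
    @tokens = src.scan(/\d+|[-+*()]/)
    @pos = 0
  end

  def run
    value = expr
    raise ArgumentError, "trailing tokens" unless @pos == @tokens.size
    value
  end

  private

  def expr
    value = term
    while %w[+ -].include?(@tokens[@pos])
      op = @tokens[@pos]
      @pos += 1
      rhs = term
      value = op == "+" ? value + rhs : value - rhs
    end
    value
  end

  def term
    value = factor
    while @tokens[@pos] == "*"
      @pos += 1
      value *= factor
    end
    value
  end

  def factor
    if @tokens[@pos] == "("
      @pos += 1
      value = expr
      raise ArgumentError, "expected )" unless @tokens[@pos] == ")"
      @pos += 1
      value
    else
      tok = @tokens[@pos]
      raise ArgumentError, "expected number, got #{tok.inspect}" unless tok&.match?(/\A\d+\z/)
      @pos += 1
      Integer(tok, 10)
    end
  end
end

# Only digits, + - *, parentheses and spaces may reach eval; anything else
# is a generator bug and is refused instead of executed.
SAFE_EXPR = /\A[\d+\-*() ]+\z/

# Thrash: hammer the function under test with generated inputs and compare
# each result against the oracle (Ruby's own evaluation of the same text).
def thrash(trials:, seed:, max_depth: 5)
  rng = Random.new(seed)
  counterexamples = []
  trials.times do
    src = generate(:expr, rng, max_depth: max_depth)
    raise "generator emitted unsafe text: #{src.inspect}" unless src.match?(SAFE_EXPR)
    expected = eval(src)
    actual = begin
      Evaluator.new(src).run
    rescue StandardError => e
      e
    end
    counterexamples << [src, expected, actual] unless actual == expected
  end
  { trials: trials, counterexamples: counterexamples }
end

if $PROGRAM_NAME == __FILE__
  puts generate(:expr, Random.new(2023))
  p thrash(trials: 500, seed: 2023)
end
```

<p>Any mismatch lands in <code>counterexamples</code> together with the generating seed, so a failing expression can be replayed and shrunk by hand. Extending the grammar (adding division, say) immediately shows why the oracle guard matters: new terminals are new things that reach <code>eval</code>.</p>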