Cards: 11
Learners: 0
Language: English
Level: University
Created / updated: 25.06.2019 / 25.06.2019
Licensing: not specified
0 exact answers, 11 text answers, 0 multiple-choice answers

What is fuzzing?

"Finding bugs by bombarding target with nonconform data"

Think: Flip a few bits in a PDF, then start Acrobat with that PDF

Just more automated


What is a fuzzer?


A program which generates new "random" inputs and feeds them to the target program.



What 3 types of fuzzing are there?

Types of Fuzzing:

  • Mutation based
  • Grammar based
  • Feedback based

What is mutation based fuzzing and what steps are involved?

Mutation based fuzzing:

Take an input file, modify it a bit, continue



  • Create input corpus
  • Select an input
  • Modify input file ("fuzz it")
  • Start program with input file
  • Identify crashes
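The five steps above as a runnable mutation-based fuzzer in Python. This is an added example, not code from the flashcards or from any named fuzzer: the target parse_records is a constructed toy TLV parser with two planted bugs, CORPUS is one constructed record, and an uncaught Python exception stands in for a process crash. crashed_in_subprocess shows the same "start program with input file, identify crashes" step for a real binary; the program path is left to the caller.

```python
import os
import random
import subprocess
import tempfile

INTERESTING_INTS = [0, 1, 127, 128, 255, 0x7FFFFFFF, 0xFFFFFFFF]   # AFL-style "interesting" values


def parse_records(data: bytes) -> list:
    """Constructed target: tag-length-value records (1-byte tag, 1-byte length, payload).
    Two bugs are planted on purpose: a trailing tag with no length byte raises
    IndexError, and a 'ratio' record (tag 0x02) divides without checking its payload."""
    out, pos = [], 0
    while pos < len(data):
        tag = data[pos]
        length = data[pos + 1]                      # planted bug 1: no bounds check
        value = data[pos + 2 : pos + 2 + length]
        if tag == 0x01:                             # text record
            out.append(value.decode("ascii", "replace"))
        elif tag == 0x02:                           # ratio record: planted bug 2
            out.append(value[0] / value[1])         # IndexError / ZeroDivisionError
        pos += 2 + length
    return out


def mutate(data: bytes, rng: random.Random) -> bytes:
    """'Fuzz it': apply one to four small random modifications (bit flip, byte
    overwrite, insert, delete, or overwrite with an interesting integer)."""
    b = bytearray(data)
    for _ in range(rng.randrange(1, 5)):
        op = rng.randrange(5)
        if op == 0 and b:
            b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
        elif op == 1 and b:
            b[rng.randrange(len(b))] = rng.randrange(256)
        elif op == 2:
            b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
        elif op == 3 and len(b) > 1:
            del b[rng.randrange(len(b))]
        elif op == 4 and b:
            val, width, i = rng.choice(INTERESTING_INTS), rng.choice([1, 2, 4]), rng.randrange(len(b))
            b[i:i + width] = (val & ((1 << (8 * width)) - 1)).to_bytes(width, "little")
    return bytes(b)


def fuzz(target, corpus, iterations, seed=0):
    """Mutation-based loop: select a corpus entry, mutate it, run the target,
    bucket crashes by exception type and message.
    Returns {(type, message): first input that triggered it}."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except Exception as exc:                    # in-process stand-in for a crash
            crashes.setdefault((type(exc).__name__, str(exc)), candidate)
    return crashes


def crashed_in_subprocess(program, data, timeout=5):
    """'Start program with input file' for a real binary: write the input to a file,
    run the program on it, and treat death by a signal (negative return code on
    POSIX, e.g. SIGSEGV or SIGABRT) as a crash. A hang is not counted as a crash."""
    with tempfile.NamedTemporaryFile(suffix=".fuzz", delete=False) as f:
        f.write(data)
    try:
        return subprocess.run([program, f.name], capture_output=True,
                              timeout=timeout).returncode < 0
    except subprocess.TimeoutExpired:
        return False
    finally:
        os.unlink(f.name)


# Constructed input corpus: one text record "hello" and one ratio record 10/1.
CORPUS = [bytes([0x01, 5]) + b"hello" + bytes([0x02, 2, 10, 1])]

if __name__ == "__main__":
    for (kind, msg), inp in fuzz(parse_records, CORPUS, 5000).items():
        print(f"{kind}: {msg!r} <- {inp!r}")
```

For a real program, replace the try/except around target(candidate) with crashed_in_subprocess(program, candidate); it costs one process per input, which is what "flip a few bits in a PDF, then start Acrobat" amounts to. The crash buckets here key on exception type and message; for native crashes the usual key is the faulting instruction address or a hash of the top stack frames.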

What is grammar based fuzzing?

Grammar based fuzzing

used for: e.g. JavaScript, HTML, FTP, HTTP, ...

Cannot just flip bits etc., as these are text formats and protocols rather than binary ones: almost every bit-flipped input is rejected by the parser before it reaches any interesting code

alert(1); -> is valid

alfrt(1); -> is garbage


  • Create a random input file based on grammar
  • Start program with input file
  • Identify crashes
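An added example (not from the flashcards) of what "create a random input file based on grammar" looks like: a small constructed grammar for a JavaScript-like statement language, a generator that expands it, and a constructed lexer that plays the role of the target's parser. acceptance_rates compares how often single bit flips of alert(1); survive the lexer against how often grammar output does. The grammar, the identifier set and the lexer rules are assumptions made for this example, not real JavaScript.

```python
import random
import re

# Constructed toy grammar. Keys are nonterminals; each value lists the productions.
GRAMMAR = {
    "<stmt>": ["<call>;", "<assign>;", "<call>; <stmt>"],
    "<call>": ["<ident>(<args>)"],
    "<assign>": ["var <ident> = <expr>"],
    "<args>": ["", "<expr>", "<expr>, <args>"],
    "<expr>": ["<number>", "<string>", "<ident>", "<expr> + <expr>", "<call>"],
    "<ident>": ["alert", "eval", "parseInt", "x", "y"],
    "<number>": ["0", "1", "42", "-1", "4294967295"],
    "<string>": ['""', '"a"', '"CONNECT"'],
}
NONTERMINAL = re.compile(r"(<[a-z]+>)")


def generate(rng, symbol="<stmt>", depth=0, max_depth=6):
    """Expand symbol by choosing random productions. Past max_depth only the
    productions with the fewest nonterminals are used, so expansion terminates."""
    if symbol not in GRAMMAR:
        return symbol                                   # terminal text
    options = GRAMMAR[symbol]
    if depth >= max_depth:
        fewest = min(opt.count("<") for opt in options)
        options = [opt for opt in options if opt.count("<") == fewest]
    production = rng.choice(options)
    return "".join(generate(rng, part, depth + 1, max_depth)
                   for part in NONTERMINAL.split(production))


def sample_statements(n, seed=0):
    """The 'create a random input file' step: n statements from a fixed seed."""
    rng = random.Random(seed)
    return [generate(rng) for _ in range(n)]


# Constructed stand-in for the target's parser: a lexer that only knows the
# identifiers, numbers, strings and punctuation of the toy language.
TOKEN_RE = re.compile(r'\s*(?:(?:var|alert|eval|parseInt|x|y)\b|-?\d+|"[a-zA-Z]*"|[();,=+])')


def is_well_formed(src):
    """True if the whole string tokenizes; alfrt(1); fails on the unknown identifier."""
    pos = 0
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            return False
        pos = m.end()
    return True


def flip_one_bit(data, rng):
    """The mutation-based approach for comparison: one random single-bit flip."""
    b = bytearray(data)
    b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
    return bytes(b)


def acceptance_rates(samples=500, seed=1):
    """Fraction of inputs the lexer accepts: bit flips of alert(1); vs. grammar output."""
    rng = random.Random(seed)
    seed_input = b"alert(1);"
    flipped = sum(is_well_formed(flip_one_bit(seed_input, rng).decode("latin-1"))
                  for _ in range(samples))
    grammar = sum(is_well_formed(generate(rng)) for _ in range(samples))
    return flipped / samples, grammar / samples


if __name__ == "__main__":
    for stmt in sample_statements(5):
        print(stmt)
    print("accepted: bit flips %.2f, grammar %.2f" % acceptance_rates())
```

Every grammar-generated statement passes the lexer, so each run exercises code behind the parser, while most bit-flipped variants of alert(1); die in the lexer. A real grammar fuzzer goes one step further and mutates the parse tree rather than regenerating from scratch, but the generator above is the core of the "create input from grammar" step.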



What is the problem with traditional fuzzing?

Traditional fuzzing: dumb, inefficient, brute force (every mutated input is tried blindly, with no information about what the target did with it)


What is feedback based fuzzing?


Example of Feedback Fuzzer:

AFL (American Fuzzy Lop): employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the target binary.

Concept of feedback based Fuzzing:

  • Observe the program to see whether a new input (mutated from the corpus) reaches a new code path; if it does, keep that input in the corpus and mutate it further.
    • This is done by inserting instrumentation at compile time that records which code locations are executed (AFL records transitions between basic blocks, i.e. which branches were taken, rather than which functions get called in what order).

What are the problems with fuzzing?

  • Bit flips only get you so far
  • AFL's mutation strategies:
    • Sequential bit flips with varying lengths and stepovers,
    • Sequential addition and subtraction of small integers,
    • Sequential insertion of known interesting integers (0, 1, 127, 129, INT_MAX, UINT_MAX, etc.)
    • With deterministic fuzzing out of the way, the non-deterministic steps include:
      • stacked bit flips, insertions, deletions, arithmetic, and splicing of different test cases.
  • Low probability of catching a comparison against a magic constant or a whole keyword: a random mutation has to get all of the bytes right at once, and the coverage feedback gives no partial credit for a near miss:
    • if a == 0x31337
    • if a == "CONNECT"
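An added example, not code from the flashcards or from AFL itself, that ties the feedback-based card to the problems above: a minimal coverage-guided fuzzer in Python. sys.settrace plays the role of AFL's compile-time instrumentation (line coverage instead of AFL's edge coverage), deterministic_mutations mirrors the bit-flip, arithmetic and interesting-value passes listed above, and havoc is the stacked random stage. The two targets are constructed: staged_target compares each byte of CONNECT on its own line, so every correct byte is new coverage, while atomic_target hides the same planted bug behind one comparison, which is exactly the `if a == "CONNECT"` case. The seed input, run budgets and all names are assumptions for this example.

```python
import random
import sys

INTERESTING = [0, 1, 127, 128, 255]   # subset of AFL's "interesting" 8-bit values
ARITH_MAX = 35                        # AFL adds and subtracts 1..35


def run_with_coverage(func, data):
    """Run func(data) and record which source lines of func executed.
    Returns (exception or None, set of executed line numbers)."""
    lines = set()

    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is func.__code__:
            lines.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        func(data)
        return None, lines
    except Exception as exc:          # an uncaught exception is our "crash"
        return exc, lines
    finally:
        sys.settrace(None)


def deterministic_mutations(data):
    """AFL-style deterministic stage on one input: every single-bit flip,
    +-1..35 on every byte, and every interesting value written into every byte."""
    for i in range(len(data)):
        for bit in range(8):
            b = bytearray(data); b[i] ^= 1 << bit; yield bytes(b)
        for delta in range(1, ARITH_MAX + 1):
            for sign in (1, -1):
                b = bytearray(data); b[i] = (b[i] + sign * delta) & 0xFF; yield bytes(b)
        for val in INTERESTING:
            b = bytearray(data); b[i] = val; yield bytes(b)


def havoc(data, rng):
    """Non-deterministic stage: a stack of 1..4 random bit flips or byte overwrites."""
    b = bytearray(data)
    for _ in range(rng.randrange(1, 5)):
        i = rng.randrange(len(b))
        if rng.random() < 0.5:
            b[i] ^= 1 << rng.randrange(8)
        else:
            b[i] = rng.randrange(256)
    return bytes(b)


def fuzz(target, seed_input, max_runs, feedback=True, seed=0):
    """Coverage-guided loop: an input that executes a line never seen before joins
    the corpus and gets its own deterministic pass. With feedback=False the corpus
    never grows, which is the traditional blind mutation fuzzer for comparison."""
    rng = random.Random(seed)
    _, seen = run_with_coverage(target, seed_input)
    corpus, queue, runs = [seed_input], [seed_input], 1
    while runs < max_runs:
        if queue:
            candidates = deterministic_mutations(queue.pop(0))
        else:
            candidates = (havoc(rng.choice(corpus), rng) for _ in range(1000))
        for cand in candidates:
            runs += 1
            exc, lines = run_with_coverage(target, cand)
            if exc is not None:
                return {"crash": cand, "runs": runs, "corpus": len(corpus)}
            if feedback and not lines <= seen:   # new code path: keep and queue it
                seen |= lines
                corpus.append(cand)
                queue.append(cand)
            if runs >= max_runs:
                break
    return {"crash": None, "runs": runs, "corpus": len(corpus)}


def staged_target(data):
    """Constructed target: each byte of CONNECT is checked on its own line, so every
    correctly guessed byte executes a line the fuzzer has not seen before."""
    if len(data) < 7 or data[0] != 0x43: return   # 'C'
    if data[1] != 0x4F: return                     # 'O'
    if data[2] != 0x4E: return                     # 'N'
    if data[3] != 0x4E: return                     # 'N'
    if data[4] != 0x45: return                     # 'E'
    if data[5] != 0x43: return                     # 'C'
    if data[6] != 0x54: return                     # 'T'
    raise RuntimeError("planted bug in the CONNECT handler")


def atomic_target(data):
    """Same planted bug behind a single comparison: no intermediate feedback."""
    if data[:7] == b"CONNECT":
        raise RuntimeError("planted bug in the CONNECT handler")


SEED = b"HELLO WORLD"   # constructed seed input; none of its bytes is correct

if __name__ == "__main__":
    print("staged :", fuzz(staged_target, SEED, 50_000))
    print("atomic :", fuzz(atomic_target, SEED, 20_000))
```

Against staged_target the fuzzer climbs one byte at a time: each saved corpus entry is one byte closer, and the crash turns up after a few thousand runs with a corpus of seven entries. Against atomic_target the coverage never changes until all seven bytes are right, so the corpus stays at one entry and the same fuzzer is back to brute force; with feedback=False the staged target is just as hopeless. Splitting comparisons into byte-wise checks at compile time (what AFL-based tooling does with comparison-splitting passes) is how real fuzzers turn the atomic case into the staged one.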