Fuzzing: Brute Force Vulnerability Discovery

Authors: Michael Sutton, Adam Greene, Pedram Amini
Pages: 576
Publisher: Addison-Wesley Professional
ISBN: 0321446119

Introduction

Although fuzzing may sound like a new concept to some, the term is related to a concept that has been around for a couple of decades. It became famous in the past year as a large portion of vulnerabilities in Redmond giant’s software was found this way. Fuzzing is a technique of “breaking stuff” by sending intentionally invalid data to a product in hope of this data generating some error condition.

About the authors

Michael Sutton is the Security Evangelist for SPI Dynamics. He is a frequent speaker at major information security conferences, has authored numerous articles, and is regularly quoted in the media on various information security topics.

Adam Greene is an engineer for a large financial news company and has previously served as an engineer for iDefense. His interests in computer security lie mainly in reliable exploitation methods, fuzzing, and UNIX-based system auditing and exploit development.

Pedram Amini currently leads the security research and product security assessment team at TippingPoint. He spends much of his time in the shoes of a reverse engineer-developing automation tools, plug-ins, and scripts. His most recent projects include the PaiMei reverse engineering framework and the Sulley fuzzing framework.

Inside the book

The opening part of the book provides the readers with a background on fuzzing technologies, its origins and different methods as well as process types. As with the rest of the book, every topic is covered very well, with a number of interesting pieces of information, screenshots, code snippets and a ton of links to useful Web resources.

After the 50 page introduction, we are off to specific fuzzing scenarios related to web applications, file format, network protocols, web browsers and even in-memory testing. Each of these sections addresses situations in which fuzzing comes as a perfect method of finding flaws. I liked the concept of covering these topics as the authors first cut into diverse scenarios, discuss the manual work and afterwards show the best way of automating the processes. Through this approach you will be also introduced to a number of invaluable software tools that can be used through your journey of fuzzing.

While to some the mentioned topics could seem a bit too sophisticated, the authors go even deeper with more technical topics in the latter part of the book where they cover advanced fuzzing technologies. When there is a need for more customization and thorough fuzzing of proprietary and untested protocols – fuzzing frameworks come into the picture. The authors cover a couple of open source frameworks, including SPIKE. This section also hosts a rather interesting case study on custom fuzzing of Shockwave Flash. The rest of this section is all about topics such as intelligent fault detection, fuzzer tracking and automating the process of protocol dissection. The book closes with an overview of the lessons learned and a quick showcase of various commercial tools.

I should also notice that every chapter of the book opens with a George W. Bush quote, which to some will look a bit off, but the authors mention that it is provided as a comic relief and that it will show you that “fuzzing can be applied against a variety of targets, evidently even the English language”.

Final thoughts

The topic of fuzzing is really interesting and I really enjoyed the details this book provided. As you can see from my text above, fuzzing attacks are covered from a very in-depth perspective and as a result I came across new vulnerability testing ideas that I would never think of.

Highly recommended if you are in this line of work, or if you want to stay up-to-date with the latest techniques of doing this kind of blackbox testing.