How does fuzzing work?
- Look for the attack surface: the inputs
- Generate fuzzed data for each input
  - Mutated
  - Generational
  - Differential
- Execute the test case
- Monitor for exceptions
- Determine exploitability
Mutated
take a successful test case as the sample case and corrupt some parts of it
Pros: easy to check whether the test succeeded, comparable results
Cons: not many results and low variety in the exercised code, since corrupted data won't cover a lot of code paths
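As an added example (not part of these notes), a minimal mutation fuzzer in Python for the steps above: take a known-good sample, corrupt parts of it, run the target, and record any exception the monitor step sees. The target parser, the sample record and the mutation set are constructed for illustration.

```python
import random

# Constructed toy target: a 1-byte length prefix followed by the payload.
# It raises on malformed input; the monitor step below catches that.
def parse_record(data: bytes) -> tuple[int, bytes]:
    if len(data) < 1:
        raise ValueError("empty record")
    n = data[0]
    payload = data[1:1 + n]
    if len(payload) != n:
        raise ValueError(f"declared {n} bytes, got {len(payload)}")
    return n, payload

SAMPLE = b"\x03abc"  # constructed known-good sample case

# One mutation per call: bit flip, byte overwrite, byte delete or byte insert.
def mutate(sample: bytes, rng: random.Random) -> bytes:
    buf = bytearray(sample)
    op = rng.choice(("bitflip", "byte", "delete", "insert"))
    if not buf or (op == "delete" and len(buf) == 1):
        op = "insert"  # never produce an empty case from a 1-byte sample
    if op == "bitflip":
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == "byte":
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "delete":
        del buf[rng.randrange(len(buf))]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

# Execute each case and monitor for exceptions; results are bucketed by
# exception type as a first, crude triage step before judging exploitability.
def fuzz(target, sample: bytes, rounds: int, seed: int = 0) -> dict:
    rng = random.Random(seed)  # fixed seed keeps a run reproducible
    failures: dict[str, list[bytes]] = {}
    for _ in range(rounds):
        case = mutate(sample, rng)
        try:
            target(case)
        except Exception as exc:
            failures.setdefault(type(exc).__name__, []).append(case)
    return failures

# Re-run a recorded case on its own to confirm the failure is not a fluke.
def reproduces(target, case: bytes) -> bool:
    try:
        target(case)
    except Exception:
        return True
    return False
```

Because the mutator only corrupts one byte per round, most cases still look like the sample, which is exactly the low-coverage limitation the Cons line describes.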
Generational
Generate cases based on a data model.
Pros: more cases to test, more code paths covered.
Cons: infinite test cases at each stage of a code path.
Hard to generate cases for a variety of protocols.
Differential
Any fuzzing algorithm that actively reduces the testing state space
- focused on code path coverage
- adjusted after each round
Pros: automated, bounded time, more code coverage per test
Limits: hard to implement
Test cases should be designed with those mechanics in mind
Oblivious
just random input, zero consideration of the system
Block
delimiters, tags for markup languages, meta characters etc.
Grammar
custom grammar to generate the format
https://www.darknet.org.uk/2015/07/dharma-generation-based-context-free-grammar-fuzzing-tool/
Template
given templates for a given test case
file format / header / frame / packets etc.
Heuristic
making smarter decisions to reduce the number of test cases; try to look for the potential code path
Instrumentation
Debugger inspection
gdb / strace
Binary inspection
Time complexity - in most cases it's O(n)