Fuzz - 2.0 - How & mechanics

How does fuzzing work?

  1. Look for attack surface (inputs)

  2. Generate fuzzed data for the input, by one of:

     • Mutated
     • Generational
     • Differential

  3. Execute test case

  4. Monitor for exceptions

  5. Determine exploitability

Mutated

Take a successful test case as the sample case and corrupt some parts of it.

Pros: easy to check whether the test succeeded; results are comparable.

Cons: few results and low code-path entropy, since the corrupted data won't exercise many code paths.

Generational

Generate test cases based on a data model.

Pros: more cases to test, more code paths covered.

Cons: infinite test cases at each stage of a code path.

Hard to generate for varied protocols.

Differential

Any fuzzing algorithm that actively reduces the testing state space:

  • focused on code path coverage
  • adjustment after each round

Pros: automated, limited time, more code coverage during testing

Limits: hard to implement
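Added example, not part of the original notes: a minimal mutation fuzzer in Python that applies the mechanics above to a constructed toy parser (parse_record, with deliberately planted defects). It corrupts a successful sample case (mutated generation), executes each case, monitors for exceptions, and keeps a case for further mutation only when it reached new code lines, the per-round adjustment described under Differential.

```python
import random
import sys
# Constructed toy target with planted defects: no '=' -> ValueError, bad UTF-8 -> UnicodeDecodeError.
def parse_record(data: bytes) -> dict:
    out = {}
    for field in data.split(b";"):
        if not field:
            continue                                  # a separate code path
        key, value = field.split(b"=", 1)
        out[key.decode()] = value.decode()
    return out

def mutate(sample: bytes, rng: random.Random) -> bytes:  # corrupt a good sample
    data = bytearray(sample)
    op = rng.choice(("flip", "delete", "insert"))
    if op == "flip" and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)   # flip one bit
    elif op == "delete" and data:
        del data[rng.randrange(len(data))]                         # drop one byte
    else:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))  # add a byte
    return bytes(data)

def run_case(target, case: bytes):  # execute, monitor for exceptions, record lines
    lines = set()
    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is target.__code__:
            lines.add(frame.f_lineno)
        return tracer
    sys.settrace(tracer)
    try:
        target(case)
        return lines, None
    except Exception as exc:
        return lines, exc
    finally:
        sys.settrace(None)

def fuzz(target, sample: bytes, rounds: int = 500, seed: int = 1):
    rng = random.Random(seed)
    corpus, covered, crashes = [sample], run_case(target, sample)[0], {}
    for _ in range(rounds):
        case = mutate(rng.choice(corpus), rng)
        lines, exc = run_case(target, case)
        if exc is not None:
            crashes.setdefault(type(exc).__name__, case)  # first case per type
        elif not lines.issubset(covered):                 # reached new lines?
            covered |= lines                              # adjust after each round
            corpus.append(case)
    return crashes, corpus
```

Calling `fuzz(parse_record, b"host=a;port=1")` returns the first crashing input per exception type plus the corpus of coverage-increasing inputs.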

Test cases should be chosen with these mechanics in mind.

Time complexity: in most cases it's O(n).