Fuzzing Flashcards
Define fuzzing and explain its importance in software testing.
Fuzzing is a software testing technique that involves providing random, invalid, or unexpected inputs to a program and observing its behavior. The main goal of fuzzing is to find bugs, crashes, or vulnerabilities that could be exploited by malicious actors. It is important because it can uncover issues that might not be detected by traditional testing methods.
What are the differences between black-box, white-box, and grey-box testing in the context of fuzzing?
Black-box, white-box, and grey-box testing refer to different approaches to fuzzing based on the level of knowledge and access to the source code of the target program. Black-box testing involves no knowledge of the internal workings of the program, white-box testing involves complete knowledge, and grey-box testing involves partial knowledge.
Explain the concept of code coverage and its role in fuzzing.
Code coverage is a metric that measures how much of the program’s logic or code is executed by the test inputs. In fuzzing, higher code coverage means more thorough testing and a higher chance of finding bugs.
What is instrumentation in the context of fuzzing and why is it important?
Instrumentation is the process of adding code to, or modifying, the program so that it collects information about its own execution, such as coverage, crashes, or memory errors. It is important in fuzzing because this information is the feedback that guides the generation of new test inputs.
How does artificial intelligence (AI) contribute to the process of fuzzing?
AI contributes to fuzzing by using algorithms or techniques that mimic human intelligence or learning, such as genetic algorithms or evolutionary algorithms, to generate or mutate test inputs. This can lead to more effective exploration of the input space and discovery of bugs.
What are seed files and why are they used in fuzzing?
Seed files are initial test inputs that are valid or representative of the expected input format or structure. They are used to bootstrap the fuzzing process and improve its efficiency by guiding the fuzzer towards interesting areas of the input space.
Explain the concept of mutation in fuzzing and give examples of mutation operations.
Mutation is an operation that modifies or transforms the test inputs to explore different input spaces or scenarios. Examples of mutation operations include bit flips, byte shuffles, and grammar-based or protocol-aware mutations.
What is the LibFuzzer approach to fuzzing and what steps does it involve?
The LibFuzzer approach to fuzzing involves linking the fuzzer with the library under test and feeding fuzzed inputs to the library via a specific fuzz target function. The steps involved are identifying a function as an entry point, instrumenting the library for fuzzing, and writing a fuzz target for the function.
What is the AFL approach to fuzzing and what steps does it involve?
The AFL approach to fuzzing involves repeatedly running a binary and passing it inputs that are mutated over time. The steps involved are checking whether there is a CLI that reads from STDIN or from a file, instrumenting the binary, and running the fuzzer.
What are some criteria for choosing a project for fuzzing?
Criteria for choosing a project for fuzzing include whether the software processes user input or data, such as parsers, generators, converters, encoders, or decoders, and whether it has been fuzzed before or has known vulnerabilities.
How do you prepare a project for fuzzing with LibFuzzer?
Preparing a project for fuzzing with LibFuzzer involves identifying a function as an entry point, instrumenting the library for fuzzing using the appropriate compiler flags or tools, and writing a fuzz target, which is a function that accepts an array of bytes as input and passes it to the target program or library.
How do you run a fuzzer for a project?
Running a fuzzer for a project involves executing the fuzzer executable with the appropriate options, such as input and output directories, and monitoring the fuzzing progress, such as coverage, executions, crashes, or hangs.
What is the role of address sanitizer in fuzzing?
Address sanitizer is an instrumentation and runtime tool that detects memory errors such as buffer overflows and use-after-free. In fuzzing, it helps to discover hidden bugs by turning memory errors that would otherwise go unnoticed into immediate crashes.
What is a control flow graph and how is it used in fuzzing?
A control flow graph is a data structure that represents the possible paths of execution in a program. In fuzzing, it is used to measure code coverage and guide the generation of new test inputs.
What is the difference between the first fuzzing algorithm and coverage-guided fuzzing?
The first fuzzing algorithm involves generating random inputs and feeding them to the program until it crashes or hangs. Coverage-guided fuzzing, on the other hand, uses feedback from the program’s code coverage to guide the generation of inputs, which can produce more interesting inputs that trigger new code paths and find more bugs.
What is a fuzz target and how do you write one for a function?
A fuzz target is a function that accepts an array of bytes as input and passes it to the target program or library. To write a fuzz target for a function, you need to implement a function that takes an array of bytes as input, converts it to the appropriate format, and passes it to the target function.