Every day we see news of a new zero-day being discovered, abused or subsequently patched, these vulnerabilities are not (or are very rarely) discovered by accident, quite the opposite actually.

Security researchers use a combination of tools and workflows to reverse engineer software and discover these vulnerabilities and in this blog post we’ll be taking a look at one commonly used technique — Fuzzing.

What is Fuzzing?

In it’s simplest, boiled down form you can think of fuzzing as; The process of passing random or semi-random data to a target in an automated manner while monitoring the targets output for crashes or any kind of anomalies to be further explored.

As an example, lets say we have an application that takes two simple parameters:

• Name (string)
• ID (integer)

Based on these two theoretical inputs we can ask ourselves a couple of questions:

• What happens if we submit a name with 100 characters or longer?
• What about a name with strange character encoding?
• What about submitting an ID with a value of 0, or -1?
• What about submitting strings instead of an integer for ID?
• What if we submit a valid ID but append some garbage to the end of it?

Sitting and manually generating these inputs would obviously be really time consuming (and painful) for a human to do, so this is where we would use a Fuzzer to generate inputs.

Once our Fuzzer has generated these inputs, they can then be passed to our target application and from there we can keep track of responses from the application and how it behaves to the malformed input.

What is a Fuzzer?

A fuzzer can be broken down into a couple of key components, the sophistication of each of these components can vary a bit:

• Generator — Probably the most important component of a fuzzer, it’s responsible for creating (or generating :) ) what will eventually be inputs that are passed to our fuzzing target, so the generators approach has a massive impact on code coverage and the overall effectiveness of the fuzzer.
• Delivery — The delivery functionality determines how our generator outputs get delivered to our fuzzing target, so for example if we were fuzzing a network based application delivery would be over sockets, or if it was a file based application our delivery method would be file based and so on.
• Monitor — So when our fuzzer is running we need a way to check out how the target application or protocol is handling our fuzzing inputs, when it crashes, if it hangs and such, the monitoring functionality takes care of this along with classifying which types of bugs the fuzzer finds in some cases.

Types of Fuzzing

Mutation-Based

The concept of Mutation based fuzzing is fairly straight forward, we take a syntactically valid input (referred to as a seed) and introduce small changes or mutations to the input, whist keeping the input valid we try to elicit unintended behaviour from the target using our mutations.

The mutations our input can range from just inserting a random character, flipping bits, removing characters, inserting special characters or symbols and so on.

As an example, lets say we have an application that takes the string “I’m a little teapot”.

With mutation based fuzzing in mind we can come up with a lot of mutations for this string:

I’m a little teap0t
’m a little teapot
I’m at little teapot
I’m @ little teapot

Understanding mutation based fuzzing is essential, although the above example is an overview the concept can get very deep, but this is the essence of it.

Generation-Based

Generation based fuzzing differs from mutation based fuzzing in that it doesn’t really require valid example input (seed), the idea is to have the generator create random data/patterns based on the targets input model (read schema).

The inputs generated can range from empty strings, long integers or decimals, negative integers, really long strings or even a mix of all.

Feedback-Based

Feedback based fuzzing involves our fuzzer taking code coverage into account, code coverage is a phrase which essentially means “how much of the underlying code is being executed when we are fuzzing”.

With a Feedback based approach, measuring code coverage allows your generator to create more test cases for a whole array of different potential code paths for the target application, binary or protocol.

Evolutionary-Based

Evolutionary based fuzzing takes the approach of using algorithms (Evolutionary Algorithms) that are based on ‘Survival of the fittest’, so when generating data or test inputs for the target, an evolutionary based fuzzer will normally have some kind of built in scoring system, this scoring system is used to separate the good (strong) test cases from the bad (weak).

Evolutionary based topics can get quite deep and complex especially when ML or AI concepts get rolled into the mix but there are a bunch of great resources which I’ll list at the end of this blog.

Popular Fuzzing Tools

Fuzzing is a massive part of the exploit development process, with all of the talented folks that work in the space it goes without saying that there’s a tonne of amazing tools out there to get stuck into, here is a list of some of the most popular.

American Fuzzy Lop (AFL)

AFL has become quite popular since its release a couple of years ago, built by Michal Zalewski it’s a powerful brute-force based fuzzer paired with a genetic algorithm (evolutionary-based).

It can be run in qemu mode for black-box fuzzing, I really enjoy the crash analysis aspect of AFL, allowing you to pinpoint the where, when and why of each crash — Awesome tool!

Repo: https://github.com/google/AFL

SPIKE

SPIKE is a fuzzer creation toolkit, it provides a high level API and functionality so you can essentially write spike scripts for fuzzing network protocols etc.

This is a really good framework for getting started with building basic fuzzers and understanding base components of a fuzzer.

I’d reccomend spinning up a vulnerable web app or test application, writing a simple spike script to fuzz the app/socket and go from there.

Repo: https://github.com/guilhermeferreira/spikepp/tree/master/SPIKE

Peach Fuzzer

Peach Fuzzer is a cross platform fuzzer that is really good for fuzzing file formats, network protocols and API’s.

When Peach Fuzzer is configured the interface is really intuitive and easy to navigate, the fact that it is cross platform is also a bonus — I’d definitely recommend getting it configured and doing some testing with it.

Repo: https://gitlab.com/peachtech/peach-fuzzer-community

boofuzz

boofuz is a python library that allows you to write custom fuzzers for network protocols, if you like fuzzing and python (and fuzzing with python :D ) this is a tool for you.

Although this is a really good tool if you’re just starting out with fuzzing it might not be a great place to jump in at the beginning, saying that — the documentation is really good.

Repo: https://github.com/jtpereyda/boofuzz

Radamsa

Radamsa is a general purpose fuzzer, the difference between this and the other fuzzers mentioned is that Radamsa is cli based, which is cool in minimalistic terms.

The examples on the Radamsa repo are really good so you could get up and running with this fuzzer in no time, it’s popularity also means there is no shortage of tutorials and blogs.

Repo: https://gitlab.com/akihe/radamsa

zzuf

zzuf is a generic app fuzzer, it works by intercepting network/file operations and flipping bits and corrupting user supplied inputs.

I have not used this fuzzer a lot myself but have read a couple of blogs/tutorials that do mention it so is probably one to try out (I’ll be testing it out soon myself).

Repo: https://github.com/samhocevar/zzuf

The tools listed above happen to be some that are popular, truth is there are an endless number of fuzzers/frameworks out there for you to use when looking for bugs!

Additional Learning Resources

I love teaching myself new concepts and techniques, below is a list of some resources which I found really helpful when learning more about fuzzing, some contain tutorials and guides and others are research papers:

The Fuzzing Project — https://fuzzing-project.org/

The Fuzzing Book — https://www.fuzzingbook.org/

Vuln-Oriented Evolutionary Fuzzing — https://arxiv.org/pdf/1901.01142.pdf

Fuzzing: The State of the Art — https://apps.dtic.mil/sti/pdfs/ADA558209.pdf

Fuzzing Labs — https://www.youtube.com/channel/UCGD1Qt2jgnFRjrfAITGdNfQ

Awesome Fuzzing — https://github.com/secfigo/Awesome-Fuzzing

Vulnserver — https://github.com/stephenbradshaw/vulnserver

epi052 Blog — https://epi052.gitlab.io/notes-to-self/blog/2021-11-01-fuzzing-101-with-libafl/

Hopefully you’ve found some of this information helpful or useful, but in the event you have any questions feel free to reach out and I can try help.

Cheers!