Fuzzing for Security Testing and Quality Assurance
by Ari Takanen, Jared D. Demott and Charles Miller
Artech House 2008.
ISBN 978-1-59693-214-2 Amazon.com USD63.20
Reviewed by Richard Austin 11/13/08
Fuzzing is attracting a lot of attention these days for the quite practical reason that its purpose "is to find new, previously undetected flaws" (p. 72). Since fuzzing can be used quite effectively against closed-source proprietary software, it's not too surprising that many recent vulnerabilities in widely deployed software have been discovered through fuzzing.
This book is unique in that it both provides an introduction to fuzzing and also provides solid guidance on how fuzzers should be used in a testing and QA program.
The authors open with an introductory chapter that sets the stage for the remainder of the book by providing a good summary of software security, software quality (and the various types of testing) as well as a whirlwind introduction to fuzzers and fuzzing.
The second chapter is devoted to software vulnerability analysis and covers the common types of security-relevant defects in software (buffer overflows, race conditions and so on) as well as the various types of people (and their motivations) who look for and analyze software vulnerabilities.
Chapter three is devoted to software quality assurance and testing and provides a solid grounding in the general types and purposes of testing. The fourth chapter, "Fuzzing Metrics", is a gem as it tackles a very important point - if you're convinced that fuzzing would be a great benefit to your organization, how can you explain this to management and demonstrate this benefit on an ongoing basis using metrics?
The fifth chapter, "Building and Classifying Fuzzers", delves into the details of the different types of fuzzers and how they work. It provides an excellent roadmap to the fuzzing world and concise descriptions of its major denizens.
Chapter 6, "Target Monitoring", covers a challenging question: when a fuzzer finds something, how will you know? The authors take a solid, practical approach, describing the major vulnerability classes and the likely observable results when a fuzzer uncovers an example of each.
The seventh chapter on "Advanced fuzzing" examines current research that will shape future generations of fuzzers. Tantalizing glimpses of research prototypes reveal that fuzzing is still an active area with significant advances still "in the pipeline".
Chapter 8, "Fuzzer Comparison", provides solid guidance on how you can compare different types of fuzzers when deciding which is most appropriate for your purposes. Open-source as well as commercial fuzzers are examined under a solid and balanced evaluation framework. The final chapter, "Fuzzing Case Studies", provides a series of walkthroughs of how fuzzing is used in areas ranging from firewalls to network devices to SCADA systems.
This book is a welcome addition to the fuzzing literature because it goes beyond the typical questions, such as "What is a fuzzer?" and "What kinds of fuzzers are there?", to offer practical advice on how fuzzers should be used as a regular part of a security testing and software quality assurance program in order to achieve the best results (whether that means eliminating vulnerabilities before the product ships or identifying them before the product is deployed in production). The chapter on metrics is especially welcome for demonstrating the value of this technology, which is becoming more and more critical as budgets shrink and come under increasing scrutiny.
This book is a definite "recommended read" for security professionals who have heard something about fuzzing and want to dig deeper to see how it could be used effectively in their own organization.
Before beginning life as an itinerant university instructor and cybersecurity consultant, Richard Austin was the storage network security architect for a Fortune 25 company. He welcomes your thoughts and comments at rda7838 at Kennesaw dot edu