Fuzzing: Brute Force Vulnerability Discovery,
M. Sutton, A. Greene, and P. Amini
ISBN 0-321-44611-9. Amazon.com $34.64 Bookpool.com $34.50.
Reviewed by Richard Austin, November 15, 2007
Unless you're a security professional who has decided the connected world is a far too dangerous place and have retreated into your sealed bunker with your isolated, cement encased computers, you have heard of the concept of "fuzzing" and its utility in discovering security vulnerabilities. But I suspect most of us have only the basic notion that it somehow involves flooding a piece of software with every possible input and waiting for something unexpected to happen.
Sutton et al. quickly reveal that there is a lot more to be said and give us a fascinating look at how fuzzers work, how to build one and some tantalizing hints at how they could be made much better.
The book opens with a 5-chapter introduction to the process of vulnerability discovery and the place that fuzzing can play within it. The introduction is comprehensive and includes topics ranging from the history of fuzzing, a taxonomy of fuzzer types, thorny issues of data representation and an in-depth review of the requirements for effective fuzzing.
The second part is really the "meat" of the book and after an opening chapter on "Automation and Data Generation," covers the broad topics of fuzzing environment variables and arguments, web applications, file formats, network protocols, web browsers and a very new topic, in-memory fuzzing.
For each major topic, the presentation begins with an introductory chapter that indentifies the targets, the most appropriate fuzzing methods and the types of faults likely to be generated. This introduction is then followed by detailed chapters on how to perform fuzzing on both the Unix and Windows platforms.
The detailed fuzzing presentations are in-depth and often use tools that are available on the book's companion web site. Relevant code is listed with clear explanations, assessment of limitations and suggestions for how the tool could be extended and improved. Often the presentation is illustrated with an example of how a real vulnerability was discovered using the method, and these expositions are an education in and of themselves.
The discussion of in-memory fuzzing is quite interesting as it's a new concept that the authors mention has not yet been implemented in even a public proof-of-concept mode. The core idea is that rather than working through the presentation logic of an application to get the inputs into the application, the fuzzer actually "hooks" into the processing logic directly and supplies the fuzzed inputs. The advantages in speed (e.g., not having to transmit fuzzed inputs over a network link, etc) is at least partially offset by the difficulties aptly summed up in the authors' statement that "in-memory fuzzing is not for the faint of heart."
The third part of the book is devoted to "Advanced Fuzzing Technologies" and covers fuzzing frameworks, automated protocol dissection using "proxy fuzzers" interposed between the client and the server, some cutting edge techniques borrowed from bioinformatics and genetic algorithms, and intelligent fault detection (IOW, better ways to tell when your "fuzzer has done right by doing wrong.")
The final section of the book provides a retrospective that fits fuzzing techniques into the SDLC and a look into the future through examination of some of the commercial fuzzing tools that are becoming available.
This book will appeal first to the hard-core technical security professional, but I think the more management-oriented among us would be ill-served by fleeing back to our spreadsheets at the first glimpse of a code listing. Fuzzers are in the hands of both the good and the bad and it would behoove all of us to understand their potential. The book's introductory chapters and the introductory chapter for each major fuzzing topic are highly recommended for all audiences. As might be said, "You need to read this book - your adversary has."
Before retiring, Richard Austin was the storage network security architect at a Fortune 25 company and currently earns his bread and cheese as an iterant university instructor and security consultant. He welcomes your thoughts and comments at firstname.lastname@example.org