9 top fuzzing tools: Finding the weirdest application errors

Fuzz testing tools root out odd programming errors that might result in dangerous unexpected application errors that attackers can exploit.

Don’t let the whimsical name fool you. Fuzzing is a serious process that can help uncover critical, unknown and sometimes weird problems affecting today’s modern, complex applications. Good fuzzing tools can often find hidden ways that programs can be exploited long before they are deployed to the public.

How fuzz testing works

Fuzz testing is an automated process that is almost always employed against completed code. This makes it similar to dynamic application security testing (DAST) tools, which also require programs to be fully compiled. However, DAST tools and fuzzing tools look for completely different things. A DAST tool will scan for vulnerabilities, such as the ability for hackers to use an app to make remote procedure calls or for weak protections surrounding exposed HTTP and HTML interfaces. Fuzzing tools, by contrast, provide unexpected input to an application to find out if doing so will generate weird or unintended results.

One of the easiest ways to envision the kinds of problems that fuzzing uncovers is to think of programs like banking or ecommerce apps that are designed to work with known inputs like integers. For example, in banking, let’s say a program is designed to allow users to transfer money from one account to another. Instead of entering a positive value in the amount field to transfer, a user unexpectantly enters a negative number. How does the program handle this? It might put money into the account instead of sending any out. Or it might generate money that doesn’t exist. With an ecommerce program, what happens when someone tries to put millions or even billions of items into their cart? Will that crash the entire site or provide them billions of free items?

If a programmer has been thoughtful and written tight code, most of those business logic flaws will have already been anticipated. But nobody can think of every situation. Unexpected behaviors don’t just happen when users fool around with numbers in the input fields. What if an attacker sends command line functions into an app, encrypted content, operating system commands or raw code in the same language the app is written?

Fuzzing tools can uncover and report on those what-if situations. Some fuzzing tools use random characters and input strings, while others target the most likely problem areas. For example, with integer fields, the most likely culprits for triggering unexpected program behaviors are zeroes, very large numbers and negative values. Still other fuzzing tools examine the program that they are working with and try to provide contextual but unexpected inputs.

In all cases, the best fuzzing tools generate data that is not so far off from the expected input that it will be immediately rejected by the software’s parser as invalid. Instead, they will provide data that has a good chance of being accepted by the program, but which has not been expected by the programmer. Then they will report what behavior that unexpected input triggers in the tested app.

Developers use quite a few open-source fuzzing tools, a few commercial applications and even entire frameworks devoted to fuzzing. The following are top tools developers are using today to fuzz test their applications.

9 top fuzzing tools

  • American Fuzzy LOP
  • Radamsa
  • Honggfuzz
  • Libfuzzer
  • OSS-Fuzz
  • Sulley Fuzzing Framework
  • boofuzz
  • BFuzz
  • PeachTech Peach Fuzzer

American Fuzzy LOP

The American Fuzzy LOP program is designed to be deployed with little effort or configuration. It was built based on a lot of research about how the best fuzzers operate and what results are most useful for testers. It is also designed to minimize the time it takes to compile a query and get results while having minimal system impact wherever it’s installed.

In fact, the developer of American Fuzzy LOP is so confident in the fuzzer’s ability to work without user intervention that there are almost no controls. Users do get a nice, retro-styled interface that shows what the fuzzer is doing and what results it’s finding.

Even though the developer is confident in American Fuzzy LOP’s ability to find useful bugs in tested programs, the tool was also made to be compatible with other fuzzers. It can generate testing data that can be loaded into other, more specialized, labor-intensive fuzz tools if needed. Doing so can potentially increase the efficiency of those tools as well as reduce their runtime.

Radamsa

Radamsa is a frontline fuzzer designed to send sample queries to programs that trigger unexpected results. It achieves a high degree of accuracy because it first ingests sample files of valid data. It then analyzes that data to come up with a fuzzing plan filled with information that is almost, but not quite, what the tested application is expecting.

The biggest selling point of Radamsa is its accuracy. The developer’s page on GitLab has many examples of real-world bugs that the fuzzer has found in popular software. It might take a little bit more effort on the part of a user to generate valid input to feed Radamsa, but if that process results in a bigger haul of realistic, fixable bugs, then it’s time well spent.

Honggfuzz

The Honggfuzz security-oriented fuzzer is optimized and multi-threaded to take advantage of all system resources. Many fuzz tools must run multiple instances to achieve this, but Honggfuzz automatically uses all available CPU cores to rapidly speed up the fuzzing process.

Honggfuzz does not just work with Windows. It can test applications running under Linux, Mac and even Android environments. Because of its ability to work under multiple platforms, Honggfuzz comes with a full directory of examples and test cases that developers can use verbatim, modify for their own needs or simply learn from so they can set up their own fuzz testing regimen.

Likely owing to its ability to fuzz on multiple platforms, the trophy page for Honggfuzz, where fuzz developers show the bugs that their tools have caught, is quite large. According to the developer, it was the only fuzz tool to find a critical vulnerability in OpenSSL that resulted in the issuing of a worldwide security patch.

Libfuzzer

The Libfuzzer tool is in development, with new versions being released every so often. As such, those who use the tool should check to make sure they have the latest version before starting their fuzzing session.

Libfuzzer is designed to be a so-called evolutionary fuzzing tool. How it works is that the tool feeds fuzzed inputs to a specific entry point or input field on the targeted program. It then tracks which other parts of the code are reached based on the tested application’s reaction to the queries. Armed with that new information, Libfuzzer modifies its queries to see if it can penetrate even deeper.

The goal of Libfuzzer is to generate more relevant results compared with what might be revealed by a traditional fuzzing tool. According to the developers, the tool has already seen much success, and continues to be refined for even more accuracy.

OSS-Fuzz

The OSS-Fuzz tool was designed to work with open-source software. The developers wanted to support the open source-community, so OSS-Fuzz was optimized to work with apps and programs deployed that way.

OSS-Fuzz supports open-source programs written in C, C++, Rust and Go, though the developers say it may also work with other languages. They are just not currently supported.

Apparently, the goal of helping the open-source community create more secure applications using OSS-Fuzz has already been quite successful. OSS-Fuzz has found over 14,000 bugs in 200 open-source programs.

Sulley Fuzzing Framework

Named after the fuzzy blue creature from the Monsters Inc. movie, the Sulley Fuzzing Framework is both a fuzzing engine and a testing framework. Unlike most fuzzing engines, Sulley is designed to be able to run seamlessly for days at a time by constantly checking applications for weird responses to fuzzed inputs and then recording those results. It was designed for users who want to activate a fuzzing engine and then go work on something else. When they return hours or days later, Sulley will have reports on everything it found ready to go.

Sulley has several advanced features like the ability to run in parallel, depending on the hardware platform hosting it. It can also automatically determine, without user programming, what unique sequence of test cases will trigger faults.

The Sulley Framework is well known in open-source fuzzing communities, but has not been actively updated in some time. Even so, the latest version, which is available for free on GitHub, is still in active use and performing well.

boofuzz

The boofuzz tool is based on the Sulley Fuzzing Framework. It was named after Boo, the little girl in the Monsters Inc. movie. The boofuzz project began when it was clear that Sulley was no longer being actively updated. It uses the core Sulley code, but also aims to improve it. It installs as a Python library.

Since starting the boofuzz project, the developers have added online documentation, support for more communications mediums, extensible failure detection and an easier-to-use interface. Support for serial fuzzing, ethernet and UDP broadcast was also added as default features. Users of boofuzz can also export their results to a CSV file, so full spreadsheets of all triggered faults can be studied as the first step in fixing detected failures.

Many of the known bugs within Sulley have been eliminated in boofuzz, and the tool is actively updated and available on GitHub.

BFuzz

One of the newest fuzzing tools in active use today, BFuzz is still technically in beta. It’s available for free, and users are asked to report on any problems that they encounter when using the tool so the developers can fix them. With that said, BFuzz already has a small bug trophy case including one uncovered vulnerability that resulted in a patch being issued for Epiphany Web and another involving Mozilla Firefox that triggered a buffer overflow.

BFuzz is designed to be an input-based fuzzer that uses .html and browsers as its input vector. In that sense, it resembles a DAST tool and might be a good fit for organizations that rely heavily on them since BFuzz uses similar testing methods but looks for different kinds of errors.

It’s clear that the developer is really putting a lot of effort into BFuzz, and big things might be in store for this fuzzer. There is even a small YouTube video showing the fuzz tool in action.

PeachTech Peach Fuzzer

The PeachTech Peach Fuzzer is a commercial fuzzing tool where a lot of the legwork for testers has already been done by the PeachTech company. How the Peach Fuzzer works is that you load and configure the fuzzing engine with what the company calls Peach Pits.

Peach Pits are prewritten test definitions that cover a variety of different platforms. PeachTech says that each Pit contains specifications that fit specific targets, such as the structure of the data the target consumes and how the data flows to and from the tested device or application. This allows testers to tightly focus their fuzz testing with very little setup. PeachTech also makes it easy for users to create their own Pits, so that the Peach Fuzzer tool can work with proprietary systems.

Because of the unique ways that the Peach Fuzzer engine can be programmed using Peach Pits, almost no system can’t be fuzzed by the tool. It works with Mac, Windows and Linux, of course. It can also be used to fuzz network protocols, embedded systems, drivers, Internet of Things devices and just about anything else that accepts commands and is thus susceptible to fuzzed inputs.

Copyright © 2019 IDG Communications, Inc.

How to choose a SIEM solution: 11 key features and considerations