Anyone working in information security is familiar with software vulnerabilities. Applying patches to software has become a regular part of our work, and is done every time the vendor – or some keen-eyed researcher – discovers yet another vulnerability in the code.
It is, of course, anyone's guess how many vulnerabilities still remain in the code waiting to be discovered, and exploited.
Software quality can be improved by implementing secure coding practices, but practices cannot guarantee that the final run-time code, which may need to access third-party components, will work without flaws necessarily.
Manual creation of test data is a tedious and limited process, and cannot ever hope to address every single possible permutation of events that may occur in a working system.
One solution is to apply the technique of fuzz testing when creating test data. According to an article published in SearchSecurity.co.uk, fuzzing can be used to conduct much more thorough tests, and can overcome many of the problems and limitation associated with traditional system testing.
The article, entitled 'Fuzzing – or how to help computers cope with the unexpected' (see below for .pdf), is one of nine we are publishing in the 2009 series, which features the best new MSc theses from graduates of the information security group at Royal Holloway University of London (RHUL).
Written by Toby Clarke and Jason Crampton, the article makes a string argument for the use of fuzzing tools at all stages of testing. It explains what fuzzing is, how it can be used, and how traditional testing fails to take account of all possible eventualities in a working system. They also explain the limitation of the approach.
This article should be of interest to anyone charged with testing the resilience of new software before implementation. Read Fuzzing—or how to help computers cope with the unexpected (.pdf) by Toby Clarke and Jason Crampton.
SearchSecurity's association with RHUL began last year when we published 12 articles from RHUL's MSc graduates. These were widely appreciated for their new ideas and relevance to security problems. We believe the 2009 series is equally wide-ranging and thought-provoking.
This was first published in June 2009