Fuzzing, in cyber security, is a method of finding software vulnerabilities by feeding unexpected or malformed input to a target system and monitoring it for abnormal behaviour.
Its main purpose is to detect security vulnerabilities in software or computer systems. The core idea is to feed automatically or semi-automatically generated random data into a program and watch for exceptions such as crashes and assertion failures.
Barton Miller of the University of Wisconsin first proposed fuzzing in 1988. That work not only used random, unstructured test data but also systematically applied a set of tools to analyse various software on different platforms. In addition, the team disclosed the source code, the testing process, and the raw result data.
Fuzzers that modify existing data samples to generate new test data are called mutation-based fuzzers. This is the most straightforward technique: it starts from a valid sample of the protocol or file format and then corrupts individual bytes of that sample, or whole files.
A generation-based fuzzer instead creates new data from a model of the input format. It starts from scratch, generating inputs on demand rather than deriving them from existing samples.
A protocol-based fuzzer, one of the most successful kinds, has comprehensive knowledge of the protocol format under test. The protocol's specification is supplied to the tool, which then introduces irregularities into data content, message sequences, and so on. This process is also described as grammar testing or robustness testing. Such a fuzzer can create test cases from scratch as well as deliberately invalid inputs.
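To make the mutation-based and generation-based strategies above concrete, here is an added example (not from the original text or from any particular fuzzer) that runs both loops against a constructed toy record parser with a planted length-handling defect, treating assertion failures as findings, as the monitoring step above describes. The record format, the parser and the seed sample are all assumptions made for this demonstration.

```python
import random

def parse_record(data: bytes) -> dict:
    # Constructed toy target: <tag:1><length:1><payload>. It trusts the length
    # field, a defect planted here so the fuzzer has something to surface.
    if len(data) < 2:
        raise ValueError("record too short")  # graceful rejection, not a bug
    tag, length = data[0], data[1]
    payload = data[2:2 + length]
    assert len(payload) == length, "declared length exceeds buffer"
    return {"tag": tag, "payload": payload}

def mutation_cases(seed: bytes, rng: random.Random, n: int, max_flips: int = 3):
    # Mutation-based: start from a valid sample and overwrite a few bytes.
    for _ in range(n):
        buf = bytearray(seed)
        for _ in range(rng.randint(1, max_flips)):
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        yield bytes(buf)

def generation_cases(rng: random.Random, n: int):
    # Generation-based: build records from a model of the format, no seed needed.
    for _ in range(n):
        header = bytes([rng.randrange(256), rng.randrange(256)])  # tag, length
        yield header + rng.randbytes(rng.randrange(16))

def fuzz(target, cases) -> dict[str, bytes]:
    # Run each case and monitor: ValueError is expected, anything else is a
    # crash-like result. Findings are keyed by exception text, one case each.
    findings: dict[str, bytes] = {}
    for case in cases:
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            findings.setdefault(f"{type(exc).__name__}: {exc}", case)
    return findings

def run_demo(rng_seed: int = 0, n: int = 500) -> dict[str, dict[str, bytes]]:
    rng = random.Random(rng_seed)
    seed = b"\x01\x03abc"  # constructed valid sample: tag 1, length 3, payload "abc"
    return {"mutation": fuzz(parse_record, mutation_cases(seed, rng, n)),
            "generation": fuzz(parse_record, generation_cases(rng, n))}

if __name__ == "__main__":
    for strategy, found in run_demo().items():
        for msg, case in found.items():
            print(f"{strategy}: {msg} on {case!r}")
```

Both strategies surface the same planted assertion failure; a real harness would additionally save each failing case and attach a crash triage step.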
Fuzzing is a software testing technique used to identify defects in an application. It does not guarantee that every defect in a program is detected; a fuzzing approach does, however, improve the application's resilience and security, because it reveals the most common classes of flaws.