What Is Fuzz Testing?

Fuzz testing, or fuzzing, is a method of checking to see how a computer program or system will respond to various, sometimes random, inputs and information. The process involves generating some type of data, either completely random or random within certain constraints, and then feeding that data into the program to test how it handles unexpected information. The most basic form of fuzz testing involves sending a random sequence of key presses or characters to the program and checking that it processes them correctly. A more complex version of fuzz testing uses structured data that is then randomly manipulated and sent to the program. The data can reach the program as system events, keyboard inputs, mock network signals or even as files that are to be loaded.

There are various parts of a computer program that can be tested with a fuzz generator. The graphical user interface (GUI) can be tested by creating a sequence of random mouse and keyboard events and checking that the GUI is able to handle the input without crashing, freezing or performing an unexpected task. Network protocols can be tested by allowing the fuzz generator to randomly change parts of a valid data packet and then ensuring that the protocol can continue to function after receiving malformed data. The basic input elements of nearly any program can be checked for their ability to resist errors, such as input that is far too long for the storage type, input that is of a different type than expected and input that is somehow incomplete or incorrect.

The computer security industry can use fuzz testing to ensure that no obvious security holes exist in certain systems. This can be done by using a fuzz generator designed for testing computer security. These programs will attempt to use system keywords, known default administrator passwords, functions within the libraries the program uses, and random calls to system functions to see how the program will react.

The different types of fuzz testing can be customized to be within certain ranges, or even to test only specific types of input. This means a program could have only valid commands sent to it, but they could be in a nonsensical order. More complex fuzz testing programs exist that can take elements of the target program and manipulate them to produce situations that could be exploited maliciously. This can include changing the order of processes that are spawned, modifications of permissions, or modification of core data and library files.

The end result of fuzz testing is to see if a program is secure and behaves as it should when confronted with an unexpected situation. When used in tandem with profiling and analysis software, it also can detect memory leaks in areas of the program such as error handling, or performance bottlenecks. In cases of computer security, hazardous problems such as overflows that can compromise a system can be caught with the correct setup. Fuzz testing, however, cannot be used as the sole method of software testing and needs to be part of a larger process of quality assurance and software inspection.