*** Welcome to piglix ***

Fuzzing


Fuzzing or fuzz testing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is a form of random testing commonly used to test for security problems in software or computer systems.

For the purpose of security, input that crosses a trust boundary is often the most interesting. For example, it is more important to fuzz code that handles the upload of a file by any user than it is to fuzz the code that parses a configuration file that is accessible only to a privileged user.

Random input was used in some early testing work, notably in "The Monkey", a classic Mac OS application developed by Steve Capps prior to 1983. It used journaling hooks to feed random events into Mac programs, and was used to test for bugs in MacPaint.

The term "fuzz" or "fuzzing" originates from a 1988 class project, taught by Barton Miller at the University of Wisconsin. The project developed a basic command-line fuzzer to test the reliability of Unix programs by bombarding them with random data until they crashed. This early work includes not only the use of random unstructured testing, but also a systematic set of tools to evaluate a wide variety of software utilities on a variety of platforms, along with a systematic analysis of the kinds of errors that were exposed by this kind of testing. In addition, they provided public access to their tool source code, test procedures and raw result data. The test was repeated in 1995, expanded to include testing of GUI-based tools (such as the X Window System), network protocols, and system library APIs. Follow-on work included testing command- and GUI-based applications on both Windows and Mac OS X.

As is often the case, similar techniques existed long before the name was applied. Jerry Weinberg reports using card decks of random numbers, or cards pulled out of the trash, as input to programs in the 1950s.


...
Wikipedia

...