Fuzz Testing
Recently a few people have been asking what fuzz testing is, and one of our members happens to be doing exactly this kind of testing and shared what fuzz testing is and how to do it. So I spent some time tidying up their material. (Thanks to Chris Chen for the study.)
First, the definition of fuzz testing, taken from Wikipedia:
Fuzz testing, fuzzing, Robustness Testing or Negative Testing is a software testing technique that provides random data ("fuzz") to the inputs of a program. If the program fails (for example, by crashing, or by failing built-in code assertions), the defects can be noted.
Here is an example of how to use it to test a CGI program.
A normal HTTP request looks like this:
HTTP://ABCSystem/webapp/Commoncig/ccgiservlet?uid=chris&group=work
When fuzz testing, we send this instead:
HTTP://ABCSystem/webapp/Commoncig/ccgiservlet?uid=chris&group=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Long input is used to check whether the program's error handling holds up and whether it has a buffer overflow. So at its core it is a fairly simple testing method.
Of course it is not quite that simple. In some programs, once uid is invalid, group is never checked at all, so fuzzing group on such a request tells you nothing. You therefore have to look at the program logic as you go, to confirm that your data is actually reaching the code you want to test, and to decide how to combine the input strings (for example, keeping every other parameter valid while mutating one at a time).
The fuzz data types we currently use for CGI testing fall roughly into these groups:
(1) DB related: '; select 1 --
(2) Buffer overflow: 4096 of A
(3) Integer overflow: -1, -1024, 210+1
(4) Special characters: ~!@#$%^&*()_+...
This data matters a great deal: you need to collect a large set of such strings, because the coverage of your test is only as good as the payload list. I hear there are quite a few such payload collections online.
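To make the CGI example and the payload groups above concrete, here is a small one-parameter-at-a-time query-string fuzzer. It is an added example, not the ABCSystem servlet or Chris's tooling: the toy servlet, its list of valid uids, the 64-byte group buffer and the extra payload values are all assumptions made here so that it runs offline. The toy target deliberately has the logic the caveat above describes (an invalid uid short-circuits before group is looked at), so you can see that the same payloads find three issues with a valid uid and nothing at all with an invalid one.

```python
"""One-parameter-at-a-time fuzzing of a CGI query string.  Added example,
not the ABCSystem code: the toy servlet, its uid list, buffer size and
the payload list are all assumptions made here so it runs offline."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, parse_qs, urlencode

# The four data classes from the post, with a couple of extra values each.
FUZZ_DATA = {
    "db": ["'; select 1 --", "' or '1'='1"],
    "buffer_overflow": ["A" * 4096],
    "integer": ["-1", "-1024", "2147483648"],
    "special_chars": ["~!@#$%^&*()_+", "%00", "<script>"],
}


def build_cases(base_url):
    """Yield (param, category, url).  Only one parameter is replaced per
    request; the others keep the known-good values from base_url so the
    request still gets past whatever checks run before the fuzzed field."""
    parts = urlsplit(base_url)
    baseline = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, _) in enumerate(baseline):
        for category, payloads in FUZZ_DATA.items():
            for payload in payloads:
                mutated = list(baseline)
                mutated[i] = (name, payload)
                yield name, category, urlunsplit(parts._replace(query=urlencode(mutated)))


# --- constructed target, standing in for ccgiservlet -------------------
VALID_UIDS = {"chris", "alice"}   # assumption
GROUP_BUF = 64                    # assumption: size of the fixed group buffer


class ServletCrash(Exception):
    """Stands in for the process dying (the real symptom of an overrun)."""


def toy_servlet(url):
    """Return (status, body) or raise.  Note the ordering the post warns
    about: an invalid uid short-circuits, so group is never looked at."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    uid = q.get("uid", [""])[0]
    group = q.get("group", [""])[0]
    if uid not in VALID_UIDS:
        return 403, "unknown uid"
    if len(group) > GROUP_BUF:
        raise ServletCrash("group overran its %d-byte buffer" % GROUP_BUF)
    if "'" in group:
        return 500, "SQL syntax error near \"'\""
    return 200, "ok %s/%s" % (uid, group)


def fuzz(target, base_url):
    """Send every case; a crash or a 5xx response is a finding worth triage."""
    findings = []
    for name, category, url in build_cases(base_url):
        try:
            status, body = target(url)
        except Exception as exc:
            findings.append((name, category, "crash: %s: %s" % (type(exc).__name__, exc)))
            continue
        if status >= 500:
            findings.append((name, category, "HTTP %d: %s" % (status, body)))
    return findings


if __name__ == "__main__":
    good = "HTTP://ABCSystem/webapp/Commoncig/ccgiservlet?uid=chris&group=work"
    bad = "HTTP://ABCSystem/webapp/Commoncig/ccgiservlet?uid=nobody&group=work"
    for label, url in (("valid uid", good), ("invalid uid", bad)):
        print(label, fuzz(toy_servlet, url))
```

Against a real target, `toy_servlet` would be replaced by a function that performs the HTTP request and maps a timeout, connection reset or stack trace in the body onto the same crash/5xx signals; the point of keeping the baseline values for the untouched parameters is exactly the caveat above, since with `uid=nobody` every request dies at the uid check and the group overflow is never reached.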
A colleague of mine found a page listing some fuzz testing tools that he says are quite usable; worth a try:
http://www.dragoslungu.com/2007/05/12/my-favorite-10-web-application-security-fuzzing-tools/
I also found a page with a short introduction to fuzz testing tools, which is worth a look:
http://blog.chinaunix.net/u2/69926/showart_706962.html
And here is how Microsoft does fuzz testing:
http://blogs.msdn.com/sdl/archive/2007/09/20/fuzz-testing-at-microsoft-and-the-triage-process.aspx
This is their process; for the details, read the blog post itself.
Stage 1: Prerequisites
* Identifying the targets (program interfaces to fuzz)
* Prioritizing your efforts (test planning)
* Setting Bug Bar
Stage 2: Creation of fuzzed data (malformed data)
* Will we be format-aware (e.g. most files follow a format)? Context-aware (e.g. order and/or timing of data may be important)?
* Will we use existing data (mutation) or generate it from scratch (generation)?
* Will the malformations we apply be based on type? Use interesting patterns? Over how many bits/bytes?
* Will we apply malformations with or without restriction? Are we going to be deterministic or random or both? How many times in a single iteration do we apply any given malformation?
Stage 3: Delivery of fuzzed data to the application under test
* Determining the best method to get the application under test to consume the fuzzed data (e.g. load path from cmd-line or GUI; API hooking; MITM proxies; DLL redirection; in-memory start-stop-rewind, etc)
* Implementing the appropriate delivery mechanism and conducting the test
Stage 4: Monitoring of application under test for signs of failure
* What should we look for?
* What do we do when we see it?
Stage 5: Triaging Results
* How can we classify and analyze issues found?
Stage 6: Identify root cause, fix bugs, rerun failures, analyze coverage data (rinse and repeat)