Fuzzing Notes

2021-11-25

1. Definition

In the academic world, fuzzing can be most closely related to boundary value analysis (BVA), where you look at the range of known good values for a particular input and create test values that straddle the boundary cases of known good and bad values.

It is typically an automated or semi-automated process that involves repeatedly manipulating and supplying data to target software for processing. All fuzzers fall into one of two categories: mutation-based fuzzers, which apply mutations to existing data samples to create test cases, and generation-based fuzzers, which create test cases from scratch by modeling the target protocol or file format.

1.1. Boundary value analysis (BVA)

BVA is another black-box test design technique, used to find errors at the boundaries of the input domain (it tests the behaviour of a program at the input boundaries) rather than in the centre of the input. So the basic idea in boundary value testing is to select input variable values at their minimum, just above the minimum, just below the minimum, a nominal value, just below the maximum, the maximum, and just above the maximum.

That is, for each range there are two boundaries, the lower boundary (start of the range) and the upper boundary (end of the range), and these boundaries are the beginning and end of each valid partition. We should design test cases that exercise the program functionality at the boundaries and with values just inside and just outside them. Boundary value analysis is also part of stress and negative testing.

  • Suppose the input is a set of values between A and B; then design test cases for A-1, A, A+1 and B-1, B, B+1.
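The seven-probe scheme above, driven at a range validator, as an added example that is not code from the original notes. The validator `parse_port`, its deliberate off-by-one in the upper bound, and the 1..65535 port range are constructed for illustration; the BVA run flags the probe where the validator's accept/reject decision disagrees with the specified range.

```python
"""Boundary value analysis (BVA) driven at a range validator.

Added example, not code from the original notes. `parse_port`, its
deliberate off-by-one, and the 1..65535 range are constructed for
illustration.
"""


def bva_values(low, high):
    """Return the seven classic BVA probes for the closed range [low, high]:
    just below the minimum, the minimum, just above it, a nominal value,
    just below the maximum, the maximum, and just above it."""
    nominal = (low + high) // 2
    return [low - 1, low, low + 1, nominal, high - 1, high, high + 1]


def in_range(value, low, high):
    """Oracle: what the specification says the validator should accept."""
    return low <= value <= high


def parse_port(value):
    """Hypothetical validator for TCP ports 1..65535, with a constructed
    off-by-one in the upper bound (65536 is wrongly accepted)."""
    if value < 1 or value > 65536:
        raise ValueError("port out of range")
    return value


def parse_port_fixed(value):
    """Same validator with the upper bound corrected."""
    if value < 1 or value > 65535:
        raise ValueError("port out of range")
    return value


def run_bva(validator, low, high):
    """Feed every BVA probe to the validator and return the probes where the
    observed accept/reject decision disagrees with the specification."""
    findings = []
    for probe in bva_values(low, high):
        try:
            validator(probe)
            accepted = True
        except ValueError:
            accepted = False
        if accepted != in_range(probe, low, high):
            findings.append((probe, accepted))
    return findings


if __name__ == "__main__":
    print("buggy:", run_bva(parse_port, 1, 65535))        # [(65536, True)]
    print("fixed:", run_bva(parse_port_fixed, 1, 65535))  # []
```

The oracle is the important design choice: BVA only finds the bug because `in_range` encodes the specification independently of the code under test. Without a separate oracle, the fuzzer could only notice crashes, not a value that is silently accepted one past the boundary.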

2. Fuzzing phases

  1. Identify target
    1. Identify the target before choosing a fuzzing tool.
  2. Identify inputs
    1. Virtually all exploitable vulnerabilities are caused by applications accepting user input and processing that data without first sanitizing it or applying validation routines. Enumerating input vectors is pivotal to the success of fuzzing.
    2. Anything sent from the client to the target should be considered an input vector. That includes headers, filenames, environment variables, registry keys, and so on. All should be considered input vectors and are therefore potential fuzz variables.
  3. Generate fuzzed data (automation)
    1. How should the input values be designed?
  4. Execute fuzzed data (automation)
  5. Monitor for exceptions
  6. Determine exploitability
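The phases above, walked through by a minimal mutation-based fuzzer, as an added example that is not code from the original notes. The target `parse_records`, its record format (1-byte length, payload, 1-byte checksum), its constructed bug, the seed corpus and the mutation operators are all assumptions made for illustration. The monitoring step separates the parser's documented rejection path (`ValueError`) from unexpected exceptions, and deduplicates findings by exception type and source line.

```python
"""Minimal mutation-based fuzzer that walks the phases above: a fixed target
and input vector, fuzzed data generated by mutating seeds, execution, and
exception monitoring. Added example, not code from the original notes;
`parse_records`, its bug, the record format and the seed corpus are constructed.
"""
import random
import traceback


def make_record(payload):
    """Constructed wire format: 1-byte length, payload, 1-byte checksum."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])


# Seed corpus of well-formed inputs (the "identify inputs" phase).
SEEDS = [
    make_record(b"GET"),
    make_record(b"hello") + make_record(b"world"),
    make_record(b"") + make_record(b"\x00\xff" * 4),
]


def parse_records(data):
    """Hypothetical target. Constructed bug: it trusts the declared length, so a
    length that runs past the buffer indexes out of range (IndexError) instead
    of being rejected cleanly."""
    records, i = [], 0
    while i < len(data):
        length = data[i]
        payload = data[i + 1:i + 1 + length]
        checksum = data[i + 1 + length]          # may index past the end
        if sum(payload) % 256 != checksum:
            raise ValueError("bad checksum")     # graceful rejection
        records.append(payload)
        i += 2 + length
    return records


def parse_records_fixed(data):
    """Hardened form: bounds-check the declared length before using it."""
    records, i = [], 0
    while i < len(data):
        end = i + 1 + data[i]
        if end >= len(data):
            raise ValueError("truncated record")
        payload = data[i + 1:end]
        if sum(payload) % 256 != data[end]:
            raise ValueError("bad checksum")
        records.append(payload)
        i = end + 1
    return records


# Mutation operators (the "generate fuzzed data" phase); each edits in place.
def flip_bit(s, rng):
    if s:
        s[rng.randrange(len(s))] ^= 1 << rng.randrange(8)

def replace_byte(s, rng):
    if s:
        s[rng.randrange(len(s))] = rng.randrange(256)

def insert_byte(s, rng):
    s.insert(rng.randrange(len(s) + 1), rng.randrange(256))

def delete_byte(s, rng):
    if s:
        del s[rng.randrange(len(s))]

def truncate(s, rng):
    if s:
        del s[rng.randrange(len(s)):]

MUTATORS = [flip_bit, replace_byte, insert_byte, delete_byte, truncate]


def fuzz(target, seeds, iterations, rng_seed=0):
    """Execute mutated inputs and monitor for exceptions. ValueError is the
    target's documented rejection path; anything else is a finding, keyed by
    exception type and the line it was raised on so duplicates collapse."""
    rng = random.Random(rng_seed)
    findings = {}
    for _ in range(iterations):
        sample = bytearray(rng.choice(seeds))
        for _ in range(rng.randint(1, 3)):
            rng.choice(MUTATORS)(sample, rng)
        try:
            target(bytes(sample))
        except ValueError:
            continue
        except Exception as exc:
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            findings.setdefault((type(exc).__name__, frame.lineno), bytes(sample))
    return findings


if __name__ == "__main__":
    for key, sample in fuzz(parse_records, SEEDS, 2000).items():
        print(key, sample.hex())
    print("fixed parser findings:", fuzz(parse_records_fixed, SEEDS, 2000))
```

Running the same loop against `parse_records_fixed` produces no findings, which is the check a practitioner wants after a fix: the fuzzer is deterministic (seeded RNG), so the reproducer stored for each finding can be replayed against the patched parser. Exploitability (phase 6) is not decided here; the loop only reports which unexpected exception fired and where.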

2.1. LIMITATIONS AND EXPECTATIONS

We present several classes of vulnerabilities that typically go undiscovered by a fuzzer:

  1. ACCESS CONTROL FLAWS
    1. A fuzzer does not have an understanding of the logic of the program. There is no way for the fuzzer to know that the admin area should not be accessible to a regular user.
  2. POOR DESIGN LOGIC
    1. Attacks that arise from places the program's design never anticipated.
  3. BACKDOORS
    1. For a fuzzer, with limited or no information about the structure of a target application, a backdoor is seen no differently than any other target logic, such as a login screen. Both are simply input vectors receiving authentication credentials.
    2. When a password is entered, malicious characters can be found by the fuzzer, but a hard-coded password cannot.
  4. MEMORY CORRUPTION
    1. Consider, for example, a format string vulnerability that could go undetected without attaching a debugger to the target process.
  5. MULTISTAGE VULNERABILITIES
    1. Complex attacks often involve leveraging several vulnerabilities in succession to compromise a machine. Fuzzing might be useful for identifying the individual flaws but will not generally be valuable for chaining together a series of minor vulnerabilities or otherwise uninteresting events to identify a multivector attack.
© 2024 何决云