Fuzzing: The fun of crash testing software

Fuzzing has been around a while at the major companies, and it is fast becoming a popular way to compare the security of different software products.

Crash-testing software is a fast-growing way to see which programs hold up the best, according to speakers at an Infosec press conference in London.

Already used by hackers for some time, destructive software testing, also called "fuzzing" or "fuzz testing", is a penetration technique that differs from traditional security measures, which look for already known attacks and vulnerabilities.

Instead of waiting for code to fail, fuzz testing proactively tries to break it, sending systematically broken inputs into software in order to crash it. Such fuzzing is said to break 80 per cent of tested software, discovering unknown flaws.
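To make "systematically broken inputs" concrete, here is an added example (not from the article or from any vendor it mentions): a small black-box fuzzer run against a constructed record parser, first as written and then with a length check added. The record format, function names and sample input are all assumptions made for the illustration.

```python
import struct

BOUNDARY = (0x00, 0x7F, 0x80, 0xFF)  # byte values that commonly expose length/sign bugs

def make_record(rtype: int, payload: bytes) -> bytes:
    """Constructed format: type (1 byte), length (2 bytes, big-endian), payload, checksum."""
    return struct.pack(">BH", rtype, len(payload)) + payload + bytes([sum(payload) % 256])

def parse_record(data: bytes, check_length: bool = False) -> dict:
    """Constructed target. Documented rejection is ValueError; any other exception is a bug."""
    if len(data) < 3:
        raise ValueError("short header")
    rtype, length = struct.unpack(">BH", data[:3])
    if check_length and len(data) < 3 + length + 1:
        raise ValueError("length field exceeds input")   # the fix
    payload = data[3:3 + length]
    checksum = data[3 + length]      # without the check, the length field is trusted here
    if checksum != sum(payload) % 256:
        raise ValueError("bad checksum")
    return {"type": rtype, "payload": payload}

def mutations(seed: bytes):
    """Systematically broken variants of one valid input."""
    for i in range(len(seed)):                 # boundary value at every byte position
        for v in BOUNDARY:
            if seed[i] != v:
                yield seed[:i] + bytes([v]) + seed[i + 1:]
    for n in range(len(seed)):                 # every truncation
        yield seed[:n]
    yield seed + seed                          # trailing data

def fuzz(target, seed: bytes) -> dict:
    """Black-box run: returns {exception name: first input that triggered it}."""
    findings = {}
    for case in mutations(seed):
        try:
            target(case)
        except ValueError:
            continue                           # clean rejection, not a finding
        except Exception as exc:               # unexpected failure = "crash"
            findings.setdefault(type(exc).__name__, case)
    return findings

SEED = make_record(1, b"hello")                # constructed sample input

if __name__ == "__main__":
    print("original:", fuzz(parse_record, SEED))
    print("hardened:", fuzz(lambda d: parse_record(d, check_length=True), SEED))
```

The fuzzer never reads the parser's source: it only feeds inputs and watches for failures the parser was not designed to raise, which is why the same harness can be pointed at two implementations to compare them.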

Ari Takenen, chief technical officer for Codenomicon, compared it to crash testing in the auto industry, which helps make product safety comparisons between vehicles more meaningful. In IT, the same comparisons could be made between software products.


He said: "Anyone can do it. It doesn't require core access to the source code and it's a really useful way of comparing the security of different products. This helps buyers to make really good choices, just like the car industry."

Takenen said all the major software companies have used fuzzing. HP and IBM have used "web fuzzing" products, he said. Although they didn't necessarily use that name for the technique, this is where testers look for vulnerabilities on web portals using the crash-testing system.

Takenen said even Google has fuzzed: "They have some dedicated people who act as fuzzers, and you see it at many other companies as well."

In 2007, Google released an open-source tool called Flayer, which finds multiple vulnerabilities in internet-critical products.

"I think they used their internal tools mostly in developing communication devices, mostly Android, as well as all those critical communications like e-mail," Takenen said.

He said that fuzzing was a fast-growing market, with its applications used in different industries, from telecom service providers to critical industries such as finance, government and leading online commerce. Fuzzing products are built and licensed as software products or appliances, or offered as penetration testing and certification services.


Takenen also said that a number of control system users and manufacturers were investigating the feasibility of creating an organisation around fuzzing. This would establish a set of specifications and processes for the testing and certification of critical control systems products.
