[Audio] Hello everyone, my name is Robert, and I am here today to make a presentation about Fuzz Testing.
[Audio] What is Fuzz Testing? Put simply, fuzzing introduces unexpected inputs, known as fuzz, into a system and watches to see if the system has any negative reactions to the inputs that indicate security, performance, or quality gaps or issues. Barton Miller, a professor at the University of Wisconsin, invented fuzz testing in 1989.
[Audio] Why do Fuzz Testing? Usually, fuzz testing finds the most serious security fault or defect. Fuzz testing is used to check the vulnerability of software. Fuzzing is one of the most common methods hackers use to find the vulnerability of the system.
[Audio] The advantages of Fuzz Testing include: Fuzz testing improves software security testing. Bugs found in fuzzing are sometimes severe and most of the time are used by hackers, including crashes, memory leaks, unhandled exceptions, etc. If any of the bugs fail to get noticed by the testers due to the limitation of time and resources, those bugs are also found in fuzz testing. It presents results with little effort: as soon as a fuzzer is up and running, it may be left for hours, days, or months to search for bugs without any interaction. The disadvantages of Fuzz Testing include: Fuzz testing alone cannot provide a complete picture of an overall security threat or bugs. Fuzz testing is less effective for dealing with security threats that do not cause program crashes, such as some viruses, worms, Trojans, etc. Fuzz testing can detect only simple faults or threats. To perform effectively, it will require significant time.
[Audio] Types of Fuzzers: Fuzzers that modify existing data samples to produce new test data are known as mutation-based fuzzers. Generation-based fuzzers create new data based on the model's input. It starts from the beginning, producing input depending on the requirements. The most successful fuzzer is the protocol-based fuzzer, which has extensive knowledge of the protocol format being tested. The understanding depends on the specification. It involves writing an array of the specification into the tool, then using the model-based test generation technique to go through the specification and add irregularity in the data contents, sequence, etc. The fuzzer can generate test cases from an existing one, or it can use valid or invalid inputs.
[Audio] Fuzz Testing Tools: Developers can benefit from a whole range of open-source software fuzzing tools. These are often specialized for specific use cases or programming languages. But there are also a few commercial solutions that become relevant if you're working in larger development teams or DevOps environments. Usually, they come with more integrations and features, such as automated bug reporting, continuous integration and continuous delivery, OWASP vulnerability detection, etc.
[Audio] Steps to Successful Fuzz Testing: Step 1) Identifying the target system. Step 2) Identifying inputs. Step 3) Generating fuzzed data. Step 4) Executing the test using fuzzy data. Step 5) Monitoring the system behavior. Step 6) Logging defects.
[Audio] With each passing year, vehicles become more complicated and connected. International Data Corporation predicts that by 2023, almost 70% of worldwide new light-duty cars and trucks may have embedded connectivity. While this connectivity provides consumers the comfort they demand, it will increase the automobile's attack surface: USB connections, connected entertainment, navigation systems, and wireless systems. This makes automated security tests even more crucial to prevent criminals from stealing the automobile and compromising automobile systems and the privacy and safety of occupants. Due to increased security regulations, more and more software companies have to run automated security tests before shipping their software. That's why many industries and ISO standards recommend integrating automated fuzz testing into the development process, especially in industries that already have advanced quality and security regulations. A good example is ISO/SAE 21434 and UNECE WP.29, which deal with the security of automotive software.
[Audio] The following are the common challenges when fuzz testing: Where to start fuzzing? How to fuzz complex systems with dependencies? The dependencies within the automobile software make it difficult for developers to fuzz the programs well, and the manual effort remains very high. How to integrate fuzz testing into the CI/CD? Developers, safety specialists, and managers must be on the same page about the consequences of these modifications and the way they affect certain methods.
[Audio] In conclusion, fuzzing cannot guarantee the detection of bugs completely in an application. Remember… there is also a human component to automated bug finding. Thank you for your time and for listening to my presentation about Fuzz testing. Please feel free to ask any questions.