Fuzzing for Quality Assurance


Over the past decade, I’ve had the opportunity to develop and test a lot of software, specifically software built to gain access to computers and harvest valuable information. Yep, we’re talking about exploits and implants…

With that said, I’m willing to bet quality assurance is low on everyone’s mind when it comes to top-tier “hacking tools”. However, the QA process is the backbone of what it takes to operate at that level. Unlike a web browser or the mobile app du jour, there’s no room for error when it comes to malware. Think about it…if you crash a box, you’re caught. If you get logged, you’re caught (at least you should be :). If you fail to handle the latest security product or exploit mitigation…you’re caught! And when your exploit or implant gets caught, it’s time to start over.


Could you imagine if Pokémon Go had to be rewritten from scratch every time it crashed a certain number of times? Hell, the product wouldn’t have shipped until 2018! Even at that rate, it wouldn’t support the newest/latest/greatest phones and operating systems. Despite these hurdles, my team was able to build a company that delivered software to customers under the highest quality assurance standards. To do this at scale, we relied on an insane amount of automated testing, much of it built around fuzzing (also called “fuzz testing”).

For those not familiar, fuzzing is a software testing technique that feeds invalid, unexpected, or random data to the inputs of a program. The program is then monitored for crashes, failing code assertions, hangs, or memory errors such as leaks and out-of-bounds accesses (in native code these are usually surfaced with instrumentation like AddressSanitizer rather than by waiting for a visible crash). Considering that fuzzing is commonly used by security researchers to find software vulnerabilities, it’s obvious why software developers should use the same techniques to discover those bugs first!


To help address this issue, @chrisbisnett and I put together a two-day course called Fuzzing For Vulnerabilities which:

  • Walks through fuzzing foundations such as mutation-based and generation-based fuzzers, and instrumentation.
Figure: General overview of most fuzzers (courtesy of Mozilla)
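To make the definition above and the mutation/generation distinction from the course outline concrete, here is a small harness added for this page (it is not code from the original post or from the course). The packet format, the parser and its bug are all constructed for the example: the parser trusts the count and length fields it reads from the input, so a malformed packet makes it index past the end of the buffer, which is the Python stand-in for an out-of-bounds read in C. The harness treats a clean rejection (ValueError) as expected and anything else as a crash worth saving, then hunts for that crash two ways: a mutation-based loop that corrupts a known-good seed, and a generation-based loop that builds packets from the format’s grammar with deliberately inconsistent length fields.

```python
"""Added example: a minimal fuzzing harness with mutation-based and
generation-based input strategies against a constructed toy packet parser.
Not code from the original post; the format and the bug are invented here."""
import random

MAGIC = b"FZ"  # constructed format: b'FZ' | count:1 | records...


def parse_packet(data: bytes) -> list:
    """Parse records of the form type:1 | length:1 | payload:length.

    Malformed headers are rejected with ValueError (expected behaviour).
    The loop below trusts `count` and `length`, so a packet whose fields
    promise more bytes than are present raises IndexError: that is the
    constructed bug the fuzzer is meant to find."""
    if len(data) < 3 or data[:2] != MAGIC:
        raise ValueError("bad magic or truncated header")
    count = data[2]
    off = 3
    records = []
    for _ in range(count):
        rtype = data[off]                       # BUG: no check that off < len(data)
        rlen = data[off + 1]
        payload = bytes(data[off + 2 + i] for i in range(rlen))  # BUG: trusts rlen
        records.append((rtype, payload))
        off += 2 + rlen
    return records


def run_target(data: bytes):
    """Harness: None if the input was parsed or cleanly rejected,
    otherwise the unexpected exception, i.e. a crash."""
    try:
        parse_packet(data)
    except ValueError:
        return None            # expected rejection, not a bug
    except Exception as exc:   # anything else is a crash worth keeping
        return exc
    return None


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, byte overwrite, insert, delete or truncate."""
    buf = bytearray(data)
    choice = rng.randrange(5)
    if choice == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif choice == 3 and buf:
        del buf[rng.randrange(len(buf))]
    else:
        buf = buf[: rng.randrange(len(buf) + 1)]
    return bytes(buf)


def mutation_fuzz(seed: bytes, iterations: int, rng_seed: int = 1337) -> dict:
    """Mutation-based fuzzing: corrupt a valid seed and run it, keeping the
    first input seen per exception type so duplicate crashes don't pile up."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        exc = run_target(candidate)
        if exc is not None:
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes


def generate_packets():
    """Generation-based fuzzing: build inputs from the format grammar, with
    declared lengths that deliberately disagree with the 2-byte real payload."""
    for count in range(0, 4):
        for declared_len in (0, 1, 2, 8, 255):
            record = bytes([0x01, declared_len]) + b"AA"
            yield MAGIC + bytes([count]) + record * count


def generation_fuzz() -> dict:
    crashes = {}
    for candidate in generate_packets():
        exc = run_target(candidate)
        if exc is not None:
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes


if __name__ == "__main__":
    seed = b"FZ\x02\x01\x03abc\x02\x02hi"     # constructed valid packet
    for name, found in (("mutation", mutation_fuzz(seed, 500)),
                        ("generation", generation_fuzz())):
        for exc_name, crasher in found.items():
            print(f"{name}: {exc_name} on {crasher!r}")
```

Two points worth noticing. First, the harness decides what a bug is: without the `except ValueError` branch every rejected input would look like a crash and drown the real finding, which is why a fuzz target always needs an explicit oracle. Second, the generation loop finds the bug deterministically because it encodes what the author of the format knows (lengths can lie), while the mutation loop finds it by chance and needs a seed that already exercises the parser; real campaigns combine both and add coverage feedback, which this example leaves out.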

If you’re a developer looking to improve the quality of your software, we’d love for you to join our next class! We’re cyber security veterans (10 years in the US Intelligence Community) with first-hand experience fuzzing software to discover and exploit vulnerabilities. We’ve also taught this class seven times at BlackHat and published a high-level video blog on fuzzing over at Cybrary.

If you like what you read or know someone who could benefit from this blog, don’t hesitate to share! Sharing is caring, and caring helps pay our bills :P

Written by

Ethical Hacker. Malware Connoisseur. CEO at @HuntressLabs.
