Aspects of fuzz testing | How much do you know about fuzz testing tools

Since Barton Miller of the University of Wisconsin first proposed the concept of fuzz testing in 1988, the field has developed continuously. As a software testing method, fuzz testing aims to detect potential vulnerabilities and errors by feeding malformed, random, and abnormal data into a program, an approach that security researchers favor. Over time, the field has produced a rich variety of fuzzing tools.

Fuzzing tools can be divided into categories according to what they test: file format fuzzing tools, network protocol fuzzing tools, operating system fuzzing tools, web service fuzzing tools, fuzzing tools for specific programming languages, and more. Each category has contributed to improving software security: by probing for vulnerabilities in a targeted manner, these tools help security personnel better understand the risks in their software.

Many tools have emerged in the field of fuzz testing. The following introduces some well-known open source fuzz testing tools to help readers choose the one that best suits their needs.

File format fuzzing tools

File format fuzzing tools are mainly used to test the robustness and security of file format parsers, and each targets particular formats, such as PDF, JPEG, or MP3. By generating random input data that does not conform to the file specification, they try to trigger unhandled errors in the target program, such as buffer overflows and memory leaks.

01

AFL

AFL (American Fuzzy Lop) is a coverage-guided fuzz testing tool developed by security researcher Michał Zalewski (@lcamtuf). It records the code coverage reached by each input sample and mutates the samples that reach new coverage, which increases the probability of discovering vulnerabilities.

02

WinAFL

WinAFL is the Windows version of AFL, an open source fuzzing tool designed for the Windows platform. Unlike the original AFL, WinAFL uses DynamoRIO dynamic instrumentation to monitor the execution of the target program, collect code coverage information, and adjust the input samples based on that feedback.

03

libFuzzer

libFuzzer is an open source fuzzing library developed by the LLVM project for continuous, evolutionary fuzzing. Unlike tools such as AFL, libFuzzer is a fuzzer for library functions: it is linked directly with the target library and calls it in-process, without launching or interacting with an external program.
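The coverage-guided loop that AFL and libFuzzer are built around, reduced to a few dozen lines as an added example (this is not AFL's or libFuzzer's code; the file format, its parser, the bug in it and the seed are all constructed for illustration). A set of branch identifiers collected by the parser stands in for the instrumentation the compiler inserts. The fuzzer keeps every input that reaches a branch it has not seen before and mutates from there. Running the same loop with the feedback switched off shows why the guidance matters: a single-byte mutation of a fixed seed can never satisfy several byte comparisons in sequence, so the unguided run finds nothing.

```python
"""Coverage-guided fuzzing in miniature (the AFL/libFuzzer principle) against a toy
file-format parser. Constructed example, not AFL's or libFuzzer's code."""
import random
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

MAGIC = b"FZ1"                  # constructed 3-byte magic for the toy format
HEADER_LEN = len(MAGIC) + 2     # magic | chunk kind | chunk length | body...


def parse_record(data: bytes, cov: Set) -> str:
    """Toy parser for the constructed format. `cov` collects branch identifiers;
    in AFL/libFuzzer the compiler inserts this bookkeeping for you."""
    if len(data) < HEADER_LEN:
        cov.add("too_short")
        return "short"
    for i, expected in enumerate(MAGIC):   # one branch per byte, like a byte-wise compare
        if data[i] != expected:
            cov.add(("magic_mismatch", i))
            return "bad_magic"
        cov.add(("magic_ok", i))
    kind, length = data[len(MAGIC)], data[len(MAGIC) + 1]
    body = data[HEADER_LEN:]
    if kind == ord("A"):
        cov.add("chunk_a")
        return "text"
    if kind == ord("B"):
        cov.add("chunk_b")
        # Bug: trusts the length field. Reading `length` bytes from a shorter body is an
        # out-of-bounds read (IndexError here; a heap over-read in a C parser).
        checksum = sum(body[i] for i in range(length))
        cov.add("chunk_b_ok")
        return f"binary:{checksum}"
    cov.add("unknown_kind")
    return "unknown"


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random byte-level mutation (a small subset of AFL's havoc stage)."""
    buf = bytearray(data)
    op = rng.randrange(5)
    pos = rng.randrange(len(buf))
    if op <= 1:                      # overwrite one byte (weighted twice)
        buf[pos] = rng.randrange(256)
    elif op == 2:                    # flip one bit
        buf[pos] ^= 1 << rng.randrange(8)
    elif op == 3:                    # insert a byte
        buf.insert(pos, rng.randrange(256))
    elif len(buf) > 1:               # delete a byte, never emptying the input
        del buf[pos]
    return bytes(buf)


@dataclass
class FuzzResult:
    crash: Optional[bytes] = None
    iterations: int = 0
    corpus: List[bytes] = field(default_factory=list)
    edges: Set = field(default_factory=set)


def fuzz(target: Callable[[bytes, Set], str], seed: bytes, iterations: int,
         guided: bool = True, rng_seed: int = 0) -> FuzzResult:
    """Mutate inputs drawn from the corpus; with `guided`, keep any input that reaches
    a new branch. Stops at the first input that makes the target raise."""
    rng = random.Random(rng_seed)
    res = FuzzResult(corpus=[seed])
    seed_cov: Set = set()
    target(seed, seed_cov)           # record what the seed already covers
    res.edges |= seed_cov
    for n in range(1, iterations + 1):
        res.iterations = n
        # Parent choice: half the time the newest entry (the current frontier), else any.
        parent = res.corpus[-1] if rng.random() < 0.5 else rng.choice(res.corpus)
        child = mutate(rng, parent)
        cov: Set = set()
        try:
            target(child, cov)
        except Exception:            # an uncaught exception plays the role of a sanitizer report
            res.crash = child
            return res
        if guided and not cov <= res.edges:   # reached a branch never seen before: keep it
            res.edges |= cov
            res.corpus.append(child)
    return res


if __name__ == "__main__":
    seed = bytes(6)                  # constructed seed: all zeros, so even the magic is wrong
    for guided in (True, False):
        r = fuzz(parse_record, seed, 300_000, guided=guided)
        print(f"guided={guided}: crash={r.crash!r} after {r.iterations} runs, "
              f"corpus={len(r.corpus)}, edges={len(r.edges)}")
```

The guided run typically reaches the over-read within a few tens of thousands of executions, saving one corpus entry per magic byte, one for the chunk kind and then the crashing length; the unguided run exhausts its budget with a corpus of one. The same structure, with the compiler supplying the edge set and a sanitizer supplying the crash signal, is what the tools above do at scale.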

Network protocol fuzzing tools

Network protocol fuzzing tools test the security and robustness of protocol implementations. By sending random or semi-random packets that may violate the protocol specification to the target system, they try to provoke abnormal behavior such as crashes, memory errors, or more serious security issues.

01

Peach Fuzzer

Peach, originally a fuzzing framework released under the MIT open source license, was the first comprehensive open source tool in which fuzzers are defined in XML. There are three main versions: the first was written in Python and released in 2004; the second was released in 2007; Peach 3 was released in early 2013, with the entire framework rewritten in C#. Peach supports fuzzing file formats, network protocols, APIs, and more, and provides extensive extension and customization features to suit various testing needs and scenarios. It is worth noting that Peach was acquired by GitLab in 2020 and is no longer open source.

02

Boofuzz

Boofuzz is an open source network protocol fuzzing framework written in Python, a successor to Sulley. Boofuzz provides primitives and helper functions for describing and fuzzing network protocols; on top of these, we can write Python scripts for our own targets and so tailor a fuzzer to a specific target.

03

AFLNet

AFLNet is a grey-box protocol fuzzing tool that combines code coverage feedback, seed mutation, and state feedback. Unlike traditional generation-based protocol fuzzers, it needs no protocol specification: it uses recorded message exchanges between server and client as seeds. In essence, it simulates a client that sends a sequence of messages to the server, and retains mutated sequences that trigger new code paths or new response states. AFLNet uses the server's response codes to identify the states reached by a message sequence, and uses this feedback to steer toward the states worth exploring.
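The stateful fuzzing loop that this section and the Boofuzz entry describe, as an added example in miniature (not AFLNet's or Boofuzz's code). The toy server, its verbs, the "guest" credential, its bug and the seed session are all constructed for illustration. As in AFLNet, the seed is a recorded message sequence rather than a protocol specification, mutation works on whole messages (insert, drop, repeat, replace), and the server's response codes provide the state feedback: a sequence is kept whenever it produces a response-code transition the fuzzer has not seen before. The seed here is an unauthenticated session, so the fuzzer has to discover the authenticated state first and then the message order that breaks it.

```python
"""Stateful protocol fuzzing in miniature: message-sequence mutation with the server's
response codes as state feedback (the AFLNet idea). Constructed example; the toy server,
its bug and the verbs are invented for illustration, not AFLNet's or Boofuzz's code."""
import random
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


class ToyMailServer:
    """Constructed SMTP-flavoured state machine. The bug: RSET clears the user but leaves
    the session in AUTHED, so a later DATA dereferences None."""

    def __init__(self) -> None:
        self.state = "INIT"
        self.user: Optional[str] = None

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        if verb == "HELO":
            self.state = "GREETED"
            return "250 hello"
        if self.state == "INIT":
            return "503 send HELO first"
        if verb == "AUTH":
            if arg == "guest":                       # constructed credential
                self.user, self.state = arg, "AUTHED"
                return "235 authenticated"
            return "535 bad credentials"
        if verb == "RSET":
            self.user = None                         # bug: state stays AUTHED
            return "250 reset"
        if verb == "DATA":
            if self.state != "AUTHED":
                return "530 authenticate first"
            return "354 go ahead " + self.user.upper()   # AttributeError once user is None
        if verb == "QUIT":
            self.state = "INIT"
            return "221 bye"
        return "500 unknown command"


def run_sequence(seq: List[str]) -> Tuple[List[str], Optional[int]]:
    """Replay a message sequence on a fresh server. Returns the response codes and,
    if the server crashed, the index of the message that crashed it."""
    server, codes = ToyMailServer(), []
    for i, msg in enumerate(seq):
        try:
            codes.append(server.handle(msg).split()[0])
        except Exception:                            # an unhandled error stands in for a crash
            return codes, i
    return codes, None


def transitions(codes: List[str]) -> Set[Tuple[str, str]]:
    """State feedback: the (previous code, code) edges this session walked."""
    return set(zip(["START"] + codes[:-1], codes))


VERBS = ["HELO", "AUTH", "RSET", "DATA", "QUIT"]     # constructed message vocabulary
ARGS = ["", "guest", "fz"]
MAX_LEN = 6


def random_message(rng: random.Random) -> str:
    return (rng.choice(VERBS) + " " + rng.choice(ARGS)).strip()


def mutate_sequence(rng: random.Random, seq: List[str]) -> List[str]:
    """One message-level mutation: insert, drop, repeat or replace a message."""
    seq, op, i = list(seq), rng.randrange(4), rng.randrange(len(seq))
    if op == 0 and len(seq) < MAX_LEN:
        seq.insert(rng.randrange(len(seq) + 1), random_message(rng))
    elif op == 1 and len(seq) > 1:
        del seq[i]
    elif op == 2 and len(seq) < MAX_LEN:
        seq.insert(i, seq[i])
    else:
        seq[i] = random_message(rng)
    return seq


@dataclass
class ProtocolFuzzResult:
    crash: Optional[List[str]] = None
    iterations: int = 0
    transitions: Set[Tuple[str, str]] = field(default_factory=set)
    corpus: List[List[str]] = field(default_factory=list)


def fuzz_protocol(seeds: List[List[str]], iterations: int, rng_seed: int = 0) -> ProtocolFuzzResult:
    rng = random.Random(rng_seed)
    res = ProtocolFuzzResult(corpus=[list(s) for s in seeds])
    for s in res.corpus:                             # replay the recorded sessions first
        res.transitions |= transitions(run_sequence(s)[0])
    for n in range(1, iterations + 1):
        res.iterations = n
        parent = res.corpus[-1] if rng.random() < 0.5 else rng.choice(res.corpus)
        child = mutate_sequence(rng, parent)
        codes, crashed_at = run_sequence(child)
        if crashed_at is not None:
            res.crash = child[:crashed_at + 1]       # keep only the prefix actually executed
            return res
        new = transitions(codes) - res.transitions
        if new:                                      # new state transition: keep the sequence
            res.transitions |= new
            res.corpus.append(child)
    return res


if __name__ == "__main__":
    r = fuzz_protocol([["HELO fz", "DATA"]], 50_000)   # constructed unauthenticated seed
    print(f"crash after {r.iterations} runs: {r.crash}")
    print(f"{len(r.transitions)} response transitions, corpus of {len(r.corpus)} sequences")
```

The transition set is a small version of AFLNet's protocol state model: it bounds the corpus (at most one entry per new edge between response codes) while still rewarding sequences that reach a state the fuzzer has not visited. The crashing sequence it returns is a message order, not a malformed packet, which is exactly the class of bug that byte-level fuzzing of a single message cannot express.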

Operating system fuzzing tools

Operating system fuzzing tools are designed for fuzzing the operating system kernel and related components, with the aim of automatically discovering potential vulnerabilities and defects. By generating random or semi-random inputs and feeding them into the various layers and interfaces of the operating system, they attempt to trigger unintended behavior. Unlike conventional fuzzers, operating system fuzzers must deal with more complex environments and contexts, usually involving the simulation and testing of underlying hardware, drivers, system calls, and so on.

01

kAFL

kAFL (Kernel AFL) is a tool focused on fuzzing the Linux kernel and other complex kernel components. Based on the popular AFL design, kAFL triggers potential errors by automatically and continuously supplying random or semi-random inputs. Unlike AFL, kAFL targets kernel-space code specifically and can identify vulnerabilities that are hard for user-space fuzzers to find. kAFL builds on virtualization support and executes its tests inside virtual machines, which keeps the test process isolated and safe. It also takes a coverage-oriented approach, automatically adjusting inputs to explore as many execution paths in the kernel code as possible.

02

syzkaller

Developed and maintained by Google's security team, syzkaller is an efficient kernel fuzzing tool. It is implemented mainly in the Go programming language, supports operating systems such as Linux, Android, FreeBSD, and Windows, and has successfully discovered thousands of vulnerabilities. syzkaller continuously generates and executes sequences of randomized system calls in an attempt to trigger abnormal kernel behavior, such as crashes, deadlocks, or memory leaks.

Web service fuzzing tools

Web service fuzzing tools are security testing tools for web applications, used to automatically discover potential web security vulnerabilities. By generating a series of random or semi-random HTTP requests, web fuzzers can test the various components of a web application, such as URLs, forms, parameters, and headers, and can quickly identify common security issues such as SQL injection, cross-site scripting (XSS), and file inclusion.

01

WFuzz

WFuzz is a web application security fuzzing tool and library implemented in Python. It is based on a simple idea: every reference to a keyword in the request is replaced with the values of a given payload. It is an excellent auxiliary fuzzing tool that can inject a wide range of input values into HTTP requests to test different components of a web application, including parameters, authentication, forms, headers, and more.
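The keyword substitution idea behind WFuzz, as an added example run against an in-process toy web app instead of a live HTTP server (this is not WFuzz's code; the two apps, the payload list and the path wordlist are constructed here). WFuzz's keyword is FUZZ; the example replaces every occurrence of it with each word, records status and response length per request as WFuzz does, and adds one defender-side check: a payload is flagged when it comes back in the body verbatim even though HTML escaping would have changed it. The vulnerable app reflects the search term raw; the hardened app is the same code with html.escape applied, and the same payload list produces no findings against it. A second template shows the other common use, path discovery with a status filter.

```python
"""WFuzz-style keyword substitution run against an in-process toy web app. Constructed
example: the apps, payloads and wordlist are invented here; it is not WFuzz's code."""
import html
from typing import Callable, Dict, Iterator, List, Set, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

KEYWORD = "FUZZ"
Response = Tuple[int, str]                    # (status, body)
App = Callable[[str], Response]


def _query_param(target: str, name: str) -> str:
    return parse_qs(urlsplit(target).query).get(name, [""])[0]


def app_vulnerable(target: str) -> Response:
    """Constructed app: reflects the search term into HTML without escaping."""
    if urlsplit(target).path != "/search":
        return 404, "not found"
    return 200, f"<h1>Results for {_query_param(target, 'q')}</h1>"


def app_hardened(target: str) -> Response:
    """The same app with the fix: escape before interpolating into HTML."""
    if urlsplit(target).path != "/search":
        return 404, "not found"
    return 200, f"<h1>Results for {html.escape(_query_param(target, 'q'))}</h1>"


def expand(template: str, wordlist: List[str]) -> Iterator[Tuple[str, str]]:
    """Replace every occurrence of the keyword with each word, as WFuzz's FUZZ does."""
    for word in wordlist:
        yield word, template.replace(KEYWORD, word)


def run_fuzz(template: str, wordlist: List[str], app: App) -> List[Dict]:
    results = []
    for word, target in expand(template, wordlist):
        status, body = app(target)
        sent = unquote(word)                  # the app URL-decodes, so compare the decoded form
        results.append({
            "payload": word, "status": status, "length": len(body),
            # Reflected verbatim although escaping would have changed it: unescaped output.
            "reflected_raw": sent in body and html.escape(sent) != sent,
        })
    return results


def hide_status(results: List[Dict], codes: Set[int]) -> List[Dict]:
    """Equivalent of WFuzz's --hc filter: drop results whose status is in `codes`."""
    return [r for r in results if r["status"] not in codes]


def flagged_payloads(results: List[Dict]) -> List[str]:
    return [r["payload"] for r in results if r["reflected_raw"]]


PAYLOADS = ["plain", "<fz>", '"><fz>', "' fz", "%27fz"]   # constructed, harmless markers
WORDLIST = ["search", "login", "static"]                  # constructed path wordlist

if __name__ == "__main__":
    for name, app in (("vulnerable", app_vulnerable), ("hardened", app_hardened)):
        for r in run_fuzz("/search?q=FUZZ", PAYLOADS, app):
            print(f"{name:10} {r['status']} len={r['length']:3} "
                  f"raw={r['reflected_raw']!s:5} {r['payload']!r}")
    for r in hide_status(run_fuzz("/FUZZ?q=x", WORDLIST, app_vulnerable), {404}):
        print(f"path found: /{r['payload']} -> {r['status']}")
```

The decoded-form comparison matters: the %27 payload never appears in the response as sent, yet the vulnerable app reflects its decoded apostrophe unescaped, which is the kind of finding a naive "payload in body" check misses. The status filter is what keeps wordlist-driven runs readable once most requests return the same error page.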

02

WebScarab

WebScarab is an open source web application security testing tool developed and maintained by OWASP. It is a proxy tool written in Java, mainly used to analyze and inspect HTTP and HTTPS traffic, and it includes a basic fuzzer that can inject fuzzed values into application parameters.

Fuzzing tools for specific programming languages

A programming language-specific fuzzing tool is designed for one particular language and automatically detects vulnerabilities and bugs in code written in it. Such tools have deeper integration with and understanding of the language, allowing more precise testing of language-specific features. They generally test more efficiently, are easier to integrate into development workflows, and uncover deeper, more specific issues than general-purpose fuzzers.

01

go-fuzz

go-fuzz is a fuzz testing tool for the Go language that uses coverage guidance to automatically find inputs that trigger program exceptions. Tightly integrated with Go's toolchain, it can automatically discover and minimize the inputs that trigger vulnerabilities, simplifying diagnosis and repair. An important tool for Go developers and security engineers, go-fuzz has found vulnerabilities in many well-known Go projects.

02

Kelinci

Kelinci is a tool that works together with AFL to fuzz Java programs, measuring program coverage by instrumenting Java bytecode. It communicates with AFL through a C-language interface: the interface receives AFL's mutated data and forwards it over TCP to the Instrumentor on the Java side, which passes the data to the original Java target program and feeds the execution result back to the C interface. Together, Kelinci and AFL form a closed-loop data flow that lets AFL fuzz Java programs effectively, if indirectly.

03

Fuzzilli

Fuzzilli is a JavaScript fuzz testing tool open sourced by Google and developed in the Swift language. It combines several techniques, including syntax-level mutation, template generation, and coverage guidance: it performs its mutations on a custom intermediate language and then converts the mutated intermediate language into JS code. Fuzzilli has been highly productive against the three major JS engines and has found many vulnerabilities.

These open source tools give security professionals more options for finding security vulnerabilities effectively, which in turn drives the entire field of software security forward.


Source: blog.csdn.net/weixin_55163056/article/details/132334547