Fuzz security testing
Fuzzing refers to security testing techniques which leverage automation to provide a program with invalid or unexpected input with the intention of uncovering security vulnerabilities such as crashes, buffer overflows, use after free bugs, memory leaks and race conditions. A combination of fuzzing techniques are typically used alongside each other to thoroughly test a target application for vulnerabilities.
Coverage guided fuzzing is a technique which leverages compile-time instrumentation to trace inputs whilst a program is in execution with the aim of maximizing code coverage.
Mutation based and generation based fuzzing techniques do not rely on knowing about a target's internal behavior or implementation. Instead, they use the output of a mutation engine and integrate it into well-formed input that the target would be able to consume.
What do we cover?
The scope of a fuzzing test is very much tailored to your project's requirements. The following are some examples of common targets during fuzz testing engagements:
- SIP servers, clients and proxy fuzzing
- HTTP and WebSocket server fuzzing
- Fuzzing of custom network protocols
- Fuzzing of file or message parsers
- Fuzzing of custom software packages and libraries
The following are the primary techniques employed in a fuzz testing engagement:
- Coverage-guided fuzzing using source code instrumentation
- Mutation based and generation based fuzzing, usually augmented by custom software that constructs the fuzzer's input into valid datagrams and/or files expected by the target.
How does the process look like?
Most of our engagements follow these steps:
- First step is that you contact us, so that discussions on what you have in mind take place to identify the goals for the exercise and the scope
- With your help, we perform a scoping exercise to better understand the size of the project
- We provide you with our proposal which describes the goals, the scope, the methodology, deliverables, dates allocated for the project, terms and conditions and the price
- The actual work takes place during the allocated dates; your IT staff involved in the project often need to be available during the tests
- Upon completing our work, we provide you with our technical and executive reports in addition to any other deliverables
- Testing of the security fixes finally takes place, and the reports are updated to reflect results from the retest
What are the deliverables?
At the end of the project, we provide the following:
- Executive report, which is an easy to follow 4 page document that includes:
- information about the penetration test
- list of the findings rated by severity
- a summary of the results, giving our honest impression of the system
- our suggestions on what needs to be done to address the vulnerabilities found and prevent similar ones in the future
- Detailed technical report, which includes the following sections:
- Introduction, which describes the scope, methodology and purpose of the work
- Findings and recommendations, each categorized according to vulnerability severity
- Methodology, which describes our tests to explain what was covered and how; this would include both tests that led to vulnerability discoveries, and also those that did not
- Other material is often provided such as:
- Dedicated exploit code and tools to reproduce the security issues found
- Conference calls and online chats to brief the involved executives and technical teams on our findings
- Assistance with addressing the vulnerabilities found
- Follow-up tests once security fixes have been applied
What costs can one expect?
Prices for similar penetration tests start at 12,000 EUR. Cost is dependent on the size and complexity of the system on test and the level of rigour in which testing is to be performed. This is determined through pre-sale client discussions and scoping questionnaires. The price of an engagement will be delivered as a fixed bid quote.