history

What is fuzzing?

According to Wikipedia, fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to the inputs of a computer program while monitoring for application crashes or other exceptional conditions that the input may have caused.

Background

The term “fuzz” was originally coined by Professor Barton Miller in the 1980s. Prof. Miller was remotely logged into a Unix system over a dial-up link during a storm; the storm caused a lot of interference noise on the line, and applications that read data off the line were crashing.

Professor Miller went on to assign a project to his class at the University of Wisconsin titled “Operating System Utility Program Reliability – The Fuzz Generator”, in which students developed a basic command-line fuzzer to test the reliability of Unix programs by bombarding them with random data and monitoring for crashes.
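The loop described above, random input in and crash monitoring out, is small enough to show in full. The following is an added example, not code from the original post or from Miller's class: a minimal command-line fuzzer that generates random byte strings, feeds each to a target program on stdin, and records any run that is killed by a signal or that hangs. The target it fuzzes is a constructed stand-in (a tiny Python script that calls `os.abort()` on certain byte values, standing in for a memory-safety bug); the function names and the `0xF0` trigger are assumptions of this example.

```python
import os
import random
import signal
import subprocess
import sys
import tempfile

# Constructed stand-in for a "Unix utility" under test: it parses stdin and
# aborts (SIGABRT) when it sees a high byte, mimicking a program that faults
# on unexpected input. Real targets would be existing binaries.
TARGET_SOURCE = r'''
import os, sys
data = sys.stdin.buffer.read()
if any(b >= 0xF0 for b in data):
    os.abort()          # crash, as a memory-safety bug might
sys.stdout.write("ok %d bytes\n" % len(data))
'''

# A target that never faults, used to show a clean run produces no findings.
BENIGN_SOURCE = "import sys; sys.stdin.buffer.read()\n"


def random_input(rng, max_len=64):
    """Produce 1..max_len uniformly random bytes from a seeded RNG."""
    length = rng.randrange(1, max_len + 1)
    return bytes(rng.randrange(256) for _ in range(length))


def classify(returncode):
    """Map a process exit status to a finding category, or None if normal.

    On POSIX, subprocess reports a signal death as a negative return code.
    Ordinary non-zero exits (usage errors etc.) are not crashes.
    """
    if returncode < 0:
        try:
            return "crash:" + signal.Signals(-returncode).name
        except ValueError:
            return "crash:signal%d" % -returncode
    return None


def run_once(cmd, data, timeout=5.0):
    """Run the target once with `data` on stdin; return a finding or None."""
    try:
        proc = subprocess.run(cmd, input=data, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"       # an infinite loop is a finding too
    return classify(proc.returncode)


def fuzz(cmd, trials=50, seed=1234, max_len=64):
    """Fuzz `cmd` with `trials` random inputs; return the list of findings.

    Each finding keeps the exact input so the crash can be reproduced.
    """
    rng = random.Random(seed)   # seeded so runs are repeatable
    findings = []
    for i in range(trials):
        data = random_input(rng, max_len)
        kind = run_once(cmd, data)
        if kind is not None:
            findings.append({"trial": i, "kind": kind, "input": data})
    return findings


def fuzz_source(source, **kwargs):
    """Write a constructed Python target to a temp file, fuzz it, clean up."""
    fd, path = tempfile.mkstemp(suffix=".py")
    with os.fdopen(fd, "w") as f:
        f.write(source)
    try:
        return fuzz([sys.executable, path], **kwargs)
    finally:
        os.remove(path)


def demo():
    """Fuzz the constructed crashing target and return its findings."""
    return fuzz_source(TARGET_SOURCE)


if __name__ == "__main__":
    for finding in demo():
        print(finding["trial"], finding["kind"], finding["input"].hex())
```

Running the script prints one line per crashing trial with the triggering input in hex, which is the artifact a developer needs to reproduce and debug the fault. Any real program that reads stdin can be substituted for the constructed target by passing its command line to `fuzz()`.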

Prior to the coining of the term “fuzzing”, the earliest known notable use of the technique was an application called “The Monkey”, written by Steve Capps in 1983. Capps had built a tool on top of the Macintosh “Journaling Hook”, which let the computer demo itself by playing back previously recorded actions. He repurposed it to generate random mouse clicks and keyboard input in order to test the MacWrite and MacPaint applications; to any observer it looked as if an invisible monkey was erratically using the computer (hence the name).

Fuzzing today

From its accidental discovery in the early 1980s, fuzzing has grown into a highly regarded technique for testing how reliably software behaves when stressed with unexpected or invalid input. Its biggest application has become the discovery of security-related reliability issues, or vulnerabilities: the unexpected state that software can be left in after handling malformed input often provides the perfect conditions for an attacker to modify the internals of an application and achieve their own goals.

Fuzzing has grown into a large component of information security today, with numerous vendors offering commercial fuzzing software and hardware. It is widely considered one of the few well-accepted approaches for interrogating software security and discovering security issues. Notable software vendors such as Microsoft, Adobe, and Google have widely publicised their extensive fuzzing efforts aimed at increasing the robustness of their software.
