'Father of fuzzing' says hackers shouldn’t get a free ride

24 May 2019
Professor Barton Miller

This article was first published by UQ's Faculty of Engineering, Architecture and Information Technology on 22 May 2019. RCC has re-published (and updated) it with permission.

An industry hero and pioneer in the cyber security and software testing fields visited The University of Queensland this week to deliver a special workshop, shining a light on the latest cyber security practices and tools. He also delivered an RCC seminar, discussing the problem of developing tools and middleware for large-scale parallel environments.

Professor Barton Miller is widely known as the ‘father’ of fuzzing, a technique used by software security testers, and almost all penetration testers and security experts to discover security errors in software.

Chair and Director of UQ Cyber Security Professor Ryan Ko said anyone working or studying in this area has been a beneficiary of Professor Miller’s inventions.

“If you are in the field of cyber security, you have most likely used fuzzing for your security assessments,” Professor Ko said.

Speaking ahead of the workshop, Professor Ko said: “This is the first time Professor Miller will conduct a workshop in Australia, so this is especially exciting for us at UQ Cyber Security and the Research Computing Centre to have the opportunity to host him and his colleague, software vulnerability assessment expert Professor Elisa Heymann.

“The event is relevant not just to our students but to all professionals in the software engineering and cyber security sectors.”

“The techniques he and Professor Heymann are going to teach are critical to understanding security issues during software development and developing skills to secure code and automate software assessment.”


On a stormy night in 1988, Professor Miller came up with the idea of fuzzing. He was trying to use his desktop computer in his office via a terminal at home and the heavy rain was introducing noise into the phone line. He was surprised to find that this seemed to cause his computer programs to crash, so he set about systematically investigating the issue to try to understand the extent of the problem and the cause.

This led to the development of his method of using random data tweaks to dig up bugs. We asked Professor Miller to tell us more about his pride and joy.

UQ: What is fuzzing?

BM: Fuzz testing is basically throwing random input at a program and seeing if it crashes or stops responding ("hangs"). This is a very crude model of testing. Under this model, we don't care if the program does something strange, only if it crashes or hangs. So, your accounting program could print out Abraham Lincoln's Gettysburg Address in Croatian, and, while that would be quite strange, it wouldn't be considered a failure under fuzz testing.

So, fuzz testing (or "fuzzing" as it's often called) is, in its original form, a type of black box testing, where you don't know (or have to know) anything about the structure or intent of the program.

The key idea is that fuzz testing is easy and fast and tends to find bugs. Not all bugs, but it can find important ones. It's the perfect starting place for a program testing regime. Note that it's not the whole story; you still need to do serious functional and unit testing of your code.

Fuzz testing has also turned into a basic tool for security evaluation. Hackers (either white hat or black hat) will often "fuzz" a program to see if it will crash. If it does crash, that means that the programmer did not write the program in such a way that they had full control of its execution.

The crash indicates that the attacker made the program's code do something that the designer did not intend. Once the attacker finds such a behaviour, they then try to tune the random input in a way that lets them take specific control over the program.

It's an interesting exercise, but one that leads to many successful exploits of a program.
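As an added illustration, not part of the original interview and not one of Professor Miller's own tools: a minimal black-box fuzzer in Python that applies exactly the crash-or-hang criterion described above to a constructed, deliberately fragile parser. The parser, its two defects and the "ok/crash/hang" labels are assumptions made for this example, and the hang detector relies on SIGALRM, so it assumes a POSIX system.

```python
import random
import signal

def fragile_parse(data: bytes) -> str:
    """Constructed target: toy parser for <tag><length><payload> records,
    with two deliberate defects so the fuzzer has something to find."""
    records = []
    i = 0
    while i < len(data):
        if data[i] == ord("!"):
            continue                      # defect 1: index never advances -> hang
        length = data[i + 1]              # defect 2: truncated record -> IndexError (crash)
        records.append(data[i + 2:i + 2 + length].hex())  # short payload silently accepted
        i += 2 + length
    return ",".join(records)

def _on_alarm(signum, frame):
    raise TimeoutError("target did not finish in time")

def run_one(target, data: bytes, timeout: float = 0.1) -> str:
    """Feed one input to the target and return 'ok', 'crash' or 'hang'. Odd but
    terminating output is still 'ok': only a crash or a hang counts as a failure."""
    previous = signal.signal(signal.SIGALRM, _on_alarm)
    signal.setitimer(signal.ITIMER_REAL, timeout)
    try:
        target(data)
        return "ok"
    except TimeoutError:
        return "hang"
    except Exception:                     # any uncaught exception: the program "crashed"
        return "crash"
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)   # cancel the alarm before restoring
        signal.signal(signal.SIGALRM, previous)

def fuzz(target, iterations: int = 2000, max_len: int = 16, seed: int = 1) -> dict:
    """Black-box fuzzing: random bytes of random length, no knowledge of the
    target's structure. Returns clean-run count plus the inputs that crashed or hung."""
    rng = random.Random(seed)
    findings = {"ok": 0, "crash": [], "hang": []}
    for _ in range(iterations):
        size = rng.randrange(1, max_len + 1)
        data = bytes(rng.randrange(256) for _ in range(size))
        verdict = run_one(target, data)
        if verdict == "ok":
            findings["ok"] += 1
        else:
            findings[verdict].append(data)   # keep the input so the bug can be reproduced
    return findings
```

Every input stored under "crash" or "hang" is a reproducer: re-running it through `run_one` gives the same verdict, which is what a developer needs to start fixing the defect.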

UQ: How did fuzzing get its name?

BM: In the process of writing the project description for our first research paper on this form of testing in 1990, I needed to give it a name. I wanted a name that would evoke the feeling of random, unstructured data. After trying out several ideas, I settled on the term ‘fuzz’.

UQ: What can happen if these testing processes are skipped?

BM: If you do not sufficiently test a program with something simple like fuzz testing, you can be sure that an attacker will do so. And that's just giving them a free ride.

UQ: What does the future of this space look like?

BM: There is an enormous amount of ongoing research into new and varied ways to conduct and apply fuzz testing, done by many other people besides myself. And lots of useful fuzz tools are being written. Just Google "fuzz tools" to get an idea of how broad the community is now. My favourite tool is AFL (American Fuzzy Lop), which makes some interesting innovations by combining an analysis of the structure of the program with random testing to help quickly find dangerous input sequences.

Media: Professor Barton Miller and Professor Ryan Ko are available for interviews; please contact UQ Communications, Genevieve Worrell, g.worrell@uq.edu.au, +61 408 432 213.