Episode 474: Paul Butcher on Fuzz Testing

Episode Highlights
Fuzz Testing
Fuzz testing focuses on how software behaves when exposed to unexpected inputs, rather than just verifying expected outputs. Paul Butcher explains that this method is particularly useful for identifying vulnerabilities in software systems, especially in fields like defense and aerospace, where guidelines such as DO-178C are prevalent [1]. He emphasizes that fuzz testing is more about vulnerability identification than meeting specific safety requirements [2].
"Fuzz testing is more for vulnerability identification. And once you've identified a vulnerability in your system, depending on where you are in your software development lifecycle, you may be able to correct that vulnerability."
---
This technique is often employed later in the software development lifecycle, although earlier implementation can yield greater benefits [2].
Testing Comparison
Fuzz testing stands apart from traditional testing methods like verification testing by focusing on unexpected inputs and system behavior. Butcher contrasts it with positive testing, which verifies that a system meets its requirements, and negative testing, which ensures unauthorized actions are blocked [3]. He also highlights mutation-based testing, which refines the brute-force approach by generating more meaningful test cases [4].
"Mutation algorithms differ from a much simpler form of fuzz testing that is commonly known as brute force or black box testing."
---
This allows deeper exploration into the software's control flow, enhancing the effectiveness of fuzz testing [4].
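The contrast between brute-force and mutation-based fuzzing, as an added example that is not from the episode or from any tool discussed in it. The toy `target` parser, its `FUZZ` header and the depth counter standing in for coverage instrumentation are constructed for illustration, and the sketch assumes the mutation fuzzer keeps inputs that reach new code as parents for later mutations.

```python
import random

MAGIC = b"FUZZ"  # constructed toy format: four header bytes guard the deep code path

def target(data: bytes) -> int:
    """Toy parser under test (hypothetical). Returns how many nested header
    checks passed, standing in for branch-coverage instrumentation."""
    depth = 0
    for i, expected in enumerate(MAGIC):
        if len(data) <= i or data[i] != expected:
            return depth
        depth += 1
    return depth  # len(MAGIC) means the deepest branch was reached

def brute_force(budget: int, rng: random.Random) -> int:
    """Black-box fuzzing: each input is fresh random bytes, nothing is learned."""
    best = 0
    for _ in range(budget):
        best = max(best, target(rng.getrandbits(32).to_bytes(4, "big")))
    return best

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Overwrite one randomly chosen byte with a random value."""
    out = bytearray(data)
    out[rng.randrange(len(out))] = rng.randrange(256)
    return bytes(out)

def mutation_fuzz(budget: int, rng: random.Random, seed: bytes = b"\x00" * 4) -> int:
    """Mutation fuzzing with feedback: inputs that get deeper join the corpus."""
    corpus, best = [seed], target(seed)
    for _ in range(budget):
        candidate = mutate(rng.choice(corpus), rng)
        depth = target(candidate)
        if depth > best:  # new behaviour seen, keep it as a parent for later mutations
            best = depth
            corpus.append(candidate)
            if best == len(MAGIC):
                break
    return best

if __name__ == "__main__":
    runs = 100_000
    print("brute force deepest check:", brute_force(runs, random.Random(1)))
    print("mutation deepest check:   ", mutation_fuzz(runs, random.Random(1)))
```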
Security Impact
Fuzz testing plays a crucial role in identifying security vulnerabilities within software projects. Butcher shares an anecdote about discovering a bug in a secondary library through fuzz testing, illustrating its unexpected yet valuable insights [5]. This method not only detects crashes but also identifies anomalies like buffer overflows, which may not immediately crash the system but pose significant risks [6].
"You could have a buffer overflow that writes into the next area of stack, but the program is now operating in an unknown and potentially dangerous state."
---
The process can be resource-intensive, often requiring parallel execution on high-end servers to manage complex systems effectively [6].
Related Episodes

SE Radio 632: Goran Petrovic on Mutation Testing at Google
Episode 461 Michael Ashburne and Maxwell Huffman on Quality Assurance
Episode 167: The History of JUnit and the Future of Testing with Kent Beck
Episode 441 Shipping Software - With Bugs
366: Test Automation
SE-Radio Episode 325: Tammy Butow on Chaos Engineering
Episode 129: F# with Luke Hoban
Episode 44: Interview Brian Goetz and David Holmes
Episode 521: Phillip Mayhew on Test Automation in Gaming
Episode 101: Andreas Zeller on Debugging
Episode 155: Johannes Link & Lasse Koskela on TDD
Episode 22: Feedback
SE-Radio Episode 256: Jay Fields on Working Effectively with Unit Tests
Episode 467: Kim Carter on Dynamic Application Security Testing
Episode 17: Feedback and Roadmap