Fuzzing for Software Security Testing and Quality Assurance.
Title:
Fuzzing for Software Security Testing and Quality Assurance.
Author:
Takanen, Ari.
ISBN:
9781596932159
Physical Description:
1 online resource (311 pages)
Contents:
Contents -- Foreword -- Preface -- Acknowledgments -- CHAPTER 1 Introduction -- 1.1 Software Security -- 1.1.1 Security Incident -- 1.1.2 Disclosure Processes -- 1.1.3 Attack Surfaces and Attack Vectors -- 1.1.4 Reasons Behind Security Mistakes -- 1.1.5 Proactive Security -- 1.1.6 Security Requirements -- 1.2 Software Quality -- 1.2.1 Cost-Benefit of Quality -- 1.2.2 Target of Test -- 1.2.3 Testing Purposes -- 1.2.4 Structural Testing -- 1.2.5 Functional Testing -- 1.2.6 Code Auditing -- 1.3 Fuzzing -- 1.3.1 Brief History of Fuzzing -- 1.3.2 Fuzzing Overview -- 1.3.3 Vulnerabilities Found with Fuzzing -- 1.3.4 Fuzzer Types -- 1.3.5 Logical Structure of a Fuzzer -- 1.3.6 Fuzzing Process -- 1.3.7 Fuzzing Frameworks and Test Suites -- 1.3.8 Fuzzing and the Enterprise -- 1.4 Book Goals and Layout -- CHAPTER 2 Software Vulnerability Analysis -- 2.1 Purpose of Vulnerability Analysis -- 2.1.1 Security and Vulnerability Scanners -- 2.2 People Conducting Vulnerability Analysis -- 2.2.1 Hackers -- 2.2.2 Vulnerability Analysts or Security Researchers -- 2.2.3 Penetration Testers -- 2.2.4 Software Security Testers -- 2.2.5 IT Security -- 2.3 Target Software -- 2.4 Basic Bug Categories -- 2.4.1 Memory Corruption Errors -- 2.4.2 Web Applications -- 2.4.3 Brute Force Login -- 2.4.4 Race Conditions -- 2.4.5 Denials of Service -- 2.4.6 Session Hijacking -- 2.4.7 Man in the Middle -- 2.4.8 Cryptographic Attacks -- 2.5 Bug Hunting Techniques -- 2.5.1 Reverse Engineering -- 2.5.2 Source Code Auditing -- 2.6 Fuzzing -- 2.6.1 Basic Terms -- 2.6.2 Hostile Data -- 2.6.3 Number of Tests -- 2.7 Defenses -- 2.7.1 Why Fuzzing Works -- 2.7.2 Defensive Coding -- 2.7.3 Input Verification -- 2.7.4 Hardware Overflow Protection -- 2.7.5 Software Overflow Protection -- 2.8 Summary -- CHAPTER 3 Quality Assurance and Testing -- 3.1 Quality Assurance and Security.

3.1.1 Security in Software Development -- 3.1.2 Security Defects -- 3.2 Measuring Quality -- 3.2.1 Quality Is About Validation of Features -- 3.2.2 Quality Is About Finding Defects -- 3.2.3 Quality Is a Feedback Loop to Development -- 3.2.4 Quality Brings Visibility to the Development Process -- 3.2.5 End Users' Perspective -- 3.3 Testing for Quality -- 3.3.1 V-Model -- 3.3.2 Testing on the Developer's Desktop -- 3.3.3 Testing the Design -- 3.4 Main Categories of Testing -- 3.4.1 Validation Testing Versus Defect Testing -- 3.4.2 Structural Versus Functional Testing -- 3.5 White-Box Testing -- 3.5.1 Making the Code Readable -- 3.5.2 Inspections and Reviews -- 3.5.3 Code Auditing -- 3.6 Black-Box Testing -- 3.6.1 Software Interfaces -- 3.6.2 Test Targets -- 3.6.3 Fuzz Testing as a Profession -- 3.7 Purposes of Black-Box Testing -- 3.7.1 Conformance Testing -- 3.7.2 Interoperability Testing -- 3.7.3 Performance Testing -- 3.7.4 Robustness Testing -- 3.8 Testing Metrics -- 3.8.1 Specification Coverage -- 3.8.2 Input Space Coverage -- 3.8.3 Interface Coverage -- 3.8.4 Code Coverage -- 3.9 Black-Box Testing Techniques for Security -- 3.9.1 Load Testing -- 3.9.2 Stress Testing -- 3.9.3 Security Scanners -- 3.9.4 Unit Testing -- 3.9.5 Fault Injection -- 3.9.6 Syntax Testing -- 3.9.7 Negative Testing -- 3.9.8 Regression Testing -- 3.10 Summary -- CHAPTER 4 Fuzzing Metrics -- 4.1 Threat Analysis and Risk-Based Testing -- 4.1.1 Threat Trees -- 4.1.2 Threat Databases -- 4.1.3 Ad-Hoc Threat Analysis -- 4.2 Transition to Proactive Security -- 4.2.1 Cost of Discovery -- 4.2.2 Cost of Remediation -- 4.2.3 Cost of Security Compromises -- 4.2.4 Cost of Patch Deployment -- 4.3 Defect Metrics and Security -- 4.3.1 Coverage of Previous Vulnerabilities -- 4.3.2 Expected Defect Count Metrics -- 4.3.3 Vulnerability Risk Metrics -- 4.3.4 Interface Coverage Metrics.

4.3.5 Input Space Coverage Metrics -- 4.3.6 Code Coverage Metrics -- 4.3.7 Process Metrics -- 4.4 Test Automation for Security -- 4.5 Summary -- CHAPTER 5 Building and Classifying Fuzzers -- 5.1 Fuzzing Methods -- 5.1.1 Paradigm Split: Random or Deterministic Fuzzing -- 5.1.2 Source of Fuzz Data -- 5.1.3 Fuzzing Vectors -- 5.1.4 Intelligent Fuzzing -- 5.1.5 Intelligent Versus Dumb (Nonintelligent) Fuzzers -- 5.1.6 White-Box, Black-Box, and Gray-Box Fuzzing -- 5.2 Detailed View of Fuzzer Types -- 5.2.1 Single-Use Fuzzers -- 5.2.2 Fuzzing Libraries: Frameworks -- 5.2.3 Protocol-Specific Fuzzers -- 5.2.4 Generic Fuzzers -- 5.2.5 Capture-Replay -- 5.2.6 Next-Generation Fuzzing Frameworks: Sulley -- 5.2.7 In-Memory Fuzzing -- 5.3 Fuzzer Classification via Interface -- 5.3.1 Local Program -- 5.3.2 Network Interfaces -- 5.3.3 Files -- 5.3.4 APIs -- 5.3.5 Web Fuzzing -- 5.3.6 Client-Side Fuzzers -- 5.3.7 Layer 2 Through 7 Fuzzing -- 5.4 Summary -- CHAPTER 6 Target Monitoring -- 6.1 What Can Go Wrong and What Does It Look Like? -- 6.1.1 Denial of Service (DoS) -- 6.1.2 File System-Related Problems -- 6.1.3 Metadata Injection Vulnerabilities -- 6.1.4 Memory-Related Vulnerabilities -- 6.2 Methods of Monitoring -- 6.2.1 Valid Case Instrumentation -- 6.2.2 System Monitoring -- 6.2.3 Remote Monitoring -- 6.2.4 Commercial Fuzzer Monitoring Solutions -- 6.2.5 Application Monitoring -- 6.3 Advanced Methods -- 6.3.1 Library Interception -- 6.3.2 Binary Simulation -- 6.3.3 Source Code Transformation -- 6.3.4 Virtualization -- 6.4 Monitoring Overview -- 6.5 A Test Program -- 6.5.1 The Program -- 6.5.2 Test Cases -- 6.5.3 Guard Malloc -- 6.5.4 Valgrind -- 6.5.5 Insure++ -- 6.6 Case Study: PCRE -- 6.6.1 Guard Malloc -- 6.6.2 Valgrind -- 6.6.3 Insure++ -- 6.7 Summary -- CHAPTER 7 Advanced Fuzzing -- 7.1 Automatic Protocol Discovery -- 7.2 Using Code Coverage Information.

7.3 Symbolic Execution -- 7.4 Evolutionary Fuzzing -- 7.4.1 Evolutionary Testing -- 7.4.2 ET Fitness Function -- 7.4.3 ET Flat Landscape -- 7.4.4 ET Deceptive Landscape -- 7.4.5 ET Breeding -- 7.4.6 Motivation for an Evolutionary Fuzzing System -- 7.4.7 EFS: Novelty -- 7.4.8 EFS Overview -- 7.4.9 GPF + PaiMei + Jpgraph = EFS -- 7.4.10 EFS Data Structures -- 7.4.11 EFS Initialization -- 7.4.12 Session Crossover -- 7.4.13 Session Mutation -- 7.4.14 Pool Crossover -- 7.4.15 Pool Mutation -- 7.4.16 Running EFS -- 7.4.17 Benchmarking -- 7.4.18 Test Case-Golden FTP Server -- 7.4.19 Results -- 7.4.20 Conclusions and Future Work -- 7.5 Summary -- CHAPTER 8 Fuzzer Comparison -- 8.1 Fuzzing Life Cycle -- 8.1.1 Identifying Interfaces -- 8.1.2 Input Generation -- 8.1.3 Sending Inputs to the Target -- 8.1.4 Target Monitoring -- 8.1.5 Exception Analysis -- 8.1.6 Reporting -- 8.2 Evaluating Fuzzers -- 8.2.1 Retrospective Testing -- 8.2.2 Simulated Vulnerability Discovery -- 8.2.3 Code Coverage -- 8.2.4 Caveats -- 8.3 Introducing the Fuzzers -- 8.3.1 GPF -- 8.3.2 Taof -- 8.3.3 ProxyFuzz -- 8.3.4 Mu-4000 -- 8.3.5 Codenomicon -- 8.3.6 beSTORM -- 8.3.7 Application-Specific Fuzzers -- 8.3.8 What's Missing -- 8.4 The Targets -- 8.5 The Bugs -- 8.5.1 FTP Bug 0 -- 8.5.2 FTP Bugs 2, 16 -- 8.6 Results -- 8.6.1 FTP -- 8.6.2 SNMP -- 8.6.3 DNS -- 8.7 A Closer Look at the Results -- 8.7.1 FTP -- 8.7.2 SNMP -- 8.7.3 DNS -- 8.8 General Conclusions -- 8.8.1 The More Fuzzers, the Better -- 8.8.2 Generational-Based Approach Is Superior -- 8.8.3 Initial Test Cases Matter -- 8.8.4 Protocol Knowledge -- 8.8.5 Real Bugs -- 8.8.6 Does Code Coverage Predict Bug Finding? -- 8.8.7 How Long to Run Fuzzers with Random Elements -- 8.8.8 Random Fuzzers Find Easy Bugs First -- 8.9 Summary -- CHAPTER 9 Fuzzing Case Studies -- 9.1 Enterprise Fuzzing -- 9.1.1 Firewall Fuzzing -- 9.1.2 VPN Fuzzing.

9.2 Carrier and Service Provider Fuzzing -- 9.2.1 VoIP Fuzzing -- 9.2.2 WiFi Fuzzing -- 9.3 Application Developer Fuzzing -- 9.3.1 Command-Line Application Fuzzing -- 9.3.2 File Fuzzing -- 9.3.3 Web Application Fuzzing -- 9.3.4 Browser Fuzzing -- 9.4 Network Equipment Manufacturer Fuzzing -- 9.4.1 Network Switch Fuzzing -- 9.4.2 Mobile Phone Fuzzing -- 9.5 Industrial Automation Fuzzing -- 9.6 Black-Box Fuzzing for Security Researchers -- 9.6.1 Select Target -- 9.6.2 Enumerate Interfaces -- 9.6.3 Choose Fuzzer/Fuzzer Type -- 9.6.4 Choose a Monitoring Tool -- 9.6.5 Carry Out the Fuzzing -- 9.6.6 Post-Fuzzing Analysis -- 9.7 Summary -- About the Authors -- Bibliography -- Index.
Abstract:
This comprehensive reference goes through each phase of software development and points out where testing and auditing can tighten security. It surveys all popular commercial fuzzing tools and explains how to select the right one for a software development project. The book also identifies those cases where commercial tools fall short and when there is a need for building your own fuzzing tools.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.