Fuzz testing, or fuzzing, originally meant a simple testing technique for feeding random input to applications (see Fuzz by University of Wisconsin, 1990). Today, it is much more optimized. Model-based fuzzing tools have been available since 1999, from research teams such as PROTOS. Fuzzing techniques can basically be divided into four different categories:
- Random fuzzing: has close to zero awareness of the tested interface.
- Capture-replay fuzzing: learns the protocol from templates such as traffic captures or files.
- Block-based fuzzing: breaks the syntax of the tested interface into blocks of data, which it semi-randomly mutates.
- Model-based fuzzing: builds an executable model of the protocol based on protocol specification, which it then uses for generating systematic non-random test cases.
In short, fuzzing is about negative testing: the generation of non-conformant messages in order to crash software. The failures (crashes, hangs, busy-loops, …) are studied from a risk analysis perspective to see if they are something that needs to be fixed. Most discoveries can also be identified as software vulnerabilities.
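To make the four categories and the triage step concrete, here is an added example that is not part of the original text. It assumes a constructed toy protocol (one type byte, a two-byte big-endian length, then the payload) and a target parser with a deliberately planted bug (it trusts the declared length without checking the buffer size). Each generator below corresponds to one category from the list, and `run_campaign` separates graceful rejections (the parser handled bad input) from real failures that would go to risk analysis.

```python
import random
import struct
from collections import Counter

# Constructed toy TLV protocol for this example: 1-byte type (1..3 are valid),
# 2-byte big-endian length, then `length` bytes of payload.
VALID_TYPES = {1, 2, 3}
MAX_LEN = 65535

# Constructed "captured" valid message used as a template by the
# capture-replay and block-based generators.
CAPTURE = bytes([2, 0, 4]) + b"ping"


def parse_message(data: bytes) -> dict:
    """Target under test. Planted bug for the example: the declared length is
    trusted and used to index the buffer, so an oversized length raises
    IndexError instead of a clean ValueError."""
    if len(data) < 3:
        raise ValueError("short header")
    mtype, length = data[0], struct.unpack(">H", data[1:3])[0]
    if mtype not in VALID_TYPES:
        raise ValueError("bad type")
    # The missing check would be: if len(data) - 3 < length: raise ValueError
    last_byte = data[3 + length - 1] if length else None
    return {"type": mtype, "length": length, "last": last_byte}


def random_fuzz(rng: random.Random, n: int) -> list:
    """Random fuzzing: no knowledge of the interface at all, just bytes."""
    return [bytes(rng.getrandbits(8) for _ in range(rng.randrange(0, 12)))
            for _ in range(n)]


def capture_replay_fuzz(rng: random.Random, n: int, capture: bytes = CAPTURE) -> list:
    """Capture-replay fuzzing: replay a captured message with one bit flipped."""
    cases = []
    for _ in range(n):
        buf = bytearray(capture)
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        cases.append(bytes(buf))
    return cases


def block_based_fuzz(rng: random.Random, n: int) -> list:
    """Block-based fuzzing: the message is split into fields (type, length,
    payload) and one field at a time is mutated semi-randomly."""
    cases = []
    for _ in range(n):
        mtype, length, payload = 2, 4, b"ping"
        field = rng.choice(["type", "length", "payload"])
        if field == "type":
            mtype = rng.randrange(256)
        elif field == "length":
            length = rng.randrange(MAX_LEN + 1)
        else:
            payload = bytes(rng.getrandbits(8) for _ in range(rng.randrange(0, 8)))
        cases.append(bytes([mtype]) + struct.pack(">H", length) + payload)
    return cases


def model_based_fuzz() -> list:
    """Model-based fuzzing: systematic, non-random cases derived from the
    specification: boundary lengths crossed with actual payload sizes, and
    valid as well as invalid type values. Deterministic, so it is reproducible."""
    cases = []
    for mtype in sorted(VALID_TYPES) + [0, 4, 255]:
        for declared in (0, 1, 4, 255, 256, MAX_LEN):
            for actual in (0, 1, 4, 5):
                cases.append(bytes([mtype]) + struct.pack(">H", declared) + b"A" * actual)
    return cases


def run_campaign(cases: list):
    """Negative testing: feed every case to the target and sort the outcomes.
    ValueError is the parser rejecting bad input as designed; any other
    exception is a failure that needs triage. Hangs and busy-loops would need
    a timeout wrapper around the call, which this toy harness omits."""
    results = Counter()
    findings = []
    for case in cases:
        try:
            parse_message(case)
            results["accepted"] += 1
        except ValueError:
            results["rejected"] += 1
        except Exception as exc:
            results["crash"] += 1
            findings.append((type(exc).__name__, case))
    return results, findings


def triage(findings: list) -> dict:
    """First step of risk analysis: bucket failures by failure type so that
    one root cause is not counted hundreds of times."""
    return dict(Counter(name for name, _ in findings))


if __name__ == "__main__":
    rng = random.Random(1)
    for name, cases in [("random", random_fuzz(rng, 200)),
                        ("capture-replay", capture_replay_fuzz(rng, 200)),
                        ("block-based", block_based_fuzz(rng, 200)),
                        ("model-based", model_based_fuzz())]:
        results, findings = run_campaign(cases)
        print(f"{name:15s} {dict(results)}  triage={triage(findings)}")
```

The model-based generator is the only one guaranteed to hit the planted bug every run, because it enumerates the declared-length versus actual-length boundary directly from the spec; the random generators may or may not reach it depending on the seed and the number of cases, which is the practical difference the four categories describe.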