发新话题
打印

[TIPS]Fuzz Testing of Application Reliability(专题文章)

[TIPS]Fuzz Testing of Application Reliability(专题文章)

原始连接:http://www.cs.wisc.edu/~bart/fuzz/
信息来源:邪恶八进制信息安全团队(www.eviloctal.com

Fuzz testing a simple technique for feeding random input to applications. While random testing is a time-honored technique, our approach has three characteristics that, when taken together, makes it somewhat different from other approaches.

The input is random. We do not use any model of program behavior, application type, or system description. This is sometimes called black box testing. In the command-line studies (1990, 1995, and 2006), the random input was simply random ASCII character streams. For our X-Window study (1995), Windows NT study (2000), and Mac OS X study (2006), the random input included cases that had only valid keyboard and mouse events.
Our reliability criteria is simple: if the application crashes or hangs, it is considerd to fail the test, otherwise it passes. Note that the application does not have to respond in a sensible manner to the input, and it can even quietly exit.
As a result of the first two characteristics, fuzz testing can be automated to a high degree and results can be compared across applications, operating systems, and vendors.
We encourage your feedback and comments.

Below are links to the fuzz papers and the software:

2006 Mac OS X Fuzz Report ( Fuzz-MacOS.ps.rar (74 KB) ,   Fuzz-MacOS.pdf.rar (63 KB) ).

B.P. Miller, G. Cooksey and F. Moore, "An Empirical Study of the Robustness of MacOS Applications Using Random Testing", First International Workshop on Random Testing, Portland, Maine, July 2006.

2000 Windows NT Fuzz Report ( fuzz-nt.ps.rar (74 KB) ,   fuzz-nt.ps.gz (80 KB) ,   fuzz-nt.pdf.rar (56 KB) , HTML).

J.E. Forrester and B.P. Miller, "An Empirical Study of the Robustness of Windows NT Applications Using Random Testing", 4th USENIX Windows Systems Symposium, Seattle, August 2000. Appears (in German translation) as "Empirische Studie zur Stabilit鋞 von NT-Anwendungen", iX, September 2000.

1995 "Fuzz Revisited" Report ( fuzz-revisited.ps.rar (67 KB) ,   fuzz-revisited.ps.gz (72 KB) ,   fuzz-revisited.pdf.rar (59 KB) ).

B.P. Miller, D. Koski, C.P. Lee, V. Maganty, R. Murthy, A. Natarajan, and J. Steidl, "Fuzz Revisited: A Re-examination of the Reliability of UNIX Utilities and Services", Computer Sciences Technical Report #1268, University of Wisconsin-Madison, April 1995. Appears (in German translation) as "Empirische Studie zur Zuverlasskeit von UNIX-Utilities: Nichts dazu Gerlernt", iX, September 1995.

1990 Original Fuzz Report ( fuzz.ps.rar (43 KB) ,   fuzz.ps.gz (45 KB) ,   fuzz.pdf.rar (53 KB) ).

B.P. Miller, L. Fredriksen, and B. So, "An Empirical Study of the Reliability of UNIX Utilities", Communications of the ACM 33, 12 (December 1990). Also appears (in German translation) as "Fatale Fehlertractigkeit: Eine Empirische Studie zur Zuverlassigkeit von UNIX-Utilities", iX, March 1991.

The Fuzz Software FTP Site

Slides from Fuzz-Revisited (1995) Talk ( fuzz-revisited-talk.ps.rar (41 KB) ,   fuzz-revisited-talk.pdf.rar (40 KB) ).

If you have reported on the use of the fuzz tools on testing other systems or more recent testing of the systems that we have tested, please send us email and we would be glad to provide a link to the report:
曾几何时,有人对我说:装B遭雷劈。我说:去你妈的。于是,这个人又对我说:如果再说脏话,上帝会惩罚你的。我说:我操上帝。结论:彪悍的人生不需要上帝。

TOP

发新话题