This process is often termed stress testing when performed by the
software developer. When performed by a vulnerability researcher, it is usually called
fuzzing. The difference between the two is that the software developer has a far better idea of
how the software is expected to respond than the vulnerability researcher, who is often
hoping simply to record something anomalous, such as a crash.
Fuzzing is one of the main techniques used in black- and gray-box testing. To fuzz effectively,
two types of tools are required: instrumentation tools and fuzzing tools. Instrumentation
tools are used to pinpoint problem areas in programs, either at runtime or
during post-crash analysis. Fuzzing tools are used to automatically generate large numbers
of interesting input cases and feed them to programs. If an input case can be found
that causes a program to crash, you use one or more instrumentation tools to
isolate the problem and determine whether it is exploitable.
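The loop just described, as an added example that is not part of the original text: a small mutation fuzzer in Python run against a constructed toy record parser (`parse_records`, which carries a deliberate missing bounds check) that stands in for the program under test. The record format, the seed input, and all function names are assumptions made for illustration. The harness treats a clean rejection (`ValueError`) as the response a well-behaved parser should give and anything else as the anomaly the researcher is hoping to record; it buckets each crash by exception type and faulting line, and shrinks the crashing input before hand-off, which is the point at which instrumentation tools take over.

```python
import random

# Constructed target standing in for the program under test: a tiny TLV record
# parser.  Most malformed input is rejected with ValueError, but the type-1
# branch trusts the declared length (the deliberate bug), so an oversized
# length raises IndexError where a native parser would read out of bounds.
def parse_records(buf):
    if len(buf) < 3 or buf[:2] != b"FZ":
        raise ValueError("bad magic")
    count, pos, out = buf[2], 3, []
    for _ in range(count):
        if pos + 2 > len(buf):
            raise ValueError("truncated record header")
        rtype, ln = buf[pos], buf[pos + 1]
        pos += 2
        if rtype == 1:
            out.append(("int", buf[pos + ln - 1]))  # BUG: ln never checked against len(buf)
        elif rtype == 2:
            if pos + ln > len(buf):
                raise ValueError("truncated string")
            out.append(("str", buf[pos:pos + ln].decode("ascii", "replace")))
        else:
            raise ValueError("unknown record type")
        pos += ln
    return out

# Constructed seed: count=2, a type-1 record holding 0x2a, then a type-2 record "hello".
SEED = b"FZ\x02\x01\x01\x2a\x02\x05hello"
INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]  # boundary values parsers mishandle most often


def mutate(data, rng, rounds):
    """Apply a few random mutations from the usual mutation-fuzzing menu."""
    buf = bytearray(data)
    for _ in range(rounds):
        op = rng.randrange(5)
        if op == 0 and buf:                       # flip a single bit
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:                     # overwrite a byte with a boundary value
            buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
        elif op == 2 and len(buf) > 1:            # delete a chunk
            i = rng.randrange(len(buf))
            del buf[i:rng.randint(i + 1, len(buf))]
        elif op == 3 and buf:                     # duplicate a chunk (length extension)
            i = rng.randrange(len(buf))
            buf[i:i] = buf[i:rng.randint(i + 1, len(buf))]
        elif op == 4 and buf:                     # truncate
            del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def crash_key(target, data):
    """Run one input.  A ValueError is the graceful rejection we expect; anything
    else is anomalous and is bucketed by exception type plus the line that raised
    it.  The traceback plays the role the text gives to instrumentation: saying
    where the program fell over, not just that it did."""
    try:
        target(data)
    except ValueError:
        return None
    except Exception as exc:
        tb = exc.__traceback__
        while tb.tb_next:                          # walk to the innermost frame
            tb = tb.tb_next
        return (type(exc).__name__, tb.tb_lineno)
    return None


def fuzz(target, seeds, iterations, seed=0):
    """Return {crash_key: first input that produced it}.  A fixed PRNG seed
    makes the run reproducible, which matters when you need to re-trigger a crash."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        data = mutate(rng.choice(seeds), rng, rng.randint(1, 4))
        key = crash_key(target, data)
        if key is not None and key not in crashes:
            crashes[key] = data
    return crashes


def minimize(target, data):
    """Greedy one-byte delta debugging: keep dropping bytes while the same crash
    still reproduces, so post-crash analysis starts from the smallest trigger."""
    key = crash_key(target, data)
    if key is None:
        raise ValueError("input does not crash the target")
    changed = True
    while changed:
        changed = False
        for i in range(len(data)):
            cand = data[:i] + data[i + 1:]
            if crash_key(target, cand) == key:
                data, changed = cand, True
                break
    return data


if __name__ == "__main__":
    for key, data in fuzz(parse_records, [SEED], iterations=3000, seed=1).items():
        print(key, data.hex(), "->", minimize(parse_records, data).hex())
```

For a native target the same skeleton applies, but `target(data)` becomes spawning the process on the mutated input and treating a signal (SIGSEGV, SIGABRT) or abnormal exit status as the crash; the faulting address and stack then come from a debugger or sanitizer rather than a Python traceback. Python exceptions only approximate memory corruption: an out-of-bounds read that happens to land in mapped memory produces no crash at all, which is one reason runtime instrumentation rather than crash-watching alone is needed.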
Instrumentation Tools
Thorough testing of software is a difficult proposition at best. The challenge to the tester
is to ensure that all code paths behave predictably under all input cases. To do this, test
cases must be developed that force the program to execute every instruction it contains.