Fraunhofer FOKUS institute releases Fuzzino fuzzing library
Researchers from FOKUS (Fraunhofer Institute for Open Communication Systems) in Germany have released the Fuzzino data fuzzing library as open source software. The library allows existing test tools to be prepared for fuzzing and aims to make the development of new fuzzing tools unnecessary. Fuzzing is the process of testing a system for hidden weaknesses by presenting the system with random and sometimes erroneous input data.
Fuzzino uses models of protocols or interfaces to generate test cases and then uses "Smart Fuzzing" heuristics to generate Data fuzzing and Behavioural fuzzing. This, the institute says, reduces the number of test cases needed over purely random fuzzing. An example given is work done by FOKUS and system experts on a risk assessment for a money-processing machine. The experts examined the system's protocols, developed functional test cases and then used those test cases to fuzz the system. The results of that fuzzing generated more test cases from which specific security tests could be generated; this process offered a far higher coverage of risk than could be managed normally in the same time.
Fuzzino is based on Eclipse and users will need Eclipse EMF 2.7 and JUnit 4 to compile it and integrate it with their testing tools. The FOKUS developers say that users should keep in mind that Fuzzino is not a full featured fuzzing tool. They describe it as "a test data generator for enabling your testing tool to perform fuzzing". Users can receive fuzz data from the tool as XML documents or directly within Java to avoid the processor intensive serialisation and deserialisation process. Users can also directly instantiate fuzzing heuristics from Fuzzino in their testing tool.
More information on how to use the tool is available in the documentation folder of the source code. Fuzzino is licensed under version 2.0 of the Apache License.