Software Security: Identification of hitherto unknown vulnerabilities (Zero-Day Vulnerabilities and Less-Than-Zero-Day-Vulnerabilities) in standard and individual software with the aid of Dynamic Analysis – Fuzzing

Given the size of most code bases in use today, manual review for security-critical bugs and vulnerabilities is often impractical. The conventional methods used to date to fix functional bugs – and hitherto unidentified vulnerabilities in particular – are very expensive. As a result, many vulnerabilities are not identified until the software has been delivered to the customer, and at times they are found by third parties.

Dynamic Analysis: Fuzzing is a cost-effective method for identifying vulnerabilities in software and hardware. It can be applied to any type of software – from protocols through to individual software; from standard software such as ERP, CRM and database systems, including customized company software, through to web applications, operating systems, hardware and embedded systems, and smartphone apps.

Technique/Method Used

Hitherto unknown bugs and vulnerabilities can be identified using the tool-based and cost-efficient method of Dynamic Analysis: Fuzzing, which can be employed without access to the source code. The fuzzing method is used successfully by small and medium-sized enterprises (SMEs) and by large software producers to identify vulnerabilities in time and thus reduce the cost of the entire patching procedure. End customers also use this technique to carry out acceptance tests of software deliveries.

Fuzzing is a semi-automated method for identifying vulnerabilities in hardware and software that are exploitable by attacks: a fuzzing tool feeds the target program's interface with malformed input data in order to find unexpected input that the program code does not account for. Incorrect or insufficient handling of this unexpected data leads to abnormal behaviour of the target program (a crash, or high consumption of resources such as CPU time or memory). The abnormal behaviour is recorded, pre-analysed and displayed by a monitor. Analysis of the monitored results rules out false positives, while vulnerabilities are confirmed by deliberately re-triggering the anomaly and devising an exploit.

Black-box testing: to use this technique, the software user is only required to have the executable machine code (exe file).

In contrast to fuzzing, traditional penetration testing is limited to identifying known vulnerabilities (vulnerability scanners), open ports, etc.

Achievements of Fuzzing

  • Tool combination: Depending on the method used, tools suited to the target software are selected and applied in a specific way. Specific tools are needed to identify particular classes of vulnerability.
  • Fuzzer effectiveness varies considerably with the fuzz data generated (i.e. the data fed into the target program) and with the algorithm used to generate it. softScheck can draw on its own fuzz data set, which is optimized for the target program.
  • Fuzzing is already used successfully by large and small software producers to sustainably reduce the cost of bug fixing and patching. The method is also employed by software users to carry out acceptance tests of software deliveries.
  • Systematic fuzzing requires on average 8 hours of manual work per identified, hitherto unknown, critical vulnerability that is exploitable from the internet. This is an important argument in view of testing budgets, which are usually tightly constrained.
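The monitoring loop described in the "Technique/Method Used" section (malformed input fed to a target interface, crash and resource-exhaustion anomalies recorded by a monitor, the anomaly re-triggered to rule out false positives) and the fuzz-data generation point in the list above can be shown end to end with a small mutation-based harness. The following Python block is an added, constructed example and not softScheck's tooling: the toy record parser, its two deliberately planted defects, the mutation strategies and the seed input are all invented here, and the hang detection assumes a POSIX system because it uses SIGALRM.

```python
import random
import signal
import traceback
from dataclasses import dataclass
from typing import Callable, Optional

# Target under test: a constructed toy parser standing in for the "target
# program interface" (not a real product). Format: one byte entry count, then
# per entry one length byte followed by that many name bytes. Two defects are
# planted on purpose so the harness has something to find:
#   (a) the declared count is trusted, so an over-large count indexes past the
#       end of the buffer (IndexError, the crash analogue);
#   (b) a zero-length entry is skipped without advancing the cursor, so the
#       loop never terminates (the CPU-time exhaustion analogue).
def parse_records(data: bytes) -> list:
    names = []
    pos = 1
    remaining = data[0]
    while remaining > 0:
        length = data[pos]                      # (a) no bounds check before indexing
        if length == 0:
            continue                            # (b) cursor never moves: infinite loop
        names.append(data[pos + 1:pos + 1 + length].decode("latin-1"))
        pos += 1 + length
        remaining -= 1
    return names


@dataclass
class Finding:
    kind: str            # "crash" or "hang"
    signature: str       # exception type + faulting location, used to deduplicate
    sample: bytes        # the fuzz input that triggered the anomaly
    reproducible: bool   # True once re-running the sample gave the same signature


def _alarm(signum, frame):
    raise TimeoutError("target exceeded its CPU-time budget")


def run_case(target: Callable[[bytes], object], data: bytes,
             budget_s: float = 0.05) -> Optional[Finding]:
    """Monitor one execution of the target: an exception is classified as a
    crash, exceeding the time budget as a hang; None means normal handling."""
    signal.signal(signal.SIGALRM, _alarm)
    signal.setitimer(signal.ITIMER_REAL, budget_s)
    try:
        target(data)
        return None
    except TimeoutError:                        # must precede Exception (it is a subclass)
        return Finding("hang", "TimeoutError", data, False)
    except Exception as exc:
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        sig = f"{type(exc).__name__}@{frame.name}:{frame.lineno}"
        return Finding("crash", sig, data, False)
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)  # always disarm the timer


INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]     # boundary values for length/count fields


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Fuzz-data generation: one random mutation of a valid seed input."""
    buf = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0 and buf:                       # flip a single bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:                     # overwrite a byte with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif choice == 2 and len(buf) > 1:            # truncate the buffer
        del buf[rng.randrange(1, len(buf)):]
    else:                                         # insert one to three random bytes
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(buf)


def fuzz(target: Callable[[bytes], object], seed: bytes,
         iterations: int, rng_seed: int = 0) -> dict:
    """Run a campaign and return unique findings keyed by signature. Each new
    anomaly is re-triggered once so that a non-reproducible one can be set
    aside as a false-positive candidate instead of being reported as a bug."""
    rng = random.Random(rng_seed)
    findings = {}
    for _ in range(iterations):
        data = mutate(seed, rng)
        found = run_case(target, data)
        if found is None or found.signature in findings:
            continue
        again = run_case(target, data)            # re-trigger the anomaly
        found.reproducible = again is not None and again.signature == found.signature
        findings[found.signature] = found
    return findings


if __name__ == "__main__":
    SEED = b"\x02\x03abc\x02xy"                   # constructed valid input: ["abc", "xy"]
    for f in fuzz(parse_records, SEED, 300, rng_seed=1).values():
        print(f.kind, f.signature, f.sample, "reproducible" if f.reproducible else "FALSE POSITIVE?")
```

The signature (exception type plus faulting function and line) is what lets the monitor collapse hundreds of crashing inputs into a handful of distinct defects to triage; in a real campaign the same role is played by a stack-hash from the debugger attached to the target. The second run of every new sample is the "re-triggering" step from the text: an anomaly that does not recur with the identical input points to a flaky environment, not a vulnerability, and is listed separately rather than counted.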