Fuzzing for Software Security Testing and Quality Assurance

"A fascinating look at the new direction fuzzing technology is taking -- useful for both QA engineers and bug hunters alike!" --Dave Aitel, CTO, Immunity Inc. Learn the code cracker's malicious mindset, so you can find worn-size holes in the software you are designing, testing, and building. Fuzzing for Software Security Testing and Quality Assurance takes a weapon from the black-hat arsenal to give you a powerful new tool to build secure, high-quality software. This practical resource helps you add extra protection without adding expense or time to already tight schedules and budgets. The book shows you how to make fuzzing a standard practice that integrates seamlessly with all development activities. This comprehensive reference goes through each phase of software development and points out where testing and auditing can tighten security. It surveys all popular commercial fuzzing tools and explains how to select the right one for a software development project. The book also identifies those cases where commercial tools fall short and when there is a need for building your own fuzzing tools.
