Recently, I have read some documents and books about fuzzing. Many hackers and security testers have been using fuzzers to find 0-day bugs. Many vulnerabilities on platforms such as Windows, Mac, iOS and Android were discovered and caught by fuzzing, and various good fuzzing frameworks, such as Sulley, have been developed and released for us.
Developing a simple fuzzer is not hard: many resources can help you generate test data, feed it to the target's interface and monitor for crashes. But making it smart is up to you.
I introduce some references for fuzzing below, and I will update the list frequently.
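The three parts named above (generate test data, deliver it through the target's interface, monitor for crashes) in a minimal Python mutation fuzzer, as an added example that is not code from the original post or from any of the books listed below. The target `parse_record` is a constructed toy parser with a deliberate missing bounds check; the harness treats `ValueError` as the parser's graceful rejection and records any other exception as a crash, keeping one reproducing input per crash signature.

```python
import random
from typing import Callable, Iterator, Optional

# Byte values worth trying at every position: NUL, LF, ';' (our separator), '0', '9', DEL, 0xFF
INTERESTING = [0x00, 0x0A, 0x3B, 0x30, 0x39, 0x7F, 0xFF]

def parse_record(data: bytes) -> bytes:
    """Constructed toy target: 'LEN=<n>;<payload>'. Bug: n is trusted without a bounds check."""
    header, sep, payload = data.partition(b";")
    if not sep or not header.startswith(b"LEN="):
        raise ValueError("bad header")          # graceful rejection, not a crash
    n = int(header[4:])                         # may raise ValueError (also graceful)
    out = bytearray(n)
    for i in range(n):
        out[i] = payload[i]                     # IndexError when n > len(payload): the crash
    return bytes(out)

def generate_mutants(seed: bytes, rng: random.Random, random_count: int) -> Iterator[bytes]:
    """Step 1: generate test data. Deterministic single-byte and truncation mutants first
    (they cover every position of the seed), then random multi-operation mutants."""
    for i in range(len(seed)):
        for v in INTERESTING:
            yield seed[:i] + bytes([v]) + seed[i + 1:]
        yield seed[:i]                          # truncate at position i
    for _ in range(random_count):
        buf = bytearray(seed)
        for _ in range(rng.randint(1, 4)):
            op = rng.choice("fid")              # flip a bit, insert a byte, delete a byte
            pos = rng.randrange(len(buf) + 1)
            if op == "f" and buf:
                buf[pos % len(buf)] ^= 1 << rng.randrange(8)
            elif op == "i":
                buf.insert(pos, rng.randrange(256))
            elif buf:
                del buf[pos % len(buf)]
        yield bytes(buf)

def run_target(target: Callable[[bytes], object], data: bytes) -> Optional[str]:
    """Steps 2 and 3: deliver one input and classify the outcome. Returns a crash
    signature (exception type name) or None when the target handled the input."""
    try:
        target(data)
    except ValueError:
        return None
    except Exception as exc:                    # anything unexpected is a crash
        return type(exc).__name__
    return None

def fuzz(target: Callable[[bytes], object], seed: bytes,
         random_count: int = 200, rng_seed: int = 0) -> dict:
    """Run every mutant; keep the first reproducing input per distinct crash signature."""
    rng = random.Random(rng_seed)               # seeded so crashes are reproducible
    crashes = {}
    for data in generate_mutants(seed, rng, random_count):
        sig = run_target(target, data)
        if sig and sig not in crashes:
            crashes[sig] = data
    return crashes

if __name__ == "__main__":
    for sig, data in fuzz(parse_record, b"LEN=5;hello").items():
        print(f"{sig}: {data!r}")
```

A real fuzzer replaces `run_target` with a debugger or process monitor around the actual program, but the generate/deliver/classify loop stays the same.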
1. Gray Hat Python: Python Programming for Hackers and Reverse Engineers by Justin Seitz (http://amzn.com/1593271921)
– I use Python for fuzzing. This book covers developing a debugger and a fuzzer in Python. It has a powerful example of building a fuzzer, and covers the usage of the Sulley framework.
2. Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton, Adam Greene and Pedram Amini (http://amzn.com/0321446119)
– It helps you understand the basics of fuzzing, how the various types of fuzzers (file, web, network and others) work, and how to use them. I recommend it for fuzzing beginners.
3. The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities by Mark Dowd, John McDonald and Justin Schuh (http://amzn.com/0321444426)
– Before you start fuzzing, you have to understand vulnerabilities and security architecture. This book helps you learn about various vulnerability classes, and you can also use it when writing exploits.
4. iOS Hacker's Handbook by Charlie Miller, Dion Blazakis, Dino Dai Zovi and Stefan Esser (http://amzn.com/1118204123)
– Some chapters of this book cover iPhone fuzzing, and it helps you understand fuzzing on smart devices. One of the authors, Charlie Miller, has done various fuzzing case studies and presented them at many conferences such as Black Hat.
1. Windows Kernel Font Fuzzing and Exploitation, Lee Ling Chuan & Chan Lee Yee, PacSec 2012
– Slides: http://www.f13-labs.net/pacsec2012/PacSec2012_Lee_Chan.pdf
– Video: http://www.youtube.com/watch?v=veHPuaiXBI0
# The slides and the video do not match, but both deal with kernel font fuzzing.