Mini fuzz testing

Sep 16, 2009 12:19 GMT

Not comfortable with fully fledged fuzz testing? Then Microsoft might just have the right alternative for you. Of course, if you don’t even know what fuzz is, chances are that you won’t need either a full fuzzer or the mini version that the Redmond company is offering as a standalone download. MiniFuzz, up for grabs via the Microsoft Download Center since September 15th, 2009, is a basic fuzzer offered by the software giant in an effort to spread the usage of fuzz testing among software developers. While fuzz testing can be used to secure applications, many developers choose to ignore the security aspect of their software completely, and using a fuzzer might be last on their priority list, a situation that Microsoft hopes to change with the delivery of MiniFuzz.

“MiniFuzz is a very simple fuzzer designed to ease adoption of fuzz testing by non-security people who are unfamiliar with file fuzzing tools or have never used them in their current software development processes,” reads the description from the Redmond company. “MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected and potentially insecure application behaviors.”

According to the software giant, developers will be able to use MiniFuzz with Windows 7, Windows Vista and Windows XP. While the MiniFuzz moniker might not do the tool justice, the fact is that the solution is perfectly capable of bombarding applications with invalid input in the search for unexpected exceptions. Fuzzing, or fuzz testing, is the security practice of hammering away at an application with random data as input. The software is subsequently analyzed in order to pinpoint behavior that might leave end users exposed to risks. Because of the large quantities of data involved in fuzzing, the process is, as a rule, automated.
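The loop described above (random variations of a file fed to file-handling code, watching for unexpected exceptions), as an added example that is not MiniFuzz or any Microsoft code. The file format, the `parse` function with its `checked` switch, and the `fraction` parameter are hypothetical stand-ins for an application under test.

```python
import random
import struct

# Constructed seed file in a hypothetical format: 4-byte magic, 2-byte
# little-endian record count, then 1-byte-length-prefixed records.
SEED = b"MFZ1" + struct.pack("<H", 2) + b"\x03abc" + b"\x02hi"

class RejectedInput(Exception):
    """Malformed input the parser detected and refused (the safe outcome)."""

def parse(data, checked=False):
    """Toy parser standing in for the application's file-handling code."""
    if data[:4] != b"MFZ1":
        raise RejectedInput("bad magic")
    (count,) = struct.unpack_from("<H", data, 4)
    pos, records = 6, []
    for _ in range(count):
        if checked and pos >= len(data):
            raise RejectedInput("record count runs past end of file")
        length = data[pos]  # unchecked: trusts the count field from the file
        if checked and pos + 1 + length > len(data):
            raise RejectedInput("record length runs past end of file")
        records.append(data[pos + 1:pos + 1 + length])
        pos += 1 + length
    return records

def mutate(seed, rng, fraction=0.1):
    """Overwrite a fraction of the seed's bytes with random values."""
    buf = bytearray(seed)
    for _ in range(max(1, int(len(buf) * fraction))):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def fuzz(target, seed=SEED, iterations=500, rng_seed=2009):
    """Feed mutated files to target; sort outcomes into ok/rejected/crashes."""
    rng = random.Random(rng_seed)
    report = {"ok": 0, "rejected": 0, "crashes": []}
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            target(sample)
            report["ok"] += 1
        except RejectedInput:
            report["rejected"] += 1
        except Exception as exc:  # unexpected exception: a finding to triage
            report["crashes"].append((type(exc).__name__, sample))
    return report

if __name__ == "__main__":
    for name, target in (("unchecked", parse), ("checked", lambda d: parse(d, True))):
        r = fuzz(target)
        print(name, r["ok"], r["rejected"], len(r["crashes"]))
```

Each entry in `crashes` keeps the exact mutated bytes, so a finding can be replayed against the parser after a fix.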

“To set up MiniFuzz: Run the MiniFuzz Setup.msi. See the Help documentation included in the MiniFuzz application for further details on configuring and using MiniFuzz. You can run the following command-line scripts to automatically create the appropriate registry settings:

REG add "HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting" /f
REG add "HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting" /v DontShowUI /t REG_DWORD /d 1
REG add "HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting" /v ExcludedApplications /t REG_MULTI_SZ,” Microsoft explained.