August 17, 2011

Fuzzing Frameworks

There are a plethora of fuzzers available nowadays that target everyday network protocols and file formats. These fuzzers thoroughly iterate through their targeted protocols and files, and act as a valuable resource for stress testing as well.

There are two genres of fuzzers: specialized and generic (aka ‘dumb’) fuzzers. Specialized fuzzers are designed for specific targets; for a range of email servers like Microsoft Exchange, Sendmail, qmail etc., a specialized SMTP fuzzer would be invaluable. Conversely, ‘dumb’ fuzzers are used against arbitrary protocols and file formats, performing simple mutations with no knowledge of the protocol.

At times a programmer may need more customized and thorough fuzzing, for example against proprietary and untested protocols, even though dumb fuzzers can be used effectively against many common applications. It is at times like these that the significance of fuzzing frameworks is realized, and in this document we shall look at some of the most popular and potent fuzzing frameworks available in the public domain.

What is a Fuzzing Framework?

Whatever the language, platform, abstraction approach, design and orientation, a fuzzing framework always has the central goal of providing fuzzer developers with a quick, flexible, reusable and homogeneous development environment. A good fuzzing framework abstracts and minimizes a number of different tasks, such as converting captured network traffic into the framework's own format.

A functional framework should include automatic length calculation, e.g. for TLV (type, length, value) and ASN.1 encodings, as well as CRC calculation and many other algorithms. If length fields are not recalculated correctly after a mutation, communication will fail and nothing will be observed. If the CRC is not correctly updated, it will void all fuzzing efforts.

Generating pseudo-random data, including a curated list of attack heuristics such as format strings and directory traversal, should be a feature of a good framework. A good framework should be able to detect a fault as soon as the target fails to set up a connection. As a framework becomes more advanced, it should allow the fuzzer to communicate directly with a debugger attached to the target.

In addition, an advanced fuzzing framework should include an interface for communicating with a metric-gathering tool. Lastly, an advanced framework provides facilities that maximize code reuse by making developed components readily available for future use.
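As an added illustration of the automatic length and CRC maintenance described above (example code written for this point, not code from any of the frameworks discussed), the following Python models a tiny TLV protocol with a CRC32 trailer: a strict receiver rejects any message whose lengths or checksum are stale, so a field mutated with the framework's attack heuristics only reaches the parser when the framework recomputes both. The protocol layout and the heuristic list are constructed for the example.

```python
import struct
import zlib
# Constructed sample of the attack heuristics a framework should ship with.
HEURISTICS = [b"%s%s%s%s%n", b"../../../../etc/passwd", b"A" * 300]

def encode(fields, stale_lengths=None, stale_crc=None):
    """TLVs (1-byte type, 2-byte big-endian length) plus a CRC32 trailer.
    stale_* model a framework that forgets to recompute length or CRC."""
    body = b""
    for i, (t, v) in enumerate(fields):
        n = len(v) if stale_lengths is None else stale_lengths[i]
        body += struct.pack(">BH", t, n) + v
    crc = zlib.crc32(body) if stale_crc is None else stale_crc
    return body + struct.pack(">I", crc)

def parse(msg):
    """Strict receiver: raises ValueError on bad CRC or inconsistent lengths."""
    if len(msg) < 4:
        raise ValueError("too short")
    body, crc = msg[:-4], struct.unpack(">I", msg[-4:])[0]
    if zlib.crc32(body) != crc:
        raise ValueError("bad CRC")
    fields, off = [], 0
    while off < len(body):
        if off + 3 > len(body):
            raise ValueError("truncated TLV header")
        t, n = struct.unpack(">BH", body[off:off + 3])
        off += 3
        if off + n > len(body):
            raise ValueError("length exceeds message")
        fields.append((t, body[off:off + n]))
        off += n
    return fields

def fuzz_cases(fields, index, auto_fix=True):
    """One message per heuristic with field `index` replaced. auto_fix recomputes
    length and CRC (a good framework); otherwise the stale values are kept."""
    stale_lengths = [len(v) for _, v in fields]
    stale_crc = struct.unpack(">I", encode(fields)[-4:])[0]
    for payload in HEURISTICS:
        mutated = list(fields)
        mutated[index] = (fields[index][0], payload)
        yield encode(mutated) if auto_fix else encode(mutated, stale_lengths, stale_crc)

def accepted(msg):
    try:
        parse(msg)
        return True
    except ValueError:
        return False
```

Every case produced without auto_fix is rejected at the CRC check, so the heuristic payload never reaches the target's field parser.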

Existing Frameworks

Antiparser

Antiparser is a fuzz testing and fault injection API. Its goal is to provide an API that can be used to model network protocols and file formats by their composite data types. Once an instance has been created it works as a container; each data object in the container has its own properties, so objects can be saved and reused later when needed.

Although this framework is simple and beneficial for simple fuzzers, it doesn't support complex tasks. The ratio of framework-specific code versus generic code is low in antiparser. It lacks the automated methods that are considerably important for a good framework. Its only release, version 2.0, dates from August 2005.

Dfuz

Dfuz, a fuzzing framework that has been actively maintained and frequently updated, was designed to uncover a range of vulnerabilities affecting products from Microsoft, Ipswitch and RealNetworks. Capable of running on UNIX/Linux operating systems, Dfuz exposes a custom language for developing new fuzzers. Though it is not the most advanced fuzzer, it is simple and easy to use and understand.

Dfuz comprises some basic components, ranging from data, functions and lists to options, protocols and variables. These components are used to define a set of rules that are parsed to generate and transmit data. Unlike antiparser, Dfuz is a self-contained fuzzer.

Through the custom scripting language, data can be represented in multiple ways, and multiple data definitions can be declared using a comma separator. The basic components combined with a few additional directives make up a rule file.

Dfuz is a simple and powerful fuzzing framework with a relatively quick learning curve and fast development time. Accomplishing fuzzer development in its own scripting language has both pros and cons: it is positive in that non-programmers can describe protocols and fuzz them, and negative in that experienced programmers cannot benefit from the basic power and features of a mature programming language. Dfuz has better code reusability, but it lacks a strong set of attack heuristics.

Spike

Spike, the most commonly used framework, is an API for quickly and efficiently fuzzing network protocols. It has been released under a favorable license, the GNU General Public License, which enabled programmers to create SpikeFile, a repurposed version. Spikes are basically blocks of protocol data structures, broken down into blocks containing both binary data and the size of the block. The framework enhances abstraction by calculating the size automatically.

Using Spike, programmers can design and model arbitrarily complex protocols. Spike's documentation is very scattered, which has led to confusion among different researchers. Spike is basically a Unix fuzzer, but it can run on Windows using Cygwin. Even a very simple change to the framework requires recompilation, which is definitely a major drawback. Code reuse is a manual task, and new elements cannot be defined locally but only globally across the framework.

Despite some shortcomings, Spike is an effective fuzzer and includes many useful utilities such as a proxy for fuzzing communications. Its block-based technique has been adopted by a number of other frameworks, making it quite popular.

Peach

Peach, released by IOActive in 2004, is a cross-platform framework with a very flexible architecture built around code reuse. Its basic components include generators, transformers, protocols, publishers and groups, each with a particular function.

Generators generate data, from simple strings to complex binary messages. Combining generators simplifies complex data types, and the abstraction allows code reuse. Transformers change data; a transformer can be combined with other transformers and bound to a generator, and once implemented it too can be reused. A group contains one or more generators and steps through the values they produce. A script object serves as an additional component that reduces code redundancy.

One drawback is that this framework is not very intuitive, because it takes longer to develop a new fuzzer than with other frameworks. As an initial step, individual subcomponents are developed one by one and then combined into a complete fuzzer, which benefits the programmer through code reuse. With a proper Python installation it can be run from any environment. Peach keeps advancing in theory, but there is no proper documentation.

General Purpose Fuzzer

GPF, available as open source and designed for Unix environments, is a generic fuzzer designed to generate an unlimited number of mutations. The basic advantage of GPF is that it takes less time to get a fuzzer up and running. GPF's basic modes include PureFuzz, Convert, GPF (main mode), PatternFuzz and SuperGPF.

PureFuzz is as easy to use as attaching a device to a socket. Convert translates libpcap capture files, as generated by Ethereal or Wireshark, into GPF files. GPF main mode controls a number of protocol attacks. PatternFuzz is the most distinctive mode because it automatically tokenizes and fuzzes protocols. SuperGPF detects whether a socket endpoint has been targeted for fuzzing or not, but it fuzzes ASCII protocols only.

It has a significant learning curve, since it is complex to work with; on the other hand it is extensible and flexible. Automatic processing and fuzzing give it an edge over other frameworks.

Autodafe

Autodafe, essentially a next version of SPIKE, uses a block-based approach to fuzz both network protocols and file formats. Its main goal is to reduce the size and complexity of the test set by focusing on the cases most likely to produce problems. Once implemented, it can iterate through different HTTP mutations.

An interesting technique, named the Markers technique, decides the importance of each fuzz variable: there can be hundreds of fuzz variables, which multiplies the number of test cases, so the important test cases, those containing the important fuzz variables, have to be sorted out. Autodafe includes a debugger named adbg for setting breakpoints; it is the first framework to explicitly include a debugger. Additional tools, PDML2AD, TXT2AD and ADC, make development quick and efficient.

It shares many of Spike's pros and cons. Its debugging feature makes it quite distinctive, but even so, the lack of Windows support and the need to recompile after even simple modifications might make it fall short.
