

Sunday, March 18, 2012

Explain the concepts of fuzz test technique?

WHAT IS FUZZ TESTING?

- Fuzz testing is the formal name for fuzzing, a software testing technique that exercises the software system or application with all types of possible invalid input test data.

- By invalid input test data we mean unexpected data or random data, i.e., any type of test data other than the specified input data type.

- Fuzz testing does not always have to be automated; it can also be semi-automatic, though keeping the whole process fully automated consumes less time and effort.

- A semi-automatic process is used only when manual intervention is required in the testing.

- After the invalid input data is fed to the software system or application, the behavior of the system is monitored for exceptions such as hangs, crashes or failures of built-in code assertions, and it is also checked for memory leaks.

From the above discussion we can easily make out that fuzz testing has been developed for testing the security-related issues of the software system or application. So far two types of fuzz testing have been identified, namely:

1. Mutation based testing
2. Generation based testing
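
An added example, not part of the original post: a minimal Python fuzzer that runs both approaches against a toy record parser, mutating a valid sample in one case and building inputs from the format in the other. The record format, `parse_record` and every other name here are constructed for illustration; a clean `ValueError` counts as correct handling, and any other exception is recorded as a finding (hangs and memory leaks are not monitored in this sketch).

```python
import random

def parse_record(data: bytes) -> bytes:
    """Toy target (constructed): 'RC' magic, 1-byte length, payload, 1-byte checksum."""
    if len(data) < 4 or data[:2] != b"RC":
        raise ValueError("bad header")           # expected, clean rejection
    length = data[2]
    payload = data[3:3 + length]
    checksum = data[3 + length]                  # BUG: length field is trusted, may index past the end
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return payload

def make_record(payload: bytes) -> bytes:
    """Build a well-formed record for use as a seed sample."""
    return b"RC" + bytes([len(payload)]) + payload + bytes([sum(payload) % 256])

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation based: overwrite 1-3 random bytes of a valid sample."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def generate(rng: random.Random) -> bytes:
    """Generation based: build a record from the format, with boundary length values."""
    payload = bytes(rng.randrange(256) for _ in range(rng.randint(0, 8)))
    declared = rng.choice([0, len(payload), 255])
    return b"RC" + bytes([declared]) + payload + bytes([sum(payload) % 256])

def fuzz(make_input, runs: int = 2000, seed: int = 1) -> dict:
    """Feed inputs to the target; keep one reproducer per unexpected exception type."""
    rng = random.Random(seed)
    findings = {}
    for _ in range(runs):
        data = make_input(rng)
        try:
            parse_record(data)
        except ValueError:
            pass                                 # target rejected the input as designed
        except Exception as exc:                 # anything else is a finding
            findings.setdefault(type(exc).__name__, data)
    return findings

SEED_FILE = make_record(b"hello")                # constructed valid sample
mutation_findings = fuzz(lambda rng: mutate(SEED_FILE, rng))
generation_findings = fuzz(generate)
```

Each entry in the findings dictionary maps an exception name to the first input that triggered it, so the failure can be replayed against `parse_record` while the length check is fixed.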

CONCEPTS OF FUZZ TESTING

- Fuzz testing was developed to complement negative testing and syntax testing.

- Both of the above types of fuzz testing can be employed as a white box testing technique, as a black box testing technique, or as a mix of the two, i.e., grey box testing.

- Whichever technique is used, it is focused on the common targets, i.e., network protocols, file formats and so on.

- Though these two are the usually targeted elements, almost any type of input test data for the program can be subjected to fuzz testing.

- The most common types of input data include:
1. Sequence of API calls
2. Environment variables
3. Mouse events
4. Keyboard events etc.

- Apart from the input test data types, elements such as shared memory, the contents of a database and the interleaving of threads can also be tested by fuzz testing.

- Usually, however, the input that is able to cross the trust boundary of the software system or application is targeted.

- Among all the approaches to fuzz testing, the one that is mostly preferred is the black box approach.

- This approach is mostly employed for testing large software projects that have a budget for the development of testing tools.

- Fuzz testing belongs to the class of software testing techniques that offer a high benefit-to-cost ratio.

- Like other software testing techniques, fuzz testing has a drawback: it is able to produce only a sample of the behavior of the software system.

- In some rare cases, if the software passes the fuzz test, this merely indicates that only a part of the software system can handle unexpected input data without any problem.

- This tells us that fuzz testing can be considered an overall quality assurance factor and not merely a bug-finding tool.

- Fuzz testing is also not to be taken as a substitute for either formal methods or exhaustive testing.

- It also gives us a gross measurement of the reliability of the software.

- Based on the results of fuzz testing, it can be decided which parts need a partial rewrite, static analysis or code audits.

