Browse Prior Art Database

FoS - Fuzz on Stress

IP.com Disclosure Number: IPCOM000220569D
Original Publication Date: 2012-Aug-07
Included in the Prior Art Database: 2012-Aug-07
Document File: 4 page(s) / 135K

Publishing Venue

Microsoft

Related People

Xinli Shang: INVENTOR [+8]

Abstract

Fuzz testing is an effective technique for uncovering software security issues that are not found by stress and feature tests. However, designing, developing and running fuzz tests requires significant time, effort and costly test environment. The invention, FoS, Fuzz on Stress, converts stress tests into fuzz tests automatically at run time with fuzz-strength. Fuzz-strength is a configuration parameter which defines the probability that data from a test application will be fuzzed prior to passing it along to the system under test. FoS enables the test to have both stress and fuzzing functionality at the same time. Combining randomness from fuzzing and concurrency, while stressing the system, will further load the product under test and exercise new code paths. This can uncover issues not found by independently running stress and fuzz test passes.

This text was extracted from a Microsoft Word document.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 41% of the total text.

Document Author (alias)

Xinlis

Defensive Publication Title 

FoS - Fuzz on Stress

Name(s) of All Contributors

Xinli Shang (xinlis)

Herb Stokes (hestokes)

Seth Hummel (sethh)

Charlie Hu (charlieh)

Hiroaki Takamatsu (hirota)

Baris Saydag (msaydag)

Joseph Donahue (josdon)

Gregor Harrison (gregorh)

Summary of the Defensive Publication/Abstract

Fuzz testing is an effective technique for uncovering software security issues that are not found by stress and feature tests. However, designing, developing and running fuzz tests requires significant time, effort and costly test environment.  The invention, FoS, Fuzz on Stress, converts stress tests into fuzz tests automatically at run time with fuzz-strength.  Fuzz-strength is a configuration parameter which defines the probability that data from a test application will be fuzzed prior to passing it along to the system under test.  FoS enables the test to have both stress and fuzzing functionality at the same time. Combining randomness from fuzzing and concurrency, while stressing the system, will further load the product under test and exercise new code paths. This can uncover issues not found by independently running stress and fuzz test passes.

 

Description:  Include architectural diagrams and system level data flow diagrams if: 1) they have already been prepared or 2) they are needed to enable another developer to implement your defensive publication. Target 1-2 pages, and not more than 5 pages.  

Fuzz testing is effective at uncovering security issues that cannot be uncovered by stress and feature tests in software testing. However, designing and developing fuzz tests from scratch requires significant time and effort, and running fuzz tests requires a separate costly test environment from that of feature tests, a trait that is shared with stress. Due to the cost and complexity of running a separate fuzz test pass, many organizations either do not have them for all of the their products or they tend to run these tests late in the development cycle.  This leaves a residue of unfound defects in products that are not fuzz tested and substantially increases the cost of repairing such defects in either case.  Due to the long run-times of stress tests, another shared trait with fuzzing, most mature organizations do run stress tests more or less continuously throughout the development cycle.  Combining stress with fuzz testing may find defects neither form of testing could find independently of each other.

The invention, FoS, converts stress tests into fuzz tests, with the specified fuzz-strength, automatically at run time.  Fuzz-strength is a configuration parameter which defines the probability that data from a test application will be fuzzed prior to passing it along to the system under test.  For example, if fuzz strength is 45%, it means 45% of the stress traffic will be fuzzed, thus enabling fuzz testing to piggy-back on the stress test with little or no reduction in system load and providing...