Computer software applications that read and process input data supplied by an external source, i.e. data not under the control of the software application, may be vulnerable to error or attack by corrupted or specifically malformed input data. Such applications include, but are not limited to, productivity-type applications that read input files with user-created data, network modules that receive input data over a network connection, and the like. These vulnerabilities may not be found through traditional testing methodologies used during development of the application software that test the application software using conditions generated from knowledge of the application source code, boundary conditions, parameter values, and the like.
Additional testing of the application software may be accomplished utilizing fuzzing mechanisms that randomly modify or “fuzz” the contents of input data to the application in order to test the response of the application to corrupt or malformed data. However, many large and complex applications may have countless numbers of input data parsing routines located deep in the programmatic structure of the application. Randomly fuzzing every potential byte of a large set of input data in an attempt to test a particular parsing routine may be time consuming and impractical. Further, because many applications have high-level syntactical checks to validate the structure of the input data, randomly changing multiple bytes of the input data may ensure that the deeper input data parsing routines are never touched by the fuzzed input data.
It is with respect to these considerations and others that the disclosure made herein is presented.