Fuzzing refers to a process of altering the data of valid test cases and program input (collectively, “fuzzed test data”), so as to generate new test cases. Fuzzed test data may be fuzzed to test a variety of different types of software or components. Typically, the fuzzing process is automated, guided by alterations programmed by a human tester. The fuzzing process may include running a series of simulated attacks against a component under test, with a view toward discovering flaws or bugs in the component under test.
As additional background and context on fuzzing, “dumb” fuzzing techniques do not inspect the data that is being fuzzed, and randomly alters or generates values to be fed to the components under test. On the other hand, “smart” fuzzing techniques attempt to inspect the layout of the data that is being fuzzed, so that the fuzzed data may look more correct. In this manner, the fuzzed data may pass restrictive parsing or filtering before reaching the components under test.
Generative fuzzing is a process in which data is created without any valid data as a baseline for fuzzing, although a schema may represent any format to which the fuzzed data is to conform. Mutilation fuzzing involves modifying and mutilating already valid data, in an effort to create additional test cases.
Previous fuzzing architectures typically include different components that perform various functions related to the overall fuzzing operation. These previous architectures may not enable these different components into communicate with one another. Because of this shortcoming, it may be difficult for testers to determine when a bug has been located, or to isolate which fuzzed traffic caused a particular problem
Additionally, existing fuzzing techniques may not collect into one location all of the data that results from the fuzzing operations. Thus, it may be difficult to correlate the results from a variety of different test runs, and determine which set of test conditions caused a particular error to occur. In the context of testing an application in, for example, a client-server environment, a server application may be tested by submitting a large number of test requests to it. If one of these numerous requests crashes the server or causes the server to fail, it may be difficult to isolate which particular request, sequence of requests, or other circumstances led to the failure.