Fuzzing: A Solution Chosen by the FDA to Investigate Detection of Software Vulnerabilities

What is Fuzz Testing? Fuzz testing is a type of negative software testing. In contrast to positive software testing, during which one tests whether the software is behaving as it should, negative testing seeks to check whether the software doesn’t behave the way it’s not supposed to. Fuzz testing typically applies test vectors that are almost correct, such as an invalid packet-length field in an otherwise perfectly-formed IP packet. This method could be compared with someone telling a story that has enough valid facts to make it believable but also contains a few parts that are incorrect. The listener hears and accepts the entire story (or data packet) without questioning it. In fuzz testing, the “test” is to see if these almost-correct packets cause the device to behave unacceptably. To learn about applying fuzz testing and features of a good fuzzer, please refer to the article by Knudsen1 on page 48 of this issue of Horizons.