Fuzz testing and DDoS attacks

Fuzz testing is an excellent security testing technique for increasing the robustness of software, ensuring it is defensively programmed to mitigate denial-of-service attacks. By bombarding software with malformed inputs until it crashes, fuzzing uncovers vulnerabilities and weaknesses. It’s an industry-recognized technique for ensuring the security, reliability, and robustness of embedded devices, especially in the Industrial Control Systems (ICS) space. In fact, Defensics fuzz testing is an ISASecure-certified communication/system robustness testing tool.

Not only is fuzzing well-known in ICS, but we argue that it’s becoming increasingly relevant and necessary in IoT. In Underwritings Laboratory’s (UL) overview of their UL 2900-2-3 standards, they shared the following sobering statistics:

More than 357 million new malware variants were observed in 2016.

6 million bots were observed in 2016, an uptick of 6.7 million in just 1 year.

IoT devices were attacked on average once every 2 minutes.

Forrester’s TechRadar™: Application Security, Q3 2017 report anticipates changes in the application security testing (AST) market that address the alarming statistics above. The author, Amy DeMartine, observes:

Fuzz testing tools…analyze output to determine whether an application demonstrates security, reliability, and robustness. However, unlike DAST tools, fuzz testing tools doesn’t employ crawlers; instead, they use data generators to create combinations of known dangerous values and random data. Although traditionally used for network protocol testing, fuzz testing is gaining traction for testing IoT applications, which can be difficult or even impossible to crawl.

Fuzz testing has a number of prominent champions, including Linus Torvalds from the Linux Foundation. In a recent release notification, he revealed that fuzzing has helped produce a steady stream of security fixes for Linux kernel version 4.14. Torvalds’ endorsement of fuzzing is especially relevant for IoT: Linux is one of the most popular operating systems used in embedded and IoT devices. And Defensics is no stranger to Linux. Earlier this year, Defensics uncovered three critical unknown vulnerabilities in the Linux kernel.