-2

What is the relationship between fuzzing and buffer overflow, and does fuzzing lead to buffer overflow? Is buffer overflow a subset of fuzzing?

Nathan Aw
  • 1
    Did you look this up? I googled "What is the relationship between fuzzing and buffer overflow" and got *many* tutorials explaining it. The answer below simply references Wikipedia. Please do at least ***some*** research before posting here. Your question is posed as if you do not know what the terms mean. – schroeder Feb 01 '22 at 08:29
  • 1
    "Fuzz testing is a well-known technique for uncovering programming errors in software. Many of these detectable errors, like buffer overflow, can have serious security implications. " -- [oss-fuzz from a paper you presented to OWASP in November](https://github.com/nathanawmk/oss-fuzz). Can you explain the basis and motivation for your question? You have me very confused because it seems as though you already have this knowledge and authoritative sources for answers. – schroeder Feb 01 '22 at 09:12
  • If you are trying to create, what we call canonical questions, this is not the way to do it. Usually, you post in Meta to get community feedback on the necessity for such canonical questions, and then an agreed-upon approach. Throwing dozens of ill-formed questions in the queue just generates noise. – schroeder Feb 01 '22 at 09:49

1 Answer

2

To understand the relationship, one has to first understand what fuzzing and buffer overflow are in the first place. In short:

  • Fuzzing is (automatically) trying to trigger various program paths, usually using variations of input, in the hope of stumbling into something which was not properly implemented, like missing or incomplete input checks.
  • Buffer overflow is a very specific vulnerability which can be triggered by unexpected input. But buffer overflow is not the only kind of vulnerability for unexpected input.

Based on this, fuzzing can be used to detect buffer overflows - but also other vulnerabilities. And not all buffer overflows might be detected by fuzzing. And neither is fuzzing the only way to detect buffer overflows.

Steffen Ullrich
  • See my comment above. I'm not sure how to proceed. – schroeder Feb 01 '22 at 09:33
  • @schroeder: Your comment about the OP not doing the basic research reflects my thinking too. I don't feel the question is a duplicate, though, of a question asking what fuzzing is, because the OP would need to know both what fuzzing is and what buffer overflows are to understand the relation :) – Steffen Ullrich Feb 01 '22 at 09:36
  • It's not just the lack of research, but having the answers in-hand already. – schroeder Feb 01 '22 at 09:37
  • He's a member of OWASP and has presented several security papers. Including one that explained fuzzing ... https://owasp.org/www-chapter-singapore/assets/presos/Supply_Chain_Security_Securing_your_NPM,_PyPI,_Maven_and_Crates_(Rust),_Shift_Left_with_Gitops_and_Software_Fuzzing.pdf – schroeder Feb 01 '22 at 09:44
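
The relationship described in the answer, as an added example that is not part of the original answer or comments: a small random fuzzer in C run against a constructed parser with a missing length check. The record format, `parse_record` and the guard-byte arena used as the overflow detector are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 16   /* bytes the parser believes its buffer holds */
#define GUARD    0xA5 /* canary value filling the space behind the buffer */
/* Buffer = front of a larger arena we own, so the overflow lands in guard bytes. */
static uint8_t arena[BUF_SIZE + 256];
static uint32_t rng_state;

/* Constructed, deliberately buggy parser: record = [len][len payload bytes].
 * It validates len against the input size but never against BUF_SIZE. */
static void parse_record(const uint8_t *in, size_t n) {
    if (n < 1) return;
    size_t len = in[0];
    if (len > n - 1) return;        /* truncated record: rejected */
    memcpy(arena, in + 1, len);     /* missing check: len <= BUF_SIZE */
}

/* Oracle: run one input, report whether any guard byte was modified. */
static int overflows(const uint8_t *in, size_t n) {
    memset(arena, GUARD, sizeof arena);
    parse_record(in, n);
    for (size_t i = BUF_SIZE; i < sizeof arena; i++)
        if (arena[i] != GUARD) return 1;
    return 0;
}

static uint32_t next_rand(void) {   /* small LCG, repeatable per seed */
    rng_state = rng_state * 1664525u + 1013904223u;
    return rng_state >> 16;
}

/* Random fuzzer: returns the iteration that first overflowed, or -1. */
static int fuzz(uint32_t seed, int max_iters, uint8_t *crash, size_t *crash_len) {
    rng_state = seed;
    for (int it = 0; it < max_iters; it++) {
        uint8_t in[300];
        size_t n = 1 + next_rand() % 299;
        for (size_t i = 0; i < n; i++) in[i] = (uint8_t)next_rand();
        if (overflows(in, n)) { memcpy(crash, in, n); *crash_len = n; return it; }
    }
    return -1;
}

int main(void) {
    uint8_t crash[300] = {0}; size_t n = 0;
    printf("first overflow at input #%d\n", fuzz(1, 1000, crash, &n));
    return 0;
}
```

The oracle has a blind spot: an overflow whose bytes all equal the guard value 0xA5 goes unreported, which is one concrete way a fuzzer can fail to flag an overflow that did occur.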