What is Fuzzing?
Computer programs are subject to various vulnerabilities and bugs. Depending on how complex these programs are, such vulnerabilities may not be easily discernible even with common dynamic analysis techniques – that is, techniques that examine a program using real-time data. This is where the concept of fuzzing comes into play. Fuzzing is the automated process of randomly generating semi-valid inputs in order to test a program for edge and corner cases. Simply put, it is a way of testing for unusual behavior (bugs) in a program: bugs that tend to show up when a program’s variables are pushed to their highest allowable limits.
How does Fuzzing work?
Fuzzing works on programs that have a structure for determining valid and invalid inputs. A good fuzzer generates semi-valid inputs – inputs that have just enough “valid” in them to be accepted by the parser and just enough “invalid” to provoke unexpected behavior. In this way, a fuzzer is able to expose exploitable vulnerabilities in a program. Fuzzers are therefore essential when dealing with Blockchains and the Smart Contracts that run on them.
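To make the idea of “semi-valid” inputs concrete, here is an added Python example; it is not code from the original article. It uses a constructed toy record parser (`parse_record`) that rejects bad headers and inconsistent lengths but contains one deliberate boundary defect, and it compares two input generators with the same iteration budget: purely random byte strings, and mutations of one known-good seed record whose length fields are pushed to boundary values. All names here (`parse_record`, `gen_semi_valid`, `run_fuzz`, `compare`) and the record layout are this example’s own assumptions.

```python
import random

MAGIC = b"FZ"


class ParseError(ValueError):
    """Expected rejection of a malformed record; not a bug."""


def parse_record(data: bytes) -> dict:
    """Constructed toy parser: MAGIC(2) | name_len(1) | name | payload_len(2, big-endian) | payload."""
    if len(data) < 5 or data[:2] != MAGIC:
        raise ParseError("bad header")
    name_len = data[2]
    name = data[3:3 + name_len]
    if len(name) != name_len:
        raise ParseError("truncated name")
    pos = 3 + name_len
    if len(data) < pos + 2:
        raise ParseError("missing payload length")
    payload_len = int.from_bytes(data[pos:pos + 2], "big")
    payload = data[pos + 2:pos + 2 + payload_len]
    if len(payload) != payload_len:
        raise ParseError("truncated payload")
    # Deliberate boundary defect for the example: a zero-length payload passes every
    # check above, but the "trailer byte" lookup below assumes payload_len >= 1.
    trailer = payload[payload_len - 1]
    return {"name": name.decode("latin-1"), "payload": payload, "trailer": trailer}


def build_record(name: bytes, payload: bytes) -> bytes:
    return MAGIC + bytes([len(name)]) + name + len(payload).to_bytes(2, "big") + payload


SEED = build_record(b"alice", b"hello")  # one known-good record to mutate from


def gen_random(rng):
    """Fully random bytes: they almost never carry the right magic, so the parser rejects them at once."""
    return bytes(rng.randrange(256) for _ in range(rng.randint(0, 32)))


def gen_semi_valid(rng):
    """Mutate the valid seed so the header survives and a length field lands on a boundary value."""
    data = bytearray(SEED)
    choice = rng.randrange(4)
    if choice == 0:                       # flip one bit anywhere
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1:                     # boundary value in name_len
        data[2] = rng.choice([0, 1, 0xFF])
    elif choice == 2:                     # boundary value in payload_len, body bytes untouched
        pos = 3 + SEED[2]
        data[pos:pos + 2] = rng.choice([0, 1, 0xFFFF]).to_bytes(2, "big")
    else:                                 # truncate at a random point
        del data[rng.randrange(len(data)):]
    return bytes(data)


def run_fuzz(generator, iterations, rng):
    """Return (accepted, rejected, crashes); crashes maps exception type -> first input that raised it."""
    accepted = rejected = 0
    crashes = {}
    for _ in range(iterations):
        data = generator(rng)
        try:
            parse_record(data)
            accepted += 1
        except ParseError:
            rejected += 1
        except Exception as exc:          # anything else is a parser bug, not a bad input
            crashes.setdefault(type(exc).__name__, data)
    return accepted, rejected, crashes


def compare(iterations=2000, seed=1):
    """Run both generators with the same budget and a fixed seed so the result is reproducible."""
    return {
        "random": run_fuzz(gen_random, iterations, random.Random(seed)),
        "semi_valid": run_fuzz(gen_semi_valid, iterations, random.Random(seed)),
    }


if __name__ == "__main__":
    for label, (acc, rej, crashes) in compare().items():
        print(f"{label:10s} accepted={acc} rejected={rej} crashes={list(crashes)}")
```

The random generator spends its whole budget being rejected at the magic check, so it never exercises the length logic at all. The semi-valid generator keeps the header intact and lands `payload_len` on zero within a few dozen iterations, which is exactly the corner case the parser’s author did not think about; the crash record keeps the first triggering input so it can be replayed and turned into a regression test.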
Fuzz testing in Blockchain
Traditionally, a Smart Contract – a protocol that manages accounts on a Blockchain – is immutable. This means that once the code is written and deployed, it can’t be changed. This feature is a double-edged sword: on one hand, the immutable nature of Smart Contracts keeps them largely safe from hackers, but on the other hand, the inability to push updates to the protocol means that any bugs discovered can’t be fixed. This is why Smart Contracts should only be coded by experienced programmers, and even experienced programmers can have bugs in their code. Fuzzing is a way to identify those outlier bugs, and because it tests a massive number of random scenarios, it is very well suited to debugging Smart Contracts before they are deployed. This type of debugging with fuzzers can help prevent major catastrophes – such as the Ethereum DAO hack – that exploit vulnerabilities in Smart Contracts.
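Pre-deployment fuzzing of a contract is usually done as stateful property-based testing: the tester writes invariants that must hold after every transaction, and the fuzzer throws random transaction sequences at the contract until one of them breaks an invariant. The following is an added Python example, not code from the article and not any real fuzzing tool. It models a minimal token ledger in plain Python (a constructed model with one deliberate self-transfer defect, a familiar pattern in hand-written transfer logic), checks a supply-conservation invariant after each call, and then shrinks the failing sequence to the shortest one that still reproduces the failure. `LedgerModel`, `replay`, `fuzz`, `shrink` and the holder names are assumptions made for this example.

```python
import random

HOLDERS = ["alice", "bob", "carol"]
SUPPLY = 1000


class LedgerModel:
    """Constructed Python stand-in for a token contract; the whole supply starts with the first holder."""

    def __init__(self):
        self.total_supply = SUPPLY
        self.balances = {h: 0 for h in HOLDERS}
        self.balances[HOLDERS[0]] = SUPPLY

    def transfer(self, sender, to, amount):
        # Deliberate defect for the example: both balances are read before either is written,
        # so when sender == to the second write overwrites the first and `amount` appears from nothing.
        sender_bal = self.balances[sender]
        to_bal = self.balances[to]
        if amount > sender_bal:
            raise ValueError("insufficient balance")   # plays the role of a revert
        self.balances[sender] = sender_bal - amount
        self.balances[to] = to_bal + amount


def invariants_hold(ledger):
    """Properties checked after every call: supply is conserved and no balance is negative."""
    balances = ledger.balances.values()
    return sum(balances) == ledger.total_supply and all(b >= 0 for b in balances)


def apply_op(ledger, op):
    """Apply one (sender, to, amount) call; a revert leaves state unchanged and is not a failure."""
    try:
        ledger.transfer(*op)
    except ValueError:
        pass
    return invariants_hold(ledger)


def replay(ops):
    """Re-run a sequence on a fresh model; return the index of the first op that breaks an invariant, or None."""
    ledger = LedgerModel()
    for i, op in enumerate(ops):
        if not apply_op(ledger, op):
            return i
    return None


def random_op(rng, ledger):
    """Pick parties at random and an amount biased toward the boundaries of the sender's current balance."""
    sender, to = rng.choice(HOLDERS), rng.choice(HOLDERS)
    bal = ledger.balances[sender]
    amount = rng.choice([0, 1, bal, bal + 1, rng.randint(0, SUPPLY)])
    return (sender, to, amount)


def fuzz(rng, campaigns=200, seq_len=20):
    """Run stateful campaigns; return the first sequence whose last op breaks an invariant, or None."""
    for _ in range(campaigns):
        ledger, ops = LedgerModel(), []
        for _ in range(seq_len):
            op = random_op(rng, ledger)
            ops.append(op)
            if not apply_op(ledger, op):
                return ops
    return None


def shrink(ops):
    """Greedy minimization: drop one op at a time as long as the failure still reproduces."""
    i = 0
    while i < len(ops):
        candidate = ops[:i] + ops[i + 1:]
        if replay(candidate) is not None:
            ops = candidate            # still fails without this op, so keep the shorter sequence
        else:
            i += 1
    return ops


def demo(seed=7):
    """Return (raw failing sequence, shrunk sequence) for a fixed seed."""
    failing = fuzz(random.Random(seed))
    return failing, (shrink(failing) if failing else None)


if __name__ == "__main__":
    raw, minimal = demo()
    print("raw failing sequence length:", len(raw))
    print("minimal reproducer:", minimal)
```

The invariant is the important part: the fuzzer does not know what a “correct” transfer looks like, it only knows that the total supply must never change, and any sequence that changes it is a bug worth a human’s attention. The shrink step matters in practice too, because a twenty-call sequence is hard to reason about while a one-call reproducer (a self-transfer by a funded account) makes the root cause obvious.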
The fate of Fuzz testing in blockchains
With recent advancements in machine learning algorithms – programs that self-improve from experience – fuzzers are being made to work in synergy with machine learning programs. Fuzzers can be integrated with machine learning algorithms to enhance their accuracy in identifying exploitable vulnerabilities. Regular fuzzers are able to identify numerous unexpected scenarios, but not all of these scenarios are a problem; some are features. And of the cases where bugs are identified, not all of the identified bugs pose risks. So there is usually a need for a classification system to categorize the different types of bugs identified by the fuzzers. Machine learning programs are able to automate the identification and classification of fuzzing outputs, thereby speeding up the process and enhancing accuracy.
Currently, fuzzing as a software testing technique receives a mixed reception amongst enterprises, due largely to the fact that fuzzers deal with huge amounts of inputs and data, making them time- and resource-consuming. But with the integration of machine learning algorithms, and fuzzing-as-a-service platforms aimed at Smart Contracts such as Echidna and Harvey, the future seems bright for Fuzzers. Increased adoption of blockchain by governments, banks, and enterprises is likely because of the mitigating effect of Fuzzing on the risks associated with Blockchain technology.