Modern fuzz testing is one of the most effective methods to find bugs and vulnerabilities in software. It is so effective because it runs the application with dynamic inputs to provoke unexpected or erroneous behavior. Modern fuzzing engines can also retrieve feedback from previous inputs to generate new and more advanced fuzzing queries. They are optimized to improve your code coverage and detect all types of bug classes.
Since 2018, Code intelligence provides a platform for automated fuzz testing. Working closely together with industry and academia, the engineers at Code Intelligence were able to extend the reach of modern fuzz testing to a variety of different use cases. In this article, you will find an overview of some of the bug classes that the CI team found over the past years.*
* Please note that for confidential reasons, not all findings are included in this blog. If you are interested in a specific bug class, please contact our experts.
Bugs and CWE's Found Through Code Intelligence Fuzzing in C/C++
CWE-119 | Improper Restriction of Operations Within the Bounds of a Memory Buffer | CWE-416 | Use After Free |
CWE-823 | Use of Out-of-Range Pointer Offset | CWE-476 | NULL Pointer Dereference |
CWE-786 | Access of Memory Location Before Start of Buffer | CWE-590 | Free Memory Not on the Heap |
CWE-680 | Integer Overflow to Buffer Overflow | CWE-362 | Signal Handler Race Condition |
CWE-466 | Return of Pointer Value Outside of Expected Range | CWE-366 | Race Condition Within a Thread |
CWE-787 | Out-of-Bounds Write | CWE-367 | Time-of-Check Time-of-Use (TOCTOU) Race Condition |
CWE-125 | Out-of-Bounds Read | CWE-368 | Context Switching Race Condition |
CWE-129 | Improper Validation of Array Index | CWE-421 | Race Condition During Access to Alternate Channel |
CWE-193 | Incorrect Calculation of Buffer Size | CWE-1223 | Context Switching Race Condition |
CWE-193 | Off-by-One Error | CWE-662 | Improper Synchronization |
CWE-195 | Signed to Unsigned Conversion Error | CWE-758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior |
CWE-839 | Numeric Range Comparison Without Minimum Check | CWE-562 | Return of Stack Variable Address |
CWE-843 | Access of Resource Using Incompatible Type ("Type Confusion") | CWE-587 | Assignment of a Fixed Address to a Pointer |
CWE-1257 | Improper Access Control Applied to Mirrored or Aliased Memory Ranges | CWE-588 | Attempt to Access Child of a Non-Structure Pointer |
CWE-190 | Integer Overflow or Wraparound | CWE-1102 | Reliance on Machine-Dependent Third-Party Components |
CWE-20 | Improper Input Validation | CWE-1105 | Insufficient Encapsulation of Machine-Dependent Functionality |
CWE-415 | Double Free |
What Bugs Can You Find With Fuzzing in C/C++?
Memory Buffer Errors
- Buffer Overflow
- Incorrect Calculation of Buffer Size
- Free of Memory not on the Heap
- Integer Overflow to Buffer Overflow
- Access of Memory Location Before Start of Buffer
- Improper Access Control Applied to Mirrored or Aliased Memory Regions
- Improper Handling of Overlap Between Protected Memory Ranges
- Double-Free
- Out-of-bounds Read
- Out-of-bounds Write
- Dangling pointer
Data Validation Issues
- Out-of-bounds array index
- Object Type Confusion
- Improper Input Validation
Pointer Issues
- Return of Pointer Value Outside of Expected Range
- NULL Pointer Dereference
- Assignment of a Fixed Address to a Pointer
- Attempt to Access Child of a Non-structure Pointer
- Untrusted pointer offset
Numeric Errors
- Integer Overflow or Wraparound
- Off-by-five
- Numeric Range Comparison Without Minimum Check
Concurrency Issues
- Signal Handler Race Condition
- Race Condition (Concurrent Execution using Shared Resource with Improper Synchronization)
- Race Condition within a Thread
- Time Of Check To Time Of Use
- Race Condition During Access to Alternate Channel
- Context Switching Race Condition
- Race Condition for Write-Once Attributes
- Improper Synchronization
Bad Coding Practices
- Return of Stack Variable Address
- Reliance on machine-dependent Data Representation
- Use of platform-dependent Third Party Components
Info Box: Fuzzing With SanitizersSome bugs can not be detected by fuzzing alone. To trigger these more complex vulnerabilities, you will have to use additional sanitizers. For example, ThreadSanitizer for race conditions, or AddressSanitizer for memory buffer errors. These sanitizers are software libraries that you compile into your code to make your program crash more often. The CI Fuzz testing platform can help you to set up and configure those sanitizers, in order to improve your code coverage. Click here to learn more about sanitizers. |
What Bugs Can You Find With Fuzzing in Java?
Fuzz testing is also an effective approach for finding security vulnerabilities in memory-safe languages. With our fuzzing engine for Java, we regularly uncover all kinds of bugs in JVM-based customer projects. Here is a list of some typical bugs we find during security testing for Java applications:
Data Validation Errors
- Injection
- Exposure of Sensitive Information to an Unauthorized Actor
- XML External Entities (XXE)
- Sensitive Data Exposure
- Generation of Error Message Containing Sensitive Information
- Cross-Site Scripting XSS
Logic Issues
- Logic issue: bypass security features
Audit/Logging Errors
- Logging of Excessive Data
- Insufficient Logging
- Insufficient Logging & Monitoring
- Broken Authentication
- Broken Access Control
Cookie Issues
- Sensitive Cookie with Improper SameSite Attribute
- Sensitive Cookie Without 'HttpOnly' Flag
- Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Other Issues
- Denial of Service (DoS)
- Infinite Loop
- Security Misconfiguration
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Uncaught Exceptions
Although our fuzzing engine already uncovers a large variety of different bug classes, we are constantly improving and fine-tuning our platform, to make security testing more usable and accessible for everyone. For an in-depth look at the tech that Code Intelligence offers, you can check out our product tour or download one of our sample bug reports.