RubyConf: Iron Mongrel – Fuzzing

Zed Shaw, author of Mongrel, got a round of applause when he was introduced for this talk at RubyConf 2006. During this presentation, Zed talked about fuzzing. I am new to the ideas of fuzzing and I found this talk extremely interesting. One quick definition of fuzzing is trying to break a software system by handing it nasty, maliciously crafted random input and events. One simple way of fuzzing is to always enter ‘yes’ on a console application and watch out for errors and exceptions. The basic theory behind fuzzing is that programmers test using what they think are valid inputs, but the programmer can’t predict user input out in the world. Unit tests are predictable, since a developer wrote the system, knows what to expect, and wrote tests based on that. A fuzz test has no idea of your system. According to Zed, fuzzing is a great way to finalize a vendor selection between two closed source third party software packages.

Zed has made available a Ruby fuzz gem known as RFuzz. RFuzz is made up of a randomness engine, data collection, and statistical analysis. When fuzzing a software system, you will usually need to do some analysis of the results to verify if a fix actually worked. After this talk I felt that maybe I should try to use RFuzz in JRuby to try to blow up our Java application.
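
The three parts named above (randomness engine, data collection, analysis) and the before/after check of a fix, as an added sketch in plain Ruby. It is not from the talk or from RFuzz and does not use the RFuzz API; the two `parse_kv_*` targets and the input alphabet are constructed for illustration.

```ruby
# Added example: plain-Ruby fuzz harness (standard library only, not RFuzz).
# parse_kv_buggy / parse_kv_fixed are hypothetical targets constructed here.

# Buggy target: assumes every line is "key=<integer>".
def parse_kv_buggy(line)
  key, value = line.split("=", 2)
  { key.strip => Integer(value) }
end

# Fixed target: returns nil for malformed input instead of raising.
def parse_kv_fixed(line)
  key, value = line.split("=", 2)
  return nil if key.nil? || value.nil?
  n = Integer(value, exception: false)
  n && { key.strip => n }
end

# Constructed input alphabet; "=" is listed twice to make it more likely.
ALPHABET = (("0".."9").to_a + ("a".."f").to_a + ["=", "=", " ", "-"]).freeze

# Randomness engine: seeded, so a failing run can be replayed exactly.
def random_line(rng)
  Array.new(rng.rand(0..8)) { ALPHABET.sample(random: rng) }.join
end

# Data collection: tally :ok or the exception class name for each input.
def fuzz(target, seed:, runs: 2000)
  rng = Random.new(seed)
  tally = Hash.new(0)
  runs.times do
    begin
      send(target, random_line(rng))
      tally[:ok] += 1
    rescue StandardError => e
      tally[e.class.name] += 1
    end
  end
  tally
end

# Analysis: fraction of inputs that raised.
def failure_rate(tally)
  (tally.values.sum - tally[:ok]).to_f / tally.values.sum
end

before = fuzz(:parse_kv_buggy, seed: 2006)
after  = fuzz(:parse_kv_fixed, seed: 2006)
puts "before: #{before} rate=#{failure_rate(before).round(3)}"
puts "after:  #{after} rate=#{failure_rate(after).round(3)}"
```

Running both targets with the same seed feeds them the identical input stream, so a drop in the failure rate is attributable to the fix rather than to luck in the random inputs.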
