HotFuzz Support

News

2011-03-05: Source files are in SVN at SourceForge. Feel free to send patches :-)

2010-09-09: We have worked hard to bring you the first fully working version of our application. We are going to present it on 24th of September, so wish us good luck and definitely try out our product :-)

About

The goal of this project is to implement automatic fuzzing of known protocols.

Fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (e.g. crashes), the defects can be noted. Fuzzing is a favorite method of security researchers and plays a major role in quality assurance.

There are many fuzzers and fuzzing frameworks fuzzing frameworks available, both commercial and free. The IT security community suggests enhancing some of the existing tools instead of building yet another fuzzer/fuzzing framework. It has been decided that a fuzzer will be implemented as a proxy tool. There are commercial fuzzers which implement this feature, but none of the open-source fuzzers fully do.

As a basis for this project, the Peach fuzzing framework is used. To make HotFuzz understand existing protocols, Wireshark dissectors are used.

Given current features of Peach, a user would need to create a data model/state model in order to generate data (valid, to some extent). This process is considered labourintensive for some complex protocols.

Using HotFuzz project, data can be altered (fuzzed) in real time. Assuming the clientserver model, the client test program is configured to send traffic to HotFuzz, which works as a proxy and fuzzes the data. HotFuzz uses protocol dissectors to recognize data types used in the traffic and fuzzes the data accordingly.

Documentation

User manual (PDF)

Developer's guide (PDF)

Video (installation and use on three machines, 6:52) (37MB)

Video (installation and use on three machines, 6:52) - Vimeo

Video (installation and use on three machines, 6:52) - YouTube

Doxygen:

Links

The development team consists of five students of the Charles University in Prague

Please send any comments and bug reports to our mailing-list at hotfuzz-project@googlegroups.com or visit its archive.

HotFuzz wiki

Peach fuzzing framework homepage

Peach mailing-list

Peach SVN for checkout

Peach SVN for browsing

Download

You can download the latest HotFuzz Installer from SourceForge (Windows executable, recommended to install on a clean Windows XP machine).

The latest development version can be found at HotFuzz SVN at SourceForge.