2011-03-05: Source files are in SVN at SourceForge. Feel free to send patches :-)
2010-09-09: We have worked hard to bring you the first fully working version of our application. We are going to present it on 24th of September, so wish us good luck and definitely try out our product :-)
The goal of this project is to implement automatic fuzzing of known protocols.
Fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (e.g. crashes), the defects can be noted. Fuzzing is a favorite method of security researchers and plays a major role in quality assurance.
There are many fuzzers and fuzzing frameworks available, both commercial and free. The IT security community suggests enhancing some of the existing tools instead of building yet another fuzzer/fuzzing framework. It has been decided that a fuzzer will be implemented as a proxy tool. There are commercial fuzzers which implement this feature, but none of the open-source fuzzers fully do.
Given the current features of Peach, a user would need to create a data model/state model in order to generate data (valid, to some extent). This process is considered labour-intensive for some complex protocols.
Using the HotFuzz project, data can be altered (fuzzed) in real time. Assuming the client-server model, the client test program is configured to send traffic to HotFuzz, which works as a proxy and fuzzes the data. HotFuzz uses protocol dissectors to recognize data types used in the traffic and fuzzes the data accordingly.
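The type-aware mutation step described above, as an added sketch that is not HotFuzz's own code: a message is dissected into typed fields, one field is mutated according to its type, and the message is rebuilt with a consistent length prefix. The wire format, field names and function names are assumptions made for illustration.

```python
import random
import struct

# Constructed toy wire format (an assumption, not a format from HotFuzz):
#   uint8 opcode | uint16 big-endian name length | name bytes
SAMPLE = struct.pack(">BH", 0x01, 5) + b"alice"  # constructed client message

def dissect(data):
    """Split a raw message into (name, type, value) fields, like a dissector."""
    opcode, name_len = struct.unpack_from(">BH", data, 0)
    name = data[3:3 + name_len]
    if len(name) != name_len or len(data) != 3 + name_len:
        raise ValueError("message does not match the toy format")
    return [("opcode", "uint8", opcode), ("name", "string", name)]

def fuzz_field(ftype, value, rng):
    """Choose a mutation that suits the field's data type."""
    if ftype == "uint8":
        return rng.choice([v for v in (0x00, 0x7F, 0x80, 0xFF) if v != value])
    if ftype == "string":
        candidates = [b"", (value * 64)[:0xFFFF], value + b"\x00", b"\xff" * 8]
        return rng.choice([c for c in candidates if c != value])
    return value  # unknown type: leave untouched

def serialize(fields):
    """Rebuild the message, recomputing the length prefix so the mutated
    field still parses on the server side."""
    values = {name: value for name, _, value in fields}
    return struct.pack(">BH", values["opcode"], len(values["name"])) + values["name"]

def fuzz_message(data, field_name, rng):
    """Proxy hook: mutate one dissected field, forward everything else as-is."""
    try:
        fields = dissect(data)
    except (ValueError, struct.error):
        return data  # traffic the dissector cannot parse passes through unchanged
    fuzzed = [(n, t, fuzz_field(t, v, rng) if n == field_name else v)
              for n, t, v in fields]
    return serialize(fuzzed)

if __name__ == "__main__":
    rng = random.Random(2010)  # fixed seed so a failing case can be replayed
    for field in ("opcode", "name"):
        print(field, fuzz_message(SAMPLE, field, rng).hex())
```

Seeding the generator and logging which field was mutated lets a crash in the server under test be reproduced from the same client traffic.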
User manual (PDF)
Developer's guide (PDF)
Doxygen:
The development team consists of five students of the Charles University in Prague.
Please send any comments and bug reports to our mailing list at firstname.lastname@example.org or visit its archive.