The University of Sheffield
Department of Computer Science

Patrick Clark Undergraduate Dissertation 2016/17

Comparing Fuzzing and Static Analysis Testing for finding Vulnerabilities

Supervised by A. Brucker

Abstract

Computer security has been a concern for as long as the Internet has existed. Because attackers will always look for new ways to break programs, the field must advance continuously. Every few years OWASP (the Open Web Application Security Project) publishes its Top 10 list of the most critical web application security risks, and the MITRE Corporation publishes the CWE/SANS Top 25 Most Dangerous Software Errors. These two lists warn organisations about the most serious application security threats so that they know what to look out for. Organisations also need methods that help them find such flaws in their own software. The most recent editions of both lists show a trend towards implementation-level vulnerabilities being the most serious. Security testing analyses a program, whether its source code or its behaviour at run time, in order to find and fix vulnerabilities, and a number of security testing methods are available. This project focuses on two popular ones, fuzz testing and static analysis testing, and compares the vulnerabilities that each finds in order to establish which technique is better suited to detecting particular classes of vulnerability.