142 Core Software Security
• Fuzz testing (black box). Fuzzing is a technique that is used to
detect faults and security-related bugs in software by providing
random inputs (fuzz) to a program. As opposed to static analysis,
where source code is reviewed line by line for bugs, fuzzing con-
ducts dynamic analysis by generating a variety of valid and invalid
inputs to a program and monitoring the results. In some instances,
the result might be the program crashing.
• Binary code analysis (black box). Binary code scanners analyze
machine code to model a language-neutral representation of the
program’s behaviors, control and data flows, call trees, and exter-
nal function calls. Such a model may then be traversed by an auto-
mated vulnerability scanner in order to locate vulnerabilities caused
by common coding errors and simple back doors. A source code
emitter can use the model to generate a human-readable source code
repre sentation of the program’s behavior, enabling manual code
review for design-level security weaknesses and subtle back doors
that cannot be found by automated scanners.
• Byte code analysis (black box). Byte code scanners are used just
like source-code security analyzers, but they detect vulnerabilities
in the byte code. For example, the Java language is compiled into
a platform-independent byte code format that is executed in the
runtime environment (Java Virtual Machine). Much of the infor-
mation contained in the original Java source code is preserved in
the compiled byte code, thus making de-compilation possible. Byte
code scanners can be used in cases where the source code is not
available for the software—for example, to evaluate the impact a
third-party software component will have on the security posture of
an application.
• Black box debugging (black box). Debuggers for low-level pro-
gramming languages such as C or ASM are software tools that
enable the tester to monitor the execution of a program, start and
stop a program, set breakpoints, and modify values. Debuggers are
typically used to debug an application when the source code or the
compiler symbols are available. The source-code and compiler sym-
bols allow information, the values of internal variable, to be tracked
to discover some aspect of internal program behavior. However,
sometimes only the binary is available, and the binary was com-
piled from code with no compiler symbols or debug flags set. This
is typical in commercial software, legacy software, and software that