DocumentCode :
2629508
Title :
Tag-Aware Text File Fuzz Testing for Security of a Software System
Author :
Choi, Young Han ; Kim, Hyoungchun ; Lee, Dohoon
Author_Institution :
Electron. & Telecommun. Res. Inst.(ETRI), Daejeon
fYear :
2007
fDate :
21-23 Nov. 2007
Firstpage :
2254
Lastpage :
2259
Abstract :
Among various security testing methods, fuzz testing is useful in finding a security hole in a software system. Fuzz testing is a method that inserts unexpected data into the input of a software system and finds its defects. Traditionally, fuzz testing generates many errors of a software system because most fuzz testing doesn't consider the formats of input. We propose a novel methodology that efficiently performs fuzz testing for text files by considering the types of values in tags. A text file is a human-readable file, and consists of tags and data. When reading a text file, a software system parses values in tags and transfers the values into parameters of parsing functions. Thus, we implement the algorithm in the tag-aware text file fuzz testing (TAF) that automatically analyzes the types of values in tags of text files and inserts fault data into values while considering their types. By doing this, TAF can cover all test cases as much as possible using a few fault-inserted files. We apply TAF to HTML document files saved in the MS Excel application and evaluate them. The experimental result shows that TAF efficiently reduces the total number of fault-inserted files while covering all test cases.
Keywords :
hypermedia markup languages; program testing; security of data; text analysis; HTML document files; MS Excel application; parsing functions; security testing; software system security; tag-aware text file fuzz testing; Application software; Automatic testing; Data security; Electronic equipment testing; HTML; Information security; Performance evaluation; Software systems; Software testing; System testing;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Convergence Information Technology, 2007. International Conference on
Conference_Location :
Gyeongju
Print_ISBN :
0-7695-3038-9
Type :
conf
DOI :
10.1109/ICCIT.2007.45
Filename :
4420589