TrustInSoft Analyzer, from C/C++ source code analysis specialist TrustInSoft, now features new technology that adds formal verification to the fuzzing process.
This is achieved by taking the inputs generated during fuzzing and reusing them to conduct deeper analysis, which can identify issues that traditional fuzzing does not. The result is software security verification with no false positives or negatives.
Fuzz testing, or fuzzing, is an automated approach to software testing. It involves the deliberate injection of invalid, malformed or unexpected inputs into a software system, with the aim of uncovering defects and vulnerabilities. Fuzzing tools are used to introduce these inputs into the system and subsequently monitor for any anomalies, such as system crashes or unauthorized information disclosure.
“Most fuzzing attempts to generate invalid, unexpected or completely random data to feed a given program in the hope of discovering any holes in its input verification. The aim is to detect situations when a program accepts an invalid input as valid when it actually shouldn’t,” said Fabrice Derepas, founder and CEO of TrustInSoft.
“Our high-performance, high-volume analysis technology achieves much deeper levels of verification, which were not previously possible. As a result, we offer a mathematically provable 100% guarantee that code tested with TrustInSoft Analyzer will contain none of the undefined behaviors that are included in the CWE Top 25 classification list.”
According to the company, its new fuzzing feature guarantees that fuzz testing results are valid for any compiler, any chosen set of compiler options and any memory layout.