Why Fuzz images?


I am reading about fuzzing. I have some basic questions regarding fuzzing. I searched but couldn't find any good explanation.

  1. Why are image files popular and common for fuzzing? What is the benefit of using image files?
  2. Why are png files popular and common for fuzzing?
  3. Why is libpng popular and common for fuzzing?
  4. Is it best to fuzz png images with libpng for beginners? Why?

If someone can answer, it will be very helpful for me. Thank you in advance.

  1. You fuzz not image files, but software that parses these. Typically developers don't write code to parse images, but use third party libraries like libpng. As a developer you don't need to fuzz third party libraries, only the code of your project. As a security engineer you can fuzz them.

    It is easy to set up fuzzing of such an open-source library - you can build it statically instrumented, create a small application that calls into it and fuzz it with an easy-to-set-up fuzzer like afl. This, and the fact that such libraries are widely used, so errors in them can have a big impact on a lot of applications, make them a good target for fuzzing.

    But image files are not the only files that are widely used and have popular libraries to handle them. Most fuzzers are unaware of the input structure of the tested binary. They mostly use input mutation techniques at bit/byte level - changing the value of some bit/byte of the input, feeding it to the tested application and watching its behaviour. When the input is highly structured, a fuzzer fails to test deep into the code. For example, testing a browser by feeding html-files to it requires a fuzzer to create inputs that have correct lexical and syntactical structure. Typically the code for lexical/syntax handling is autogenerated based on a language grammar. By changing bits/bytes in html you most likely get bad keywords, which would be rejected by such autogenerated code, thus testing mostly this code and not getting deeper. Image files are typically not highly structured and easier to fuzz deeply, thus can be fuzzed with better coverage.

    It is also faster to fuzz a small input than a bigger one - fewer bits to change. It's easier to create a small image file, just by taking a small image as a seed, than, for example, an html-file.

  2. I don't know if png files are more popular for fuzzing than other binary media files, but their structure can include multiple headers/chunks of different types, which results in more different handling paths in the code and thus makes it more likely to have errors.

  3. As I said, it's open-source, widely used, easy to set up and can be fuzzed fast - it's much faster to run a small application than, for example, a browser.

  4. I'm not sure there can be a 'best' criteria, but it's easy and therefore good for beginners.
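To make the answer's points about chunked structure and byte-level mutation concrete, here is an added C example. It is not code from the answer and not libpng's code: a toy PNG chunk walker (`parse_png`), a builder that constructs a minimal seed image inline (`build_seed`), and a one-byte mutator (`mutate_and_parse`) that plays the role of a dumb fuzzer. All function names and the `png_result` codes are hypothetical, and the seed's IDAT payload is a constructed placeholder, not a real zlib stream.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Outcome codes for the toy parser (hypothetical; tell us which path a mutation reached). */
enum png_result { PNG_OK = 0, PNG_BAD_SIGNATURE, PNG_TRUNCATED, PNG_BAD_CRC,
                  PNG_BAD_IHDR, PNG_MISSING_IEND };

struct png_stats {
    uint32_t width, height;
    int chunks;                      /* total chunks walked */
    int ihdr, idat, iend, unknown;   /* per-type counters: each type is its own handling path */
};

static const unsigned char PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

/* Standard CRC-32 (reflected polynomial 0xEDB88320), the checksum PNG uses per chunk. */
static uint32_t crc32_png(const unsigned char *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk signature + chunks. check_crc=0 mimics a harness that relaxes CRC verification. */
int parse_png(const unsigned char *buf, size_t len, int check_crc, struct png_stats *st) {
    memset(st, 0, sizeof *st);
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0) return PNG_BAD_SIGNATURE;
    size_t pos = 8;
    while (pos + 12 <= len) {                      /* length(4) + type(4) + crc(4) */
        uint32_t clen = be32(buf + pos);
        const unsigned char *type = buf + pos + 4;
        if (clen > len - pos - 12) return PNG_TRUNCATED;   /* bound check before any read */
        const unsigned char *data = buf + pos + 8;
        if (check_crc && crc32_png(type, 4 + clen) != be32(data + clen)) return PNG_BAD_CRC;
        st->chunks++;
        if (memcmp(type, "IHDR", 4) == 0) {
            if (clen != 13) return PNG_BAD_IHDR;
            st->width = be32(data);
            st->height = be32(data + 4);
            if (st->width == 0 || st->height == 0) return PNG_BAD_IHDR;
            st->ihdr++;
        } else if (memcmp(type, "IDAT", 4) == 0) {
            st->idat++;
        } else if (memcmp(type, "IEND", 4) == 0) {
            st->iend++;
            return PNG_OK;
        } else {
            st->unknown++;                         /* ancillary chunk: skipped, not parsed */
        }
        pos += 12 + clen;
    }
    return PNG_MISSING_IEND;
}

/* Append one chunk with a correct CRC; returns bytes written. */
static size_t put_chunk(unsigned char *out, const char *type, const unsigned char *data, uint32_t n) {
    out[0] = (unsigned char)(n >> 24); out[1] = (unsigned char)(n >> 16);
    out[2] = (unsigned char)(n >> 8);  out[3] = (unsigned char)n;
    memcpy(out + 4, type, 4);
    if (n) memcpy(out + 8, data, n);
    uint32_t crc = crc32_png(out + 4, 4 + n);
    out[8 + n] = (unsigned char)(crc >> 24); out[9 + n] = (unsigned char)(crc >> 16);
    out[10 + n] = (unsigned char)(crc >> 8); out[11 + n] = (unsigned char)crc;
    return 12 + n;
}

/* Constructed 58-byte seed: 1x1 8-bit grayscale IHDR, 1-byte placeholder IDAT, IEND. */
size_t build_seed(unsigned char *out) {
    const unsigned char ihdr[13] = {0, 0, 0, 1, 0, 0, 0, 1, 8, 0, 0, 0, 0};
    const unsigned char idat[1] = {0};             /* placeholder, not a valid zlib stream */
    memcpy(out, PNG_SIG, 8);
    size_t pos = 8;
    pos += put_chunk(out + pos, "IHDR", ihdr, 13);
    pos += put_chunk(out + pos, "IDAT", idat, 1);
    pos += put_chunk(out + pos, "IEND", NULL, 0);
    return pos;
}

/* One step of a dumb mutator: XOR a single byte of a copy of the seed, then parse it. */
int mutate_and_parse(const unsigned char *seed, size_t len, size_t pos, unsigned char xorv,
                     int check_crc, struct png_stats *st) {
    unsigned char buf[256];
    if (len > sizeof buf || pos >= len) return -1;
    memcpy(buf, seed, len);
    buf[pos] ^= xorv;
    return parse_png(buf, len, check_crc, st);
}

int main(void) {
    unsigned char seed[256];
    struct png_stats st;
    size_t n = build_seed(seed);
    printf("seed:            %d (chunks=%d)\n", parse_png(seed, n, 1, &st), st.chunks);
    printf("flip width, crc: %d\n", mutate_and_parse(seed, n, 19, 0x01, 1, &st));
    printf("flip width, no crc: %d\n", mutate_and_parse(seed, n, 19, 0x01, 0, &st));
    printf("flip IDAT length: %d\n", mutate_and_parse(seed, n, 36, 0xFF, 1, &st));
    return 0;
}
```

The result codes stand in for the coverage feedback a real fuzzer would collect: flipping the low byte of the IHDR width is stopped by the CRC check (`PNG_BAD_CRC`) and never reaches the header validation, while the same flip with CRC checking relaxed lands in the IHDR path (`PNG_BAD_IHDR`), and a flipped length byte exercises the bounds check (`PNG_TRUNCATED`). This is why libpng fuzzing harnesses commonly relax chunk CRC checking (libpng's `png_set_crc_action` with `PNG_CRC_QUIET_USE`): without that, most byte-level mutations die at the checksum instead of reaching the per-chunk handling code the answer describes.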