Security News > 2023 > January > Vulnerabilities in cryptographic libraries found through modern fuzzing

Recently patched vulnerabilities in MatrixSSL and wolfSSL, two open-source TLS/SSL implementations / libraries for embedded environments, have emphasized the great potential of using fuzzing to uncover security holes in implementations of cryptographic protocols.

Fuzzing cryptographic libraries to flag security flaws.

"Computer software is becoming more complex. So, it is almost impossible to perform a complete source code review with reasonable coverage. For this reason, modern fuzzing methods are used to discover vulnerabilities," Deutsche Telekom's security evaluators explained.

"Code coverage based fuzzing combined with the AddressSanitizer is a powerful method to discover e.g., buffer overflows. With increasingly complex source codes, it is a resource-efficient alternative to source code reviews, because this fuzzing approach can be done mainly automatically. As there exist many approaches for fuzzing, it is the art of fuzzing to find the best approach," Hörr and Ibrahim noted.

In an excellent write-up, Ammann went more in-depth about some of the discovered vulnerabilities and how the fuzzer found "Weird states" and allowed them to find their source.

"It is challenging to fuzz implementations of cryptographic protocols. Unlike traditional fuzzing of file formats, cryptographic protocols require a specific flow of cryptographic and mutually dependent messages to reach deep protocol states," he explained.

News URL

https://www.helpnetsecurity.com/2023/01/13/fuzzing-cryptographic-libraries/