Fuzzing para o Protocolo TLS: Estado da Arte e Comparação de Fuzzers Existentes
Abstract
Among the various ways to verify the implementation of a protocol, fuzzing tests are worth mentioning, given the good results achieved in recent years both in terms of covering the code that implements a protocol and in terms of finding bugs that can cause security breaches. This paper presents preliminary findings resulting from the investigation of existing fuzzers for the TLS protocol, with the ultimate objective of modifying one of them for testing a new security protocol. It is shown that not all existing fuzzers are functional and that, among those that actually work, the tlsfuzzer deserves attention as the one to be adapted to verify the implementation of the SPDM protocol.
References
Alves, R. C. A., Albertini, B. C., and Simplicio, M. A. (2022). Securing Hard Drives with the Security Protocol and Data Model (SPDM). In 2022 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), pages 446–447.
Beurdouche, B., Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., and Zinzindohoue, J. K. (2017). A Messy State of the Union: Taming the Composite State Machines of TLS. Commun. ACM, 60(2):99–107.
DMTF (2020). Security Protocol and Data Model Specification (SPDM). [link]. Acessado em 17 de Julho de 2023.
DMTF (2021). This openspdm is a sample implementation for the DMTF SPDM specification. [link]. Acessado em 17 de Julho de 2023.
DMTF (2023). Security Protocols and Data Models Working Group. [link]. Acessado em 17 de Julho de 2023.
Li, R., Diao, W., Li, Z., Du, J., and Guo, S. (2021). Android Custom Permissions Demystified: From Privilege Escalation to Design Shortcomings. In 2021 IEEE Symposium on Security and Privacy (SP), pages 70–86.
Rodriguez, L. G. A. and Batista, D. M. (2023). Resource-Intensive Fuzzing for MQTT Brokers: State of the Art, Performance Evaluation, and Open Issues. IEEE Networking Letters, 5(2):100–104.
Beurdouche, B., Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., and Zinzindohoue, J. K. (2017). A Messy State of the Union: Taming the Composite State Machines of TLS. Commun. ACM, 60(2):99–107.
DMTF (2020). Security Protocol and Data Model Specification (SPDM). [link]. Acessado em 17 de Julho de 2023.
DMTF (2021). This openspdm is a sample implementation for the DMTF SPDM specification. [link]. Acessado em 17 de Julho de 2023.
DMTF (2023). Security Protocols and Data Models Working Group. [link]. Acessado em 17 de Julho de 2023.
Li, R., Diao, W., Li, Z., Du, J., and Guo, S. (2021). Android Custom Permissions Demystified: From Privilege Escalation to Design Shortcomings. In 2021 IEEE Symposium on Security and Privacy (SP), pages 70–86.
Rodriguez, L. G. A. and Batista, D. M. (2023). Resource-Intensive Fuzzing for MQTT Brokers: State of the Art, Performance Evaluation, and Open Issues. IEEE Networking Letters, 5(2):100–104.
Published
2023-09-18
How to Cite
VELOZO, Filipe T.; FERREIRA, Thiago D.; PACHECO, Eduardo F.; ALVES, Renan C. A.; SIMPLICIO JR., Marcos A.; ALBERTINI, Bruno C.; BATISTA, Daniel M..
Fuzzing para o Protocolo TLS: Estado da Arte e Comparação de Fuzzers Existentes. In: WORKSHOP ON SCIENTIFIC INITIATION AND UNDERGRADUATE WORKS - BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 23. , 2023, Juiz de Fora/MG.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2023
.
p. 303-308.
DOI: https://doi.org/10.5753/sbseg_estendido.2023.235133.
