Application of Fuzzing Technique in Testing the Reference Implementation of SPDM
Abstract
Automated tests performed during software development are capable of finding flaws early, preventing vulnerabilities ranging from denial of service to privilege escalation. In particular, these automated tests can be performed using the fuzzing technique, which coordinates the sending of unexpected inputs to the software under test. This paper presents preliminary results of spdmfuzzer, a fuzzer developed to test the reference implementation of the Security Protocols and Data Models (SPDM), a protocol that enables hardware and firmware attestation. In its current publicly available version, spdmfuzzer has already been able to find unexpected behaviors in the protocol implementation.
