CLFuzz: Vulnerability Detection of Cryptographic Algorithm Implementation via Semantic-aware Fuzzing

2Citations
Citations of this article
7Readers
Mendeley users who have this article in their library.

Abstract

Cryptography is a core component ofmany security applications, and flaws hidden in its implementation will affect the functional integrity or, more severely, pose threats to data security. Hence, guaranteeing the correctness of the implementation is important. However, the semantic characteristics (e.g., diverse input data and complex functional transformation) challenge those traditional program validation techniques (e.g., static analysis and dynamic fuzzing). In this article, we propose CLFuzz, a semantic-aware fuzzer for the vulnerability detection of cryptographic algorithm implementation. CLFuzz first extracts the semantic information of targeted algorithms including their cryptographic-specific constraints and function signatures. Based on them, CLFuzz generates high-quality input data adaptively to trigger error-prone situations efficiently. Furthermore, CLFuzz applies innovative logical cross-check that strengthens the logical bug detection ability. We evaluate CLFuzz on the widely used implementations of 54 cryptographic algorithms. It outperforms state-ofthe-art cryptographic fuzzing tools. For example, compared with Cryptofuzz, it achieves a coverage speedup of 3.4× and increases the final coverage by 14.4%. Furthermore, CLFuzz has detected 12 previously unknown implementation bugs in 8 cryptographic algorithms (e.g., CMAC in OpenSSL and Message Digest in Sym-Crypt), most of which are security-critical and have been successfully collected in the national vulnerability database (7 in NVD/CNVD) and is awarded by the Microsoft bounty program (2 for $1,000).

Cite

CITATION STYLE

APA

Zhou, Y., Ma, F., Chen, Y., Ren, M., & Jiang, Y. (2023). CLFuzz: Vulnerability Detection of Cryptographic Algorithm Implementation via Semantic-aware Fuzzing. ACM Transactions on Software Engineering and Methodology, 33(2). https://doi.org/10.1145/3628160

Register to see more suggestions

Mendeley helps you to discover research relevant for your work.

Already have an account?

Save time finding and organizing research with Mendeley

Sign up for free