A Rapid Review on Fuzz Security Testing for Software Protocol Implementations


Abstract

Nowadays, devices and systems are always connected to provide everyday services. Hence, there is growing interest in the adoption of secure software implementations of communication protocols that allow heterogeneous systems to exchange information and data. In the last decade, several approaches and techniques for applying fuzz security testing to such implementations have been proposed. Fuzz security testing is a promising approach to discovering software vulnerabilities. It exercises the implementation under test with unexpected and potentially invalid inputs and data, aiming to trigger misbehaviors, exceptions, and system crashes. This paper presents a Rapid Review (RR) conducted to study fuzz security testing for software implementations of communication protocols. The following evidence emerged from our RR: (i) Industrial Control System and Internet of Things protocols are among the most studied ones; (ii) black-box fuzz security testing is frequently investigated and, often, the proposed approaches require protocol or data specifications as input; (iii) most of the detected vulnerabilities are related to memory management and, less frequently, to input and data management and validation; and (iv) only a few tools are publicly available.

Cite

Marchetto, A. (2023). A Rapid Review on Fuzz Security Testing for Software Protocol Implementations. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 14131 LNCS, pp. 3–20). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-43240-8_1
