Journal of Cryptologic Research (密码学报), 2024, Vol. 11, Issue (3): 504-520, 17. DOI: 10.13868/j.cnki.jcr.000693
Overview of Cryptographic Library Fuzz Testing Techniques
Abstract
A cryptographic algorithm library is a fundamental software library that provides cryptographic functions such as encryption, decryption, signature, and verification. To secure network transmission, much system software uses cryptographic algorithm libraries to protect data and ensure that it is not maliciously stolen or exploited. However, vulnerabilities are often introduced when cryptographic algorithm libraries are implemented, and these can lead to memory crashes or encryption logic failures when functions in the library are used, greatly affecting the security and availability of the system. Fuzz testing is an effective technique for detecting software implementation vulnerabilities. It generates a large number of test inputs, observes the feedback of the tested software, and uses that feedback to detect vulnerabilities. The technique has been applied to cryptographic algorithm libraries, and many vulnerabilities have been discovered in commonly used libraries such as OpenSSL, SymCrypt, and Crypto++. This paper analyzes the main difficulties in testing cryptographic algorithm libraries efficiently, proposes the requirements for fuzz testing them, and presents the main challenges faced by fuzz testing tools for cryptographic algorithm libraries. It also analyzes and evaluates the 6 commonly used fuzz testing tools for cryptographic algorithm libraries. Finally, based on the performance of current tools on evaluation metrics such as vulnerability mining ability, code coverage, and input validity, this paper proposes some possible research directions and optimization strategies for fuzz testing of cryptographic algorithm libraries.

Keywords (translated from the Chinese): fuzz testing / cryptographic algorithm library / vulnerability mining

Key words: software testing / cryptographic library / vulnerability detection

Classification: Information Technology and Security Science

Cite this article: Ma Fuchen (马福辰), Zhou Yuanhang (周远航), Chen Yuanliang (陈元亮), Yan Zhen (颜臻), Jiang Yu (姜宇), Sun Jiaguang (孙家广). Overview of Cryptographic Library Fuzz Testing Techniques [J]. Journal of Cryptologic Research, 2024, 11(3): 504-520, 17.

Funding: National Key Research and Development Program of China (2022YFB3104000)