• Title/Summary/Keyword: Differential Fuzzing

Search Result 2, Processing Time 0.02 seconds

Security Verification of Korean Open Crypto Source Codes with Differential Fuzzing Analysis Method (차분 퍼징을 이용한 국내 공개 암호소스코드 안전성 검증)

  • Yoon, Hyung Joon;Seo, Seog Chung
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.30 no.6
    • /
    • pp.1225-1236
    • /
    • 2020
  • Fuzzing is an automated software testing methodology that dynamically tests the security of software by inputting randomly generated input values outside of the expected range. KISA is releasing open source for standard cryptographic algorithms, and many crypto module developers are developing crypto modules using this source code. If there is a vulnerability in the open source code, the cryptographic library referring to it has a potential vulnerability, which may lead to a security accident that causes enormous losses in the future. Therefore, in this study, an appropriate security policy was established to verify the safety of block cipher source codes such as SEED, HIGHT, and ARIA, and the safety was verified using differential fuzzing. Finally, a total of 45 vulnerabilities were found in the memory bug items and error handling items, and a vulnerability improvement plan to solve them is proposed.

The Status Quo and Future of Software Regression Bug Discovery via Fuzz Testing (퍼즈 테스팅을 통한 소프트웨어 회귀 버그 탐색 기법의 동향과 전망)

  • Lee, Gwangmu;Lee, Byoungyoung
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.31 no.5
    • /
    • pp.911-917
    • /
    • 2021
  • As software gets an increasing amount of patches, lots of software bugs are increasingly caused by such software patches, collectively known as regression bugs. To proactively detect the regressions bugs, both industry and academia are actively searching for a way to augment fuzz testing, one of the most popular automatic bug detection techniques. In this paper, we investigate the status quo of the studies on augmenting fuzz testing for regression bug detection and, based on the limitations of current proposals, provide an outlook of the relevant research.