Development of a Multi-purpose Fuzzer to Perform Assessment as Input to a Cybersecurity Risk Assessment and Analysis System

TL;DR

This paper introduces a generalized multi-purpose fuzzer designed to test software and cyber-physical systems with configuration files, aiding cybersecurity risk assessment by detecting vulnerabilities and evaluating configuration impacts.

Contribution

It presents a novel, adaptable fuzzer capable of testing diverse systems and integrating with risk assessment frameworks, unlike specialized existing fuzzers.

Findings

Fuzzer effectively detects software bugs and vulnerabilities.

It models configuration impacts on device operations.

Performance assessments demonstrate its utility in cybersecurity analysis.

Abstract

Fuzzing is utilized for testing software and systems for cybersecurity risk via the automated adaptation of inputs. It facilitates the identification of software bugs and misconfigurations that may create vulnerabilities, cause abnormal operations or result in systems' failure. While many fuzzers have been purpose-developed for testing specific systems, this paper proposes a generalized fuzzer that provides a specific capability for testing software and cyber-physical systems which utilize configuration files. While this fuzzer facilitates the detection of system and software defects and vulnerabilities, it also facilitates the determination of the impact of settings on device operations. This later capability facilitates the modeling of the devices in a cybersecurity risk assessment and analysis system. This paper describes and assesses the performance of the proposed fuzzer technology. It also details how the fuzzer operates as part of the broader cybersecurity risk assessment and analysis system.