Point Intervention: Improving ACVP Test Vector Generation Through Human Assisted Fuzzing

TL;DR

This paper introduces a hybrid fuzzing approach with human assistance to generate comprehensive ACVP test vectors, enhancing cryptographic library testing and vulnerability detection.

Contribution

It presents a novel hybrid fuzzing system that improves test coverage and provides a framework for secure, easy creation of cryptographic test modules.

Findings

Achieved higher coverage than existing fuzzing methods.

Detected vulnerabilities in NSS cryptographic library.

Suggested improvements for ACVP test format.

Abstract

Automated Cryptographic Validation Protocol (ACVP) is an existing protocol that is used to validate a software or hardware cryptographic module automatically. In this work, we present a system providing the method and tools to produce well-covering tests in ACVP format for cryptographic libraries. The system achieves better coverage than existing fuzzing methods by using a hybrid approach to fuzzing cryptographic primitives. In addition, the system offers a framework that allows to creates easily and securely create testing modules for cryptographic libraries. The work demonstrates how this system has been used to improve automated testing of NSS (Network Security Services), a popular cryptographic library, detect its vulnerabilities and suggest ways to improve and further develop the ACVP test format.