FuzzEval: Assessing Fuzzers on Generating Context-Sensitive Inputs
S Mahmudul Hasan, Polina Kozyreva, Endadul Hoque

TL;DR
This paper evaluates eleven fuzzers' effectiveness in generating context-sensitive inputs for cryptographic testing, revealing their limitations and guiding future improvements in fuzzing techniques for security protocols.
Contribution
It provides a comprehensive assessment of fuzzers' ability to handle context-sensitive inputs in cryptographic testing, highlighting current limitations and performance differences.
Findings
Fuzzers vary significantly in input validity and diversity.
Most fuzzers struggle with context-sensitive input generation.
The study identifies key areas for improving fuzzing techniques.
Abstract
Cryptographic protocols form the backbone of modern security systems, yet vulnerabilities persist within their implementations. Traditional testing techniques, including fuzzing, have struggled to effectively identify vulnerabilities in cryptographic libraries due to their reliance on context-sensitive inputs. This paper presents a comprehensive evaluation of eleven state-of-the-art fuzzers' ability to generate context-sensitive inputs for testing a cryptographic standard, PKCS#1-v1.5, across thirteen implementations. Our study reveals nuanced performance differences among the fuzzers in terms of the validity and diversity of the produced inputs. This investigation underscores the limitations of existing fuzzers in handling context-sensitive inputs. These findings are expected to drive further research and development in this area.
Taxonomy
Topics: Big Data and Business Intelligence · Data Visualization and Analytics
