http://dx.doi.org/10.13089/JKIISC.2020.30.6.1225

Security Verification of Korean Open Crypto Source Codes with Differential Fuzzing Analysis Method  

Yoon, Hyung Joon (Kookmin University)
Seo, Seog Chung (Kookmin University)
Abstract
Fuzzing is an automated software testing methodology that dynamically tests the security of software by feeding it randomly generated input values outside the expected range. KISA releases open source code for standard cryptographic algorithms, and many crypto module developers build their crypto modules on this source code. If the open source code contains a vulnerability, any cryptographic library that references it is potentially vulnerable as well, which may lead to a security incident that causes enormous losses in the future. Therefore, in this study, an appropriate security policy was established to verify the safety of block cipher source codes such as SEED, HIGHT, and ARIA, and their safety was verified using differential fuzzing. As a result, a total of 45 vulnerabilities were found in the memory bug items and error handling items, and a vulnerability improvement plan to resolve them is proposed.
Keywords
Software Testing; Differential Fuzzing; Cryptographic Library; Vulnerability