eGMT-Fuzz: Format-Aware Deep Fuzzing of Cryptographic Protocols


Detailed description

Bibliographic details
Main authors: Lomeli, Angel; Niemi, Arto
Format: Conference paper
Language: eng
Subjects:
Online access: Full text
Description
Summary: Fuzzing has established itself as an everyday tool in the toolbox of the security-minded software developer. Fuzzers have proven especially effective in discovering vulnerabilities that are rarely triggered during regular program execution. Interactive cryptographic protocols, however, are challenging to fuzz. Messages in such protocols must pass cryptographic validation, such as integrity and freshness checks, before execution can reach deeper portions of the protocol implementation code. In this paper, we present a black box mutation-based fuzzer for deep fuzzing of interactive cryptographic protocols. To create messages that mostly conform to the protocol syntax but are syntactically or semantically unexpected, we use syntax tree mutation. Our architecture includes a pluggable component that allows mutated inputs to pass protocol-specific cryptographic checks. We evaluate the efficacy of our fuzzer on an embedded Transport Layer Security (TLS) implementation, where we deeply fuzz both TLS handshake messages and X.509 public-key certificates, discovering several hard-to-reach vulnerabilities.
ISSN: 2305-7254, 2343-0737
DOI: 10.23919/FRUCT64283.2024.10749861