SecFuzz

SecFuzz tests security protocol implementations for failures. It uses a concrete protocol implementation to generate valid inputs for the system under test (SUT) and then mutates them using a set of fuzz operators. The SUT is checked for failures using dynamic memory analysis tools such as Valgrind and IBM's Rational Purify. SecFuzz is implemented in Python and relies on Scapy for parsing messages. Currently, the tool can fuzz-test IKE implementations, but it can be extended to other message formats due to Scapy's flexibility.

Author

Petar Tsankov

Papers

Title: SecFuzz: Fuzz-testing Security Protocols (PDF, 122 KB) (AST'12)

Authors: Petar Tsankov, Mohammad Torabi Dashti, David Basin

Downloads:

Software dependencies:

SVCov for IKE

Semi-valid input coverage (SVCov) is a coverage criterion for fuzz-testing. The criterion can be used whenever the SUT's valid inputs can be defined by a finite set of constraints. The constraints and the SVCov implementation for the Internet Key Exchange protocol can be downloaded below.
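To make the criterion concrete, the following added example (not part of the SVCov download or the authors' code) measures coverage for a constructed toy message format rather than IKE. It relies on the definition in the ISSTA'13 paper listed below, where an input is semi-valid if it satisfies all constraints but one; counting coverage as the fraction of constraints that some test violates in isolation is an assumption of this sketch, as are all field and constraint names.

```python
from typing import Any, Callable, Dict, List, Optional

Message = Dict[str, Any]

# Constructed constraints defining the valid inputs of a toy message format.
# They are hypothetical and are not the IKE constraints from the download.
CONSTRAINTS: Dict[str, Callable[[Message], bool]] = {
    "version_is_1": lambda m: m["version"] == 1,
    "type_known": lambda m: m["type"] in (1, 2, 3),
    "length_matches": lambda m: m["length"] == len(m["payload"]),
    "payload_bounded": lambda m: len(m["payload"]) <= 16,
}

def violated(msg: Message) -> List[str]:
    """Names of all constraints the message breaks."""
    return [name for name, check in CONSTRAINTS.items() if not check(msg)]

def semi_valid_target(msg: Message) -> Optional[str]:
    """The single violated constraint if msg is semi-valid, else None
    (None covers both valid inputs and inputs breaking several constraints)."""
    broken = violated(msg)
    return broken[0] if len(broken) == 1 else None

def svcov(tests: List[Message]) -> float:
    """Fraction of constraints violated in isolation by at least one test."""
    covered = {semi_valid_target(m) for m in tests} - {None}
    return len(covered) / len(CONSTRAINTS)

def uncovered(tests: List[Message]) -> List[str]:
    """Constraints for which the test set contains no semi-valid input."""
    covered = {semi_valid_target(m) for m in tests}
    return sorted(name for name in CONSTRAINTS if name not in covered)

# Constructed test set: one valid message and three mutated ones.
VALID = {"version": 1, "type": 2, "length": 4, "payload": b"abcd"}
TESTS = [
    VALID,
    {**VALID, "version": 2},             # breaks only version_is_1
    {**VALID, "length": 9},              # breaks only length_matches
    {**VALID, "version": 0, "type": 9},  # breaks two constraints: not semi-valid
]

if __name__ == "__main__":
    print("SVCov:", svcov(TESTS))
    print("Uncovered constraints:", uncovered(TESTS))
```

The mutated message that breaks two constraints adds nothing to coverage, which is why a fuzzer that mutates aggressively can produce many inputs and still leave most constraints unexercised.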

Author

Petar Tsankov

Papers

Title: Semi-valid Input Coverage for Fuzz Testing (PDF, 504 KB) (ISSTA'13)

Authors: Petar Tsankov, Mohammad Torabi Dashti, David Basin

GPCFuzz

GPCFuzz is a tool for generating test cases that achieve high SVCov.

Author

Tristan Buchs

Downloads

  • GPCFuzz
 
Page URL: http://www.infsec.ethz.ch/research/software/secfuzz.html
29.03.2017