ABSTRACT
Present day software testing demands effective ways to find software vulnerabilities through testing. This is especially true in case of network security that employ digital certificates for authentication. Digital certificates are the de-facto standard for verification of users and an integral part of public key infrastructure used to secure channels of communication within networks. An effective approach to testing digital certificates is to implement protocol based fuzzing. Fuzzing in general terms is the process of inserting high volume of invalid or random inputs into a program with the aim of obtaining unexpected results, thus identifying errors and potential vulnerabilities. This paper aims to introduce a protocol aware, user friendly graphical user interface (GUI) based digital certificate fuzzing tool. The tool aims to provide an effective means of black box testing through the use of mutation based fuzzing and OpenSSL to create digital certificates with user provided test-case specific fields. The fuzzed certificates are used as inputs in order to expose defects in digital certificate validation systems.
- Sutton, M., Greene, A., and Amini, P. Fuzzing: Brute Force Vulnerability Discovery, Addison--Wesley Professional, United States, 2007. Google ScholarDigital Library
- Schwartz, E.J., Avgerinos, T., and Brumley, D. "All you ever wanted to know about dynamic taint analysis and forward symbolic execution", In IEEE Symposium on Security and Privacy, IEEE Computer Society, 2010, pp. 317--331. Google ScholarDigital Library
- RFC 5280- Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) ProfileGoogle Scholar
- RFC 5246- Transport Layer Security Protocol Version 1.2Google Scholar
- Citrix NetScaler- https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-netscaler-application-delivery-controller-at-a-glance.pdf as accessed in June 2016.Google Scholar
- Fuzzing: The State of the Art by Richard McNally, Ken Yiu, Duncan Grove and Damien Gerhardy - Command, Control, Communications and Intelligence Division of Defence Science and Technology Organization of Australia, DSTO-TN-1043.Google Scholar
- A Comparative Study of White Box, Black Box and Grey Box Testing Techniques(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 3, No.6, 2012.Google Scholar
- Miller, C., and Peterson, Z. N.J. Whitepaper on "Analysis of mutation and generation based fuzzing", Independent Security Evaluators March 2007.Google Scholar
- Revolutionizing the field of grey-box attack surface testing with evolutionary fuzzing, by Jared DeMott, Dr. Richard Enbody, Dr. William Punch, Black Hat, DEF CON 2007.Google Scholar
- Finding Software Vulnerabilities by Smart Fuzzing, by Sofia Bekrar,Chaouki Bekrar, Roland Groz, Laurent Mounier,2011 Fourth IEEE International Conference on Software Testing, Verification and Validation. Google ScholarDigital Library
- Protocol Fuzzing past present and future by Luiz Eduardo Hack in the box 2007.Google Scholar
- "Minimum Edit Distance" by Dan Jurafsky, Stanford University Natural Language Processing.Google Scholar
Recommendations
Reducing certificate revocation cost using NPKI
Sec '01: Proceedings of the 16th international conference on Information security: Trusted information: the new decade challengeProblems with certificate revocation status control limit the deployment of Public Key Infrastructure (PKI). Classical certificate paths require revocation control of all certificates on the path. In this paper, we show how the recently proposed NPKI (...
Instant certificate revocation and publication using WebDAV
The 2007 European PKI Workshop: Theory and Practice (EuroPKI'07)There are several problems associated with the current ways that certificates are published and revoked. This paper discusses these problems, and then proposes a solution based on the use of WebDAV, an enhancement to the HTTP protocol. The proposed ...
X.509 Certificate Error Testing
ARES '18: Proceedings of the 13th International Conference on Availability, Reliability and SecurityX.509 Certificates are used by a wide range of technologies to verify identities, while the SSL protocol is used to provide a secure encrypted tunnel through which data can be sent over a public network. Combined both of these technologies provides the ...
Comments