For the yearly migration to the insanity of Vegas infosec and hacking conferences, we’re coming with some new research that we’ll present at all three sacred sites: Black Hat, then BSides, and finally at Defcon’s Crypto Village. Automated Testing of Crypto Software Using Differential Fuzzing is joint work with Yolan Romailler, whose master’s thesis consisted of developing CDF, a tool that I started working on more than a year ago and first presented at WarCon 2016.
The goal of CDF is to uncover crypto vulnerabilities that are detected neither by typical “test vectors” nor by dumb fuzzing, with much lower effort than with a manual audit or formal verification, as the scientific graph below shows:
We’ll release CDF after our Black Hat talk. CDF is a program written in Go that tests a crypto functionality (say, ECDSA) by comparing two implementations of that functionality and running a bunch of tests to evaluate their behavior on edge cases, the ranges of parameters supported, their compliance with standards, potential timing leaks, and so on. CDF runs on Linux/macOS/Windows and can test any executable program (native code, VM bytecode, scripts).
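To illustrate the idea of comparing two implementations on edge cases, here is an added example (not CDF's code and not from the authors): it runs Go's `crypto/ecdsa` verifier and a constructed, deliberately lax verifier on out-of-range signature values and reports where their verdicts differ. The names `naiveVerify` and `disagreements` and the test cases are assumptions made for this example, and it compares in-process rather than testing executables as CDF does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// naiveVerify: constructed lax verifier, textbook ECDSA with no range check on r and s.
func naiveVerify(pub *ecdsa.PublicKey, hash []byte, r, s *big.Int) bool {
	c, n := pub.Curve, pub.Params().N
	w := new(big.Int).ModInverse(s, n)
	if w == nil {
		return false // s is not invertible mod n, e.g. s = 0
	}
	u1 := new(big.Int).Mul(new(big.Int).SetBytes(hash), w)
	u2 := new(big.Int).Mul(r, w)
	x1, y1 := c.ScalarBaseMult(u1.Mod(u1, n).Bytes())
	x2, y2 := c.ScalarMult(pub.X, pub.Y, u2.Mod(u2, n).Bytes())
	x, _ := c.Add(x1, y1, x2, y2)
	return x.Mod(x, n).Cmp(new(big.Int).Mod(r, n)) == 0
}

// disagreements derives edge cases from one valid signature and names those where verdicts differ.
func disagreements() (diff []string) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	h := sha256.Sum256([]byte("constructed test message"))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		panic(err)
	}
	n, zero := priv.Params().N, new(big.Int)
	names := []string{"valid", "r=0", "s=0", "r+n", "s+n"}
	sigs := [][2]*big.Int{{r, s}, {zero, s}, {r, zero}, {new(big.Int).Add(r, n), s}, {r, new(big.Int).Add(s, n)}}
	for i, sg := range sigs {
		if ecdsa.Verify(&priv.PublicKey, h[:], sg[0], sg[1]) != naiveVerify(&priv.PublicKey, h[:], sg[0], sg[1]) {
			diff = append(diff, names[i])
		}
	}
	return diff
}

func main() { fmt.Println("verifiers disagree on:", disagreements()) }
```

Both verifiers accept the valid signature, so a known-answer test alone would pass; only the out-of-range inputs `r+n` and `s+n` expose the missing range check in the lax verifier.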
If you’re going to Black Hat this year and are interested in discussing research and development, please feel free to reach out to Andrew Howard or Ryan Spanier from Kudelski Security R&D services for a one-on-one meeting.