Go to OpenReview Public Article ORCID homepageEnhancing Differential Fuzzing of Cryptographic Libraries with Sustainable Hybrid Fuzzing and Crypto-Specific Mutation
Abstract: Cryptographic libraries are essential to any system, safeguarding privacy and protecting data from cyber threats. However, the structured input requirements and the inherent complexity of cryptographic algorithms pose significant challenges in vulnerability detection. Cryptofuzz is an ongoing project that supports various cryptographic libraries for differential fuzzing. It has proven effective by discovering bugs in multiple cryptographic libraries through differential fuzzing. Cryptofuzz-standalone, another cryptographic library fuzzer, is effective through hybrid fuzzing without the need for custom mutators, compared to Cryptofuzz. However, we found that Cryptofuzz-standalone is not always effective for exploring cryptographic libraries because it does not generate the structured inputs required by these libraries. In this paper, we introduce Cryptofuzz++, which integrates hybrid fuzzers with AFL++ to enhance fuzzing efficiency. In addition, we implement a custom mutator designed to generate structured inputs specifically for cryptographic algorithms, addressing the limitations of existing research. Our results show that Cryptofuzz++, utilizing the AFL++ fuzzing engine in hybrid fuzzing and also the custom mutator, achieves vulnerability detection 30 times faster and up to 204.31% higher code coverage compared to previous methods. We also conducted a large-scale experiment to find the optimal combination of AFL++ optimization techniques that can most effectively explore cryptographic libraries.
External IDs:doi:10.1007/978-981-96-5566-3_10
Loading