Overview
Learn about differential fuzzing, a novel approach to systematically test cryptographic software, in this 36-minute Black Hat conference talk. Explore how this method differs from general-purpose software fuzzing by focusing on logic bugs rather than memory corruption issues. Discover the principles behind testing hash functions, PRNGs, and encryption algorithms using this technique. Gain insights into the Crypto Differential Fuzzing (CDF) tool and its applications for testing various cryptographic primitives, including ECDSA and RSA encryption. Examine real-world findings, timing leak detection, and general observations from implementing this approach. Enhance your understanding of automated testing in cryptography and its potential to improve software security.
Syllabus
Intro
Roadmap
Testing crypto
Testing what?
Automated testing
Approach: differential fuzzing
New tool from old ideas
Principle for hash functions, PRNG
Principle for encryption
A new tool: CDF
CDF - Crypto Differential Fuzzing
So you want to test ECDSA
Generic ECDSA Interface in CDF
CDF interfaces
Simplest case keyed hash PRF, MAC
Example of ECDSA test
RSA encryption
Timing leaks detection
Issues found
Findings summary
General observations
Conclusions
Taught by
Black Hat