Research field: Infrastructure
Venue: SN Computer Science
Software implementations of communication protocols connect systems and services by allowing them to exchange data and information. The increasing demand for secure connectivity and communication highlights the relevance of automated security testing techniques, such as fuzzing, applied during software development. This paper provides the results of a retrospective analysis conducted on a rapid review of fuzz security testing for software implementations of communication protocols. By extending and generalizing the analysis documented in an existing work, this paper aims at collecting and presenting evidence that: (a) characterizes the target software implementations to be tested; (b) investigates which fuzz testing techniques exist; and (c) explores which of them are supported by available tools. Our analysis, based on the examination of 80 scientific sources, led us to identify several pieces of evidence: (i) the existing fuzz techniques are mainly black-box, require execution samples (e.g., traces) to be applied, use mutation-based data generation strategies, and analyze the responses of the target software implementation under test to detect potential vulnerabilities; (ii) recent trends show that deep-learning techniques are applied in generative fuzz techniques and that protocol state-coverage is used to collect feedback while exercising the system under test; (iii) the detected vulnerabilities are mainly related to memory management and input data validation; and (iv) most of the existing fuzz techniques are not supported by available tools, thus hampering their adoption.
| Publication year | 2024 |
|---|---|
| Citations | 0 |
| Country of publication | Andorra |
| Site | Springer |