Cdf - Crypto Differential Fuzzing


CDF is a tool to automatically test the correctness and security of cryptographic software. CDF can detect implementation errors, compliance failures, side-channel leaks, and so on.
CDF implements a combination of unit tests with "differential fuzzing", an approach that compares the behavior of different implementations of the same primitives when fed edge cases and values maximizing the code coverage.
Unlike general-purpose fuzzers and testing software, CDF is:
  • Smart: CDF knows what kind of algorithm it's testing and adapts to the tested functions
  • Fast: CDF tests only what needs to be tested and parallelizes its tests as much as possible
  • Polyvalent: CDF isn't specific to any language or API, but supports arbitrary executable programs or scripts
  • Portable: CDF will run on any Unix or Windows platform, since it is written in Go without any platform-specific dependency
The purpose of CDF is to provide a more efficient testing tool to developers and security researchers, being more effective than test vectors and cheaper than manual audit or formal verification.
CDF was first presented at Black Hat USA 2017. You can view the slides of our presentation, which contain general information about the rationale behind and the design of CDF.

Requirements
CDF is coded in Go; the current version has been developed using Go 1.8. It has no dependencies outside of Go's standard library.
However, we provide example programs to be tested using CDF, which are in C, Python, C++, Java and Go and require specific crypto libraries to be run. Currently required libraries are:

Build
make will build the cdf binary.
A bunch of example programs are available under example: make examples-all will build all the examples, while make examples-go will only build the Go examples.
make test will run unit tests (of CDF).

Usage
For starters you may want to view usage information by running cdf -h.
You may then try an example such as the rsaenc interface against the RSA OAEP Go and CryptoPP examples. Viewing CryptoPP as our reference, you can test the Go implementation by doing:
cdf rsaenc /examples/oaep_rsa2048_go /examples/oaep_rsa2048_cryptopp
This command will perform various tests specific to the rsaenc interface.
In this example, CDF should complain about the maximum public exponent size the Go implementation supports: if we check by design and will likely not be changed.
Parameters are defined in config.json. Most parameters are self-explanatory. You may want to set other private keys for rsaenc and ecdsa (these interfaces are tested with fixed keys, although some key parameters, such as the exponents, are changed in some of the tests).
The seed parameter lets you change the seed used in CDF's pseudo-random generators. (Yet, the tested program may be using some PRNG seeded otherwise, like the OAEP examples.) The concurrency parameter lets you set the number of concurrent goroutines CDF should be spawning when forking the programs. Note that it is best to keep this number below the real number of cores. The verboseLog parameter, if set to true, will write all programs' inputs and outputs, even for the successful tests, to a file log.txt.

Interfaces
In order to test your software using CDF, you have to create a program that reads input and writes output in conformance with CDF interfaces, and that internally calls the tested program. CDF interfaces are abstractions of a crypto functionality, in order to allow black-box testing of arbitrary implementations.
For example, if you implemented the ECDSA signature scheme, your program should satisfy the ecdsa interface and as such take as inputs 4 or 5 arguments, respectively in order to sign a message or verify a signature. These arguments are the public X coordinate, the public Y coordinate, the private D big integer and the message you want to sign, and then it should output only the big integers R and S, each on a newline. Or, to verify a message, it should take X, Y, the R, the S and the message, and then it should only output True or False. The interfaces' specifications are detailed below.
Our examples of interface implementations will help you create your own.
Error handling is left to the tested program; however, to have meaningful errors in CDF it is best to exit on failure, return an error code and print an error message.
The interface program can be written in any language; it just needs to be an executable file conformant with a CDF interface. An interface program is typically written in the same language as the tested program, but that's not mandatory (it may be a wrapper in another language, for example for Java programs).
CDF currently supports the following interfaces, wherein parameters are encoded as hexadecimal ASCII strings, unless described otherwise:

dsa
The dsa interface tests implementations of the Digital Signature Algorithm (DSA). It must support the signature and verification operations:
Operation     Input          Output
Signature     p q g y x m    r s
Verification  p q g y r s m  truth value
Here p, q, g are DSA parameters, y is a public key, x is a private key, m is a message, r and s form the signature, which must be returned separated by a newline. The truth value, either “true” or “false”, is represented as a string.
The dsa interface supports an optional test: the -h flag allows bypassing the hashing process and directly providing the hash value to be signed. This allows CDF to perform more tests, such as checking for overflows or hash truncation.

ecdsa
The ecdsa interface tests implementations of the Elliptic Curve Digital Signature Algorithm (ECDSA). It must support the signature and verification operations:
Operation     Input      Output
Signature     x y d m    r s
Verification  x y r s m  truth value
Here x and y are the coordinates of a public ECDSA key, d is a private key, m is a message, and r and s form the signature, which must be returned separated by a newline. The truth value, either “true” or “false”, is represented by a string.
The flag -h serves the same purpose as with dsa.
Please note that our current design assumes a fixed curve, defined in the tested program.
To obtain reproducible results with those tests and leverage all of CDF's detection abilities, you have to either seed your random generator with a fixed seed or use a deterministic ECDSA variant, otherwise CDF can't detect problems such as same tags issues automatically.
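
A wrapper satisfying the ecdsa interface as specified above, written against Go's standard crypto/ecdsa package. This is an added example, not one of CDF's bundled examples: the P-256 curve and SHA-256 hashing are assumptions, the optional -h flag is not handled, and signing is randomized, so the same-tag checks mentioned above would additionally need a fixed seed or a deterministic variant.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/big"
	"os"
)

// run handles both operations; all arguments are hexadecimal ASCII strings.
// Assumed here, not stated by the page: curve P-256, SHA-256 message hashing.
func run(args []string) (string, error) {
	if len(args) != 4 && len(args) != 5 {
		return "", fmt.Errorf("want 4 (sign) or 5 (verify) arguments, got %d", len(args))
	}
	msg, err := hex.DecodeString(args[len(args)-1])
	if err != nil {
		return "", fmt.Errorf("message is not valid hex: %v", err)
	}
	digest := sha256.Sum256(msg)
	nums, ok := make([]*big.Int, len(args)-1), false // x, y, then d or r, s
	for i := range nums {
		if nums[i], ok = new(big.Int).SetString(args[i], 16); !ok || nums[i].Sign() < 0 {
			return "", fmt.Errorf("argument %d is not a hex integer", i+1)
		}
	}
	pub := ecdsa.PublicKey{Curve: elliptic.P256(), X: nums[0], Y: nums[1]}
	if len(args) == 4 { // sign: x y d m -> r and s, one per line
		priv := &ecdsa.PrivateKey{PublicKey: pub, D: nums[2]}
		r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
		if err != nil {
			return "", err
		}
		return fmt.Sprintf("%x\n%x", r, s), nil
	}
	return fmt.Sprint(ecdsa.Verify(&pub, digest[:], nums[2], nums[3])), nil // "true" or "false"
}

func main() {
	out, err := run(os.Args[1:])
	if err != nil { // exit on failure: error code plus message
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println(out)
}
```

Invalid hex, a wrong argument count or an off-curve public key on signing all end in a non-zero exit with a message on stderr, which is the failure behaviour the Interfaces section asks for.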

enc
The enc interface tests symmetric encryption and decryption operations, typically when performed with a block cipher (stream ciphers can be tested with the prf interface). It must support encryption and decryption:
Operation   Input  Output
Encryption  k m    c
Decryption  k c    r
Here k is a key, m is a message, c is a ciphertext and r is a recovered plaintext.

prf
The prf interface tests keyed hashing (pseudorandom functions, MACs), as well as stream ciphers:
Operation    Input  Output
Computation  k m    h
Here k is a key, m is a message (or nonce in case of a stream cipher), and h is the result of the PRF computation. Our interface assumes fixed key size and variable input lengths. If a specific key is to be specified, it is the responsibility of the tested program to ignore the key input or the xof interface may be a better choice.

rsaenc
The rsaenc interface tests RSA encryption and decryption, both OAEP (PKCS 2.1) and PKCS 1.5:
Operation   Input      Output
Encryption  n e m      c
Decryption  p q e d c  r
Here n is a modulus, e is a public exponent (for compatibility with certain libraries, e is also needed for decryption), m is a message, p and q are n's factors (such that p > q, since libraries commonly require it), d is a private exponent, and r is a recovered plaintext.

xof
The xof interface tests hash functions, extendable-output functions (XOFs), deterministic random bit generators (DRBGs):
Operation    Input  Output
Computation  m      h
Here m is the message and h is the result.

Authors
CDF is based on initial ideas by JP Aumasson, first disclosed at WarCon 2016, and most of the code was written by Yolan Romailler.