Effectiveness of fuzz testing high-security applications

University essay from KTH/Skolan för datavetenskap och kommunikation (CSC)

Author: Balthazar West; Marcus Wengelin; [2017]


Abstract: Fuzzing is a testing methodology that is receiving increased attention in the field of software security. The methodology is interesting because almost anyone can download a fuzzer and search for bugs in large and well-tested programs or libraries. This thesis is a case study which examines the efficiency of fuzzing a library with high security requirements. It was decided that Mbed TLS, an open source SSL library, would be fuzzed using AFL, a state-of-the-art fuzzer. The steps required to use AFL to fuzz Mbed TLS are outlined along with the results the study yielded. The fuzzing process did not succeed in finding input that causes crashes. However, there was a clear contrast between the results of the two fuzzed components of the library, and the results were ultimately considered inconclusive, primarily due to the fuzzing process being too time-consuming. The thesis concludes by acknowledging the major takeaways and suggestions for future work.
