At wolfSSL, we pride ourselves on offering the Best-Tested SSL/TLS library on the market. We’re able to do so by conducting regular, diligent, and well-planned testing to maintain a robust and secure library. wolfSSL knows that it is impossible to test every single possible path through the software, but opts to practice an approach that is focused on lowering risk of failure. wolfSSL implements an extensive internal testing plan that not only uses automated testing, but makes sure to test well-known use cases. A key process in wolfSSL’s internal testing plan is Fuzz Testing.
What is Fuzz Testing?
Fuzz testing, also known as fuzzing, is an automated software testing technique that is conducted to reveal coding errors and security loopholes in softwares, networks, or operating systems. A fuzz test is a technique that is widely used to discover defects which otherwise would not be identified by merely using traditional functional testing methods. Fuzzing is a black box testing technique that bombards a library with invalid, unexpected, or random data (known as fuzz to the system) in an attempt to expose inputs that cause the system to crash, fail in unexpected ways, or leak memory. This allows wolfSSL to catch bugs that could turn into potential vulnerabilities before they are able to make it into a release!
Fuzzing at wolfSSL
wolfSSL was the first TLS to adopt fuzz testing, and firmly believes that if a TLS and cryptography provider does not do fuzz testing, they are extremely exposed. wolfSSL runs 7 internal fuzz testers nightly to ensure the most secure library on the market. wolfSSL tests using several different software fuzzers, including:
- an in-memory fuzzer (managed by wolfSSL)
- a network fuzzer (managed by wolfSSL)
- OSS-fuzz (service to run tests provided by Google, tests created by wolfSSL and Guido)
- libfuzzer (tests created and ran by wolfSSL)
- tlsfuzzer (project from https://github.com/tlsfuzzer/tlsfuzzer, test is ran by wolfSSL)
- AFL (tests created and ran by wolfSSL)
- Third-party fuzz testing from Robert Horr
As a testament to wolfSSL’s commitment to security, highly respected external testers are utilized when possible. Some of our partners include Guido Vranken in Holland and Robert Horr of T-Systems in Germany. (Check out their guest blog posts: Fuzzing for wolfSSL by Guido Vranken, and Modern testing of the wolfSSL TLS library by Robert Horr).
As stated in the wolfSSL 2019 Annual Report, wolfSSL is the best-tested cryptography on market, more so than OpenSSL, due to consistent implementation of additional fuzz testing resources from both internal and external sources.
For further details regarding the internal wolfSSL process of testing to ensure code quality and security, please reference this blog page.
If there are any specific questions about how wolfSSL tests, please contact our team at facts@wolfssl.com. If there is a desire to include other SSL/TLS or crypto implementations in wolfSSL interop testing, please let us know. Likewise, if users would like to include wolfSSL in their own test framework, we would be happy to discuss!