All of the wolfSSL team prides themselves on offering the Best Tested SSL/TLS library on the market. wolfSSL is able to do so by conducting regular, diligent, and well-planned testing to maintain a robust and secure library. wolfSSL knows that it is impossible to test every single possible path through the software, but opts to practice an approach that is focused on lowering risk of failure. wolfSSL implements an extensive internal testing plan that not only uses automated testing but makes sure to test well-known use cases. A key process in wolfSSLs’ internal testing plan is Fuzz Testing.
What is Fuzz Testing?
Fuzz testing, also known as fuzzing, is an automated software testing technique that is conducted to reveal coding errors and security loopholes in softwares, networks, or operating systems. A fuzz test is a technique that is widely used to discover defects which otherwise would not be identified by merely using traditional functional testing methods. Fuzzing is a Black Box testing technique that bombards a library with invalid, unexpected, or random data (known as fuzz to the system) in an attempt to expose inputs that cause the system to crash, fail in unexpected ways, or leak memory. This allows wolfSSL to catch bugs that could turn into potential vulnerabilities before they are able to make it into a release!
Fuzzing at wolfSSL
wolfSSL firmly believes that if a TLS and cryptography provider does not do fuzz testing, they are extremely exposed. wolfSSL runs 7 fuzz testers internally, every night to insure the most secure library on the market. wolfSSL tests using several different software fuzzers, including an in-memory fuzzer, a network fuzzer, OSS-fuzz, libfuzzer, tlsfuzzer, and AFL.
As a testament to wolfSSLs’ commitment to security, highly respected external testers are utilized when possible, for example: Guido Vranken in Holland and Robert Horr of T-Systems in Germany (check out this post by Guido Vranken on Fuzzing for wolfSSL).
As stated in the wolfSSL 2019 Annual Report, wolfSSL is the best – tested cryptography on market, due to consistent implementation of additional fuzz testing resources from both internal and external sources.
For further details regarding the internal wolfSSL process of testing to ensure code quality and security, please reference this blog page.
If there are any specific questions about how wolfSSL tests, please contact our team at facts@wolfssl.com. If there is a desire for wolfSSL to include other SSL/TLS or crypto implementations in wolfSSL interop testing, please let the wolfSSL team know! Likewise, if users would like to include wolfSSL in their own test framework, wolfSSL would be happy to discuss!