This image has no alt text.
shutterstock/ Joyseulay

New BSI guide: Guidance for the use of fuzzing in Common Criteria certification

News from Nov. 04, 2021

The new guide, “A Fuzz Testing Introduction with CC-specific Guidance” of the German Federal Office for Information Security (BSI), produced by Fraunhofer FOKUS on behalf of the BSI, deals with fuzz testing, also called fuzzing. Fuzzing follows a negative testing approach that aims at detecting implementation errors of software with effects on robustness and security.

As a dynamic test technique, fuzzing executes the respective test object to identify vulnerabilities and security holes. This involves confronting the system's interfaces under test with invalid and unexpected inputs to test their robustness. Thus, implementation errors can be detected that can lead to serious security incidents. Major technology providers use fuzzing in the development process to identify and eliminate potential security vulnerabilities early, thus minimizing the number of security holes in the delivered product.

The aim of the guide, which was published as the first topic-specific companion document to the new AIS 50 (AIS stands for Application Notes and Interpretations) on the topic “Guidance for Tool-supported and automated software testing”, is to demonstrate the possibilities of the methodological approach of fuzzing in Common Criteria evaluations. The term tool-supported software testing refers to all types of automated tool-based software testing methods and techniques. Examples of such procedures and methods include fuzzing and static code analysis and secure coding practices and compliance. For all these methods and techniques, AIS 50 provides a new framework to be complemented by additional guides in the future.

Security testing has become an essential building block in the development process in the increasingly networked world. Fuzzing has proven to be an effective technique to uncover unknown security vulnerabilities (0-day vulnerabilities). During a Common Criteria certification process, fuzzing can be used in different situations. The new guide is intended to facilitate and improve the comparability of corresponding assessments.

The Quality Engineering business unit at Fraunhofer FOKUS offers “Fuzzino”, a basic solution for fuzzing that is currently being used by various tool providers. These include Dornier Consulting with its model-based test tool do.ATOMS and Spirent's TTworkbench, a TTCN-3-based test automation platform. With the help of Fuzzino, existing test tools, especially those developed for functional testing, can be easily and efficiently extended to include fuzzing.

In the “CertLab”, scientists from the Digital Public Services and Quality Engineering business units have been supporting the certification process for IT security products in accordance with the Common Criteria Standard on behalf of the German Federal Office for Information Security (BSI) since 2011.