Assurance-Oriented Fuzzing: Growing the Requirements and the Practice (A03c)
Usually we say that the meaning of an assurance level is the set of evaluation activities that have been carried out. But it can be hard to relate those technical activities to everyday meanings that can be easily understood. The ‘operational definition’ (giving meaning in terms of activities) carries the message that assurance is not simple, but rather a complex set of attributes, at least some of which rely on subjective judgements during an evaluation. To improve the effectiveness of Common Criteria we aspire to more objectivity and clarity in assurance, to know what we have and have not covered, and to find practical ways to achieve continuous improvement. Structured fuzzing offers us the potential to provide more objectivity and direct comparability between evaluations, and perhaps even an objective measure of at least one assurance attribute of a product. But this relies on giving more detailed requirements and methodology than the phrases we typically encounter, such as “input validation”, “communications robustness”, or even “fuzz testing”. This presentation will examine how we can use structured fuzzing to make a more objective, assurance-oriented measurement that both developers and evaluators can participate in.