Thomas Rooijakkers

2 Papers

SE | Dec 17, 2025 | Code
WuppieFuzz: Coverage-Guided, Stateful REST API Fuzzing

Thomas Rooijakkers, Anne Nijsten, Cristian Daniele et al.

Many business processes currently depend on web services, often using REST APIs for communication. REST APIs expose web service functionality through endpoints, allowing easy client interaction over the Internet. To reduce the security risk resulting from exposed endpoints, thorough testing is desired. Due to the generally vast number of endpoints, automated testing techniques, like fuzzing, are of interest. This paper introduces WuppieFuzz, an open-source REST API fuzzer built on LibAFL, supporting white-box, grey-box and black-box fuzzing. Using an OpenAPI specification, it can generate an initial input corpus consisting of sequences of requests. These are mutated with REST-specific and LibAFL-provided mutators to explore different code paths in the software under test. Guided by the measured coverage, WuppieFuzz then selects which request sequences to send next to reach complex states in the software under test. In this process, it automates harness creation to reduce manual efforts often required in fuzzing. Different kinds of reporting are provided by the fuzzer to help fix bugs. We evaluated our tool on the Petstore API to assess the robustness of the white-box approach and the effectiveness of different power schedules. We further monitored endpoint and code coverage over time to measure the efficacy of the approach.

CR | Jan 10, 2020
QSOR: Quantum-Safe Onion Routing

Zsolt Tujner, Thomas Rooijakkers, Maran van Heesch et al.

In this work, we propose a study on the use of post-quantum cryptographic primitives for the Tor network in order to make it safe in a quantum world. With this aim, the underlying keying material has first been analysed. We observe that breaking the security of the algorithms/protocols that use long- and medium-term keys (usually RSA keys) has the highest impact on security. Therefore, we investigate the cost of quantum-safe variants. These include key generation, key encapsulation and decapsulation. Six different post-quantum cryptographic algorithms that ensure level 1 NIST security are evaluated. We further target the Tor circuit creation operation and evaluate the overhead of the post-quantum variant. This comparative study is performed through a reference implementation based on SweetOnions that simulates Tor with slight simplifications. We show that a quantum-safe Tor circuit creation is possible and suggest two versions - one that can be used in a purely quantum-safe setting, and one that can be used in a hybrid setting.