Skip to content

PKCS#11 Fuzzer getting started

On this page we will show you how to use the SandboxAQ Security Suite PKCS#11 Fuzzer to obtain a trace from your PKCS#11 device.


Before you use the PKCS#11 Fuzzer, make sure you have followed the installation instructions.

Make sure the device you want to test is connected. For hardware PKCS#11 devices you need to know the location of the PKCS#11 DLL, as well as the user PIN.

Make sure that you have backups for all key materials before running the SandboxAQ Security Suite Fuzzer on a device. The SandboxAQ Security Suite Fuzzer should not delete preexisting keys, but it tends to reveal firmware and driver bugs and those bugs may in turn require you to reset the device.

Fuzzing an PKCS#11 device

Choose a directory where you have write access to store the result of the fuzzing process. Put the cs-fuzzer executable inside it and run the following command:

Text Only
./cs-fuzzer \
    --dll /path/to/library
    --pin 1234
    --output trace.cst.gz

When the PKCS#11 Fuzzer has finished executing, you’ll find a trace.cst.gz trace file in your directory.

Note: The directory where the PKCS#11 Fuzzer writes the trace can be changed with the --output option.

Refer to the API Client manual for instructions for uploading a trace.

See Configuration in the PKCS#11 Tracer reference manual for a list of all available parameters and how to use them.