We’ve just released our smart card fuzz testing tool, SCFuzz, including full source code, on CodePlex. The purpose of SCFuzz is to find bugs in smart card middleware, the software that allows a commercial operating system such as Windows to communicate with a vendor-specific card. Smart card middleware makes an interesting target because it runs as Local System on Windows, so it’s high-value, and yet is frequently overlooked.
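To show the class of bug this kind of tool goes looking for, here is an added illustration that is not SCFuzz's code and does not describe how SCFuzz itself works (the post above does not spell out its design). It assumes a made-up card response format, a one-byte length prefix followed by data and a two-byte status word, and a hypothetical middleware parser that trusts that prefix. A mutation fuzzer (boundary values at every byte position, every truncation, plus seeded random mutations) is run against the trusting parser and against a hardened one that checks the length against the buffer; an uncaught exception stands in for the out-of-bounds read a native parser would perform.

```python
import random

# Constructed sample response: five data bytes followed by status word 0x9000.
VALID_RESPONSE = bytes([0x05, 0x01, 0x02, 0x03, 0x04, 0x05, 0x90, 0x00])

# Hypothetical middleware parser that trusts the card-supplied length prefix.
# In Python an inconsistent length raises IndexError; in a native parser the
# same logic would read past the end of the buffer.
def parse_response_naive(resp):
    n = resp[0]
    data = resp[1:1 + n]
    sw1, sw2 = resp[1 + n], resp[2 + n]
    return {"data": data, "sw": (sw1 << 8) | sw2}

# Hardened version: every index is validated against the actual buffer before
# use, and malformed input is reported (None) instead of faulting.
def parse_response_hardened(resp):
    if len(resp) < 3:                  # need at least length byte + SW1 SW2
        return None
    n = resp[0]
    if len(resp) != 1 + n + 2:         # length prefix must match the buffer
        return None
    data = resp[1:1 + n]
    return {"data": data, "sw": (resp[1 + n] << 8) | resp[2 + n]}

BOUNDARY_BYTES = (0x00, 0x01, 0x7F, 0x80, 0xFF)

# Systematic mutations: boundary values at each position, then each truncation.
def deterministic_mutations(seed):
    for i in range(len(seed)):
        for b in BOUNDARY_BYTES:
            yield seed[:i] + bytes([b]) + seed[i + 1:]
    for k in range(len(seed)):
        yield seed[:k]

# Seeded random mutations: overwrite a byte, truncate, or append junk bytes.
def random_mutations(seed, count, rng):
    for _ in range(count):
        m = bytearray(seed)
        op = rng.randrange(3)
        if op == 0:
            m[rng.randrange(len(m))] = rng.randrange(256)
        elif op == 1:
            del m[rng.randrange(len(m)):]
        else:
            m += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
        yield bytes(m)

# Run every mutated response through the parser and collect the crashes.
def fuzz(parser, seed=VALID_RESPONSE, iterations=200, rng_seed=1):
    rng = random.Random(rng_seed)
    cases = list(deterministic_mutations(seed))
    cases += list(random_mutations(seed, iterations, rng))
    crashes = []
    for case in cases:
        try:
            parser(case)
        except Exception as exc:       # any uncaught exception counts as a crash
            crashes.append((case, type(exc).__name__))
    return crashes

if __name__ == "__main__":
    print("naive parser crashes:   ", len(fuzz(parse_response_naive)))
    print("hardened parser crashes:", len(fuzz(parse_response_hardened)))
```

The deterministic pass alone finds the trusting parser's fault eleven times over the eight-byte seed (three oversized length prefixes and all eight truncations), which is the point about functional test coverage: a suite built from well-formed responses never sends a length byte that disagrees with the buffer, so the bug survives until something hostile does.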
Also, while launching a smart card-based attack generally requires physical access to the host, and is therefore less compelling than a remote attack, keep in mind that smart cards are used in many security-sensitive environments. One can imagine the creation of a rogue card that can be inserted into a reader, inflict its damage, and be removed without a trace, all within a couple of seconds. The next user of that host would have no idea that the compromise had occurred.
More generally, SCFuzz demonstrates that fuzzing works, even against mature protocols and APIs with existing functional test coverage. Check out this article in The Register for proof, as well as the video of my 2008 ShmooCon presentation (skip through the really long intro).