Zhaowei Zhang,Hongzheng Zhang,Jinjing Zhao,Yanfei Yin

DOI: https://doi.org/10.3390/electronics12132904

IF: 2.9

2023-07-02

Electronics

Abstract:Network protocols, as the communication rules among computer network devices, are the foundation for the normal operation of networks. However, security issues arising from design flaws and implementation vulnerabilities in network protocols pose significant risks to network operations and security. Network protocol fuzzing is an effective technique for discovering and mitigating security flaws in network protocols. It offers unparalleled advantages compared to other security analysis techniques thanks to the minimal requirement for prior knowledge of the target and low deployment complexity. Nevertheless, the randomness in test case generation, uncontrollable test coverage, and unstable testing efficiency introduce challenges in ensuring the controllability of the testing process and results. In order to comprehensively survey the development of network protocol fuzzing techniques and analyze their advantages and existing issues, in this paper, we categorized and summarized the protocol fuzzing and its related techniques based on the generation methods of test cases and testing conditions. Specifically, we overviewed the development trajectory and patterns of these techniques over the past two decades according to chronological order. Based on this analysis, we further predict the future directions of fuzzing techniques.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xiaohan Zhang,Cen Zhang,Xinghua Li,Zhengjie Du,Bing Mao,Yuekang Li,Yaowen Zheng,Yeting Li,Li Pan,Yang Liu,Robert Deng

DOI: https://doi.org/10.1145/3696788

IF: 16.6

2024-10-12

ACM Computing Surveys

Abstract:Communication protocols form the bedrock of our interconnected world, yet vulnerabilities within their implementations pose significant security threats. Recent developments have seen a surge in fuzzing-based research dedicated to uncovering these vulnerabilities within protocol implementations. However, there still lacks a systematic overview of protocol fuzzing for answering the essential questions such as what the unique challenges are, how existing works solve them, and so on. To bridge this gap, we conducted a comprehensive investigation of related works from both academia and industry. Our study includes a detailed summary of the specific challenges in protocol fuzzing and provides a systematic categorization and overview of existing research efforts. Furthermore, we explore and discuss potential future research directions in protocol fuzzing.

computer science, theory & methods

Tewodros Legesse Munea,Hyunwoo Lim,Taeshik Shon

DOI: https://doi.org/10.1007/s11042-015-2763-6

IF: 2.577

2015-08-02

Multimedia Tools and Applications

Abstract:Fuzzing or fuzz testing has been introduced as a software testing technique to reduce vulnerabilities in software systems or given targets. To achieve a maximum benefit-to-cost ratio and without complication, we use fuzz testing [11]. In addition, during the development and debugging of a system, we may fail to notice the kinds of shortcoming that fuzz testing can expose. Fuzz testing types are different depending on the target they fuzz. Application, file format, and protocol fuzzing are the most common fuzzing types. A protocol fuzzer sends counterfeit packets to a target system while changing the normal packet en-route and sometimes replaying them. In addition, a protocol fuzzer sometimes acts as proxy server for clients. This survey study examines network protocol fuzz testing. We identified several studies on network protocol fuzzing. Most focus on application layers of the Open Systems Interconnection model. We primarily review the approaches of five studies and the targets and protocol layers they fuzz. We then develop criteria to compare these approaches in detail.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Yan Pan,Wei Lin,Liang Jiao,Yuefei Zhu

DOI: https://doi.org/10.1155/2022/6880677

IF: 1.968

2022-05-06

Security and Communication Networks

Abstract:The widely used network protocols play a crucial role in various systems. However, the protocol vulnerabilities caused by the design of the network protocol or its implementation by programmers lead to multiple security incidents and substantial losses. Hence, it is important to study the protocol fuzzing in order to ensure its correctness. However, the challenges of protocol fuzzing are the mutation of protocol messages and the deep interactivity of the protocol implementation. This paper proposes a model-based grey-box fuzzing approach for protocol implementations, including the server-side and client-side. The proposed method is divided into two phases: automata learning based on the minimally adequate teacher (MAT) framework and grey-box fuzzing guided by the learned model and code coverage. The StateFuzzer tool used for evaluation is presented to demonstrate the validity and feasibility of the proposed approach. The server-side fuzzing can achieve similar or higher code coverage and vulnerability discovery capability than those of AFLNET and StateAFL. Considering the client, the results show that it achieves 1.5X branch coverage (on average) compared with the default AFL, and 1.3X branch coverage compared with AFLNET and StateAFL, using the typical implementations such as OpenSSL, LibreSSL, and Live555. The StateFuzzer identifies a new memory corruption bug in Live555 (2021-08-25) and 14 distinct discrepancies based on differential testing.

computer science, information systems,telecommunications

Valentin J.M. Manès,HyungSeok Han,Choongwoo Han,Sang Kil Cha,Manuel Egele,Edward J. Schwartz,Maverick Woo,Valentin J.M. Manes

DOI: https://doi.org/10.1109/tse.2019.2946563

IF: 7.4

2021-11-01

IEEE Transactions on Software Engineering

Abstract:Among the many software testing techniques available today, fuzzing has remained highly popular due to its conceptual simplicity, its low barrier to deployment, and its vast amount of empirical evidence in discovering real-world software vulnerabilities. At a high level, fuzzing refers to a process of repeatedly running a program with generated inputs that may be syntactically or semantically malformed. While researchers and practitioners alike have invested a large and diverse effort towards improving fuzzing in recent years, this surge of work has also made it difficult to gain a comprehensive and coherent view of fuzzing. To help preserve and bring coherence to the vast literature of fuzzing, this paper presents a unified, general-purpose model of fuzzing together with a taxonomy of the current fuzzing literature. We methodically explore the design decisions at every stage of our model fuzzer by surveying the related literature and innovations in the art, science, and engineering that make modern-day fuzzers effective.

engineering, electrical & electronic,computer science, software engineering

Haifeng Li,B. Shuai,Chaojing Tang,Jian Wang

DOI: https://doi.org/10.2991/NCEECE-15.2016.190

Abstract:In this paper we are discussing about the fuzz testing of network protocol. Compared with the general software vulnerability mining, the difficulty of using fuzz method to detect the protocol vulnerabilities is that the network protocol is a state machine, and the correctness of the input message has a strong constraint. In order to solve the problems of test message being rejected by the network protocol, a novel method is proposed by introducing the genetic algorithm into the test message generation process. Meanwhile, an improved AC algorithm is applied in the process of packet format identification. Experiments show that the proposed fuzz testing method could achieve effective results.

Computer Science

Senyi Li,Junqiang Li,Jingxuan Fu,Mingwu Xue,Hongfang Yu,Gang Sun

DOI: https://doi.org/10.1109/ucet54125.2021.9674965

2021-01-01

Abstract:Fuzzing is one of the most successful techniques for protocol implementation security analysis and vulnerability discovery. Greybox fuzzing for network protocol has become a popular area for its high efficiency. However, present fuzzers are suffering performance drop as they pay no or not enough attention to network protocol specification. To be more detailed, unconstrained mutation and illegal state transition lead to low pass rate for messages. We analyzed present popular fuzzers and found that most fuzzers generate low quality messages that would be rejected by target program even at the beginning. To overcome this problem, we proposed a novel fuzzing approach which contains constrained message mutation and more efficient state chain searching algorithm based on network protocol specification. Our 24 hours experiments demonstrated that our approach outperforms the popular protocol fuzzing tool in both pass rate(at least 9.3%) and edge coverage(at least 12.1%).

Yurong Chen,Yongsheng Mei,Tian Lan,Guru Venkataramani

DOI: https://doi.org/10.1145/3526088

2024-01-01

Digital Threats Research and Practice

Abstract:In recent years, coverage-based greybox fuzzing has become popular forvulnerability detection due to its simplicity and efficiency. However, it is less powerful when applied directly to protocol fuzzing due to the unique challenges involved in fuzzing communication protocols. In particular, the communication among multiple ends contains more than one packet, which are not necessarily dependent upon each other, i.e., fuzzing single (usually the first) packet can only achieve extremely limited code coverage. In this paper, we study such challenges and demonstrate the limitation of current non-stateful greybox fuzzer. In order to achieve higher code coverage, we design stateful protocol fuzzing strategies for communication protocols to explore the code related to different protocol states. Our approach contains a state switching engine, together with a multi-state forkserver to consistently and flexibly fuzz different states of an compiler-instrumented protocol program. Our experimental results on OpenSSL show that our approach achieves an improvement of 73% more code coverage and 2x unique crashes when comparing against fuzzing the first packet during a protocol handshake.

Kaiyu Shi,Xiangzhan Yu,Yue Zhao

DOI: https://doi.org/10.1145/3444370.3444625

2020-01-01

Abstract:With the rapid advancement of modern technology, software are getting more and more intelligent, whereas the related security issues are also becoming more and more prominent [1]. Developers can easily introduce bugs into a system due to mistakes or poor consideration, which in serious cases may lead to security breaches that can jeopardize the entire system or the entire network. Therefore, efficient and automated security testing techniques or theories are of great importance to software testing and vulnerability detection.

Ke Yan,Bo Yu,Yong Tang,Xiangdong Kong,Chen,Jin Lei

DOI: https://doi.org/10.1109/dsc55868.2022.00060

2022-01-01

Abstract:Fuzzing is one of the most popular software analysis techniques for discovering vulnerabilities. Different from common terminal software, servers should be interacted with well-formed message that conforms to protocol specifications to exercise more functions. However, without protocol specifications, random bit flipping is unlikely to generate valid messages, making fuzzing struggle to traverse the deeper branches of the program. What’s more, manually extracting specifications is typically labor-intensive. In this paper, we present NAFuzzer, a format-aware fuzzing framework for network protocol software. Based on the key insight that similar message fields being parsed at similar locations in the program, NAFuzzer collects constraints of message handling process using replay-based concolic execution, then runs Loop Mapping algorithm to infer the protocol format, and finally uses the format information to generate seeds and perform fuzzing. We implemented and evaluated NAFuzzer on 6 real-world protocol software (LightFTP, Exim, Live555, NetSNMP, Dnsmasq, TinyHTTPd). The results show that NAFuzzer can extract the message formats of six protocol software with a field recognition accuracy of close to 90%. In fuzzing, it achieves higher branch coverage (up to 27.3%) and discovers more paths (up to 38.2%) compared to state-of-the-art fuzzers without any manual involvement.

吴志勇,王红川,孙乐昌,潘祖烈,刘京菊

DOI: https://doi.org/10.3969/j.issn.1001-3695.2010.03.006

2010-01-01

Abstract:By analyzing and comparing several definitions of Fuzzing,this paper gave a new definition accroding to the know-ledge and methods using currently,summerized its new ideas,new methods and corresponding defeats from these aspects like differences from black-box testing,framework and test data generation mechanism.Based on these defeats and the requiments from practical application,proposed concrete research directions and methods.

Bo Yu,Lei Zhou,Chengnuo Cai,Qiang Yang,Yaojia Yang,Runhao Liu,Lei Luo,Wenyu Long,Lianghua Gong

DOI: https://doi.org/10.1109/icws62655.2024.00139

2024-01-01

Abstract:Fuzzing network protocols is challenging due to their various factors including syntax, state transition, and even conformation of its executable software. To achieve better convenience of platform development and effectiveness of individual protocol testing, current grey-box fuzzing approaches generally focus on limited factors. However, it leaves poor performance on real-world services’s protocol evaluation since it requires significant additional adaptation efforts to accommodate the diversity of protocol software. To address this issue, we present FuzzFabric, a scalable grey-box fuzzing framework designed for polymorphic protocol services. FuzzFabric decouples existing fuzzing engines and modular programs the protocol processing adapters, and finally adaptive assembles fuzzing engine to evaluate different network protocol services. We implemented FuzzFabric on top of AFLNet, supporting 3 different protocol types and 4 instrumentation tools, and conducted experiments using 11 real-world protocol applications. The results demonstrate that FuzzFabric can effectively fuzz protocols in different forms with various instrumentation, validating its practical efficacy and scalability.

He LI,Chao ZHANG,Xin YANG,Jun-hu ZHU

DOI: https://doi.org/10.3969/j.issn.1000-1220.2019.09.034

2019-01-01

Abstract:As an efficient vulnerability discovering method,fuzzing testing has been widely used in operating system kernel security. Kernel fuzzing significantly improves the security of operating system kernel and driver programs. At present,the use of fuzzing tech-niques for operating systems on different platforms for vulnerability discovering has become a research hotspot. This paper studies the existing kernel fuzzing methods,summarizes the development of kernel fuzzing and technical ideas,and attempts to classify kernel fuzzing. Summarizes the new technologies used in kernel fuzzing in recent years. Finally,the problems in the current research are dis-cussed,and the future development trend of kernel fuzzing testing is prospected.

Shameng Wen,Qingkun Meng,Chao Feng,Chaojing Tang

DOI: https://doi.org/10.1371/journal.pone.0186188

IF: 3.7

2017-10-19

PLoS ONE

Abstract:Network protocol vulnerability detection plays an important role in many domains, including protocol security analysis, application security, and network intrusion detection. In this study, by analyzing the general fuzzing method of network protocols, we propose a novel approach that combines network traffic analysis with the binary reverse engineering method. For network traffic analysis, the block-based protocol description language is introduced to construct test scripts, while the binary reverse engineering method employs the genetic algorithm with a fitness function designed to focus on code coverage. This combination leads to a substantial improvement in fuzz testing for network protocols. We build a prototype system and use it to test several real-world network protocol implementations. The experimental results show that the proposed approach detects vulnerabilities more efficiently and effectively than general fuzzing methods such as SPIKE.

Xiaogang Zhu,Sheng Wen,Seyit Camtepe,Yang Xiang

DOI: https://doi.org/10.1145/3512345

IF: 16.6

2022-01-28

ACM Computing Surveys

Abstract:Fuzz testing (fuzzing) has witnessed its prosperity in detecting security flaws recently. It generates a large number of test cases and monitors the executions for defects. Fuzzing has detected thousands of bugs and vulnerabilities in various applications. Although effective, there lacks systematic analysis of gaps faced by fuzzing. As a technique of defect detection, fuzzing is required to narrow down the gaps between the entire input space and the defect space. Without limitation on the generated inputs, the input space is infinite. However, defects are sparse in an application, which indicates that the defect space is much smaller than the entire input space. Besides, because fuzzing generates numerous test cases to repeatedly examine targets, it requires fuzzing to perform in an automatic manner. Due to the complexity of applications and defects, it is challenging to automatize the execution of diverse applications. In this paper, we systematically review and analyze the gaps as well as their solutions, considering both breadth and depth. This survey can be a roadmap for both beginners and advanced developers to better understand fuzzing.

computer science, theory & methods

Mingjie Cheng,Kailong Zhu,Yuanchao Chen,Guozheng Yang,Yuliang Lu,Canju Lu

DOI: https://doi.org/10.3390/electronics13132632

IF: 2.9

2024-01-01

Electronics

Abstract:Network protocol implementations, as integral components of information communication, are critically important for security. Due to its efficiency and automation, fuzzing has become a popular method for protocol security detection. However, the existing protocol-fuzzing techniques face the critical problem of generating high-quality inputs. To address the problem, in this paper, we propose MSFuzz, which is a protocol-fuzzing method with message syntax comprehension. The core observation of MSFuzz is that the source code of protocol implementations contains detailed and comprehensive knowledge of the message syntax. Specifically, we leveraged the code-understanding capabilities of large language models to extract the message syntax from the source code and construct message syntax trees. Then, using these syntax trees, we expanded the initial seed corpus and designed a novel syntax-aware mutation strategy to guide the fuzzing. To evaluate the performance of MSFuzz, we compared it with the state-of-the-art (SOTA) protocol fuzzers, namely, AFLNET and CHATAFL. Experimental results showed that compared with AFLNET and CHATAFL, MSFuzz achieved average improvements of 22.53% and 10.04% in the number of states, 60.62% and 19.52% improvements in the number of state transitions, and 29.30% and 23.13% improvements in branch coverage. Additionally, MSFuzz discovered more vulnerabilities than the SOTA fuzzers.

Dongge Liu,Van-Thuan Pham,Gidon Ernst,Toby Murray,Benjamin I.P. Rubinstein

DOI: https://doi.org/10.48550/arXiv.2112.15498

2022-01-07

Abstract:The statefulness property of network protocol implementations poses a unique challenge for testing and verification techniques, including Fuzzing. Stateful fuzzers tackle this challenge by leveraging state models to partition the state space and assist the test generation process. Since not all states are equally important and fuzzing campaigns have time limits, fuzzers need effective state selection algorithms to prioritize progressive states over others. Several state selection algorithms have been proposed but they were implemented and evaluated separately on different platforms, making it hard to achieve conclusive findings. In this work, we evaluate an extensive set of state selection algorithms on the same fuzzing platform that is AFLNet, a state-of-the-art fuzzer for network servers. The algorithm set includes existing ones supported by AFLNet and our novel and principled algorithm called AFLNetLegion. The experimental results on the ProFuzzBench benchmark show that (i) the existing state selection algorithms of AFLNet achieve very similar code coverage, (ii) AFLNetLegion clearly outperforms these algorithms in selected case studies, but (iii) the overall improvement appears insignificant. These are unexpected yet interesting findings. We identify problems and share insights that could open opportunities for future research on this topic.

Software Engineering,Cryptography and Security,Machine Learning

Xiyue Gao,Zhuang Liu,Jiangtao Cui,Hui Li,Hui Zhang,Kewei Wei,Kankan Zhao

DOI: https://doi.org/10.48550/arXiv.2311.06728

2023-11-12

Abstract:Database Management System (DBMS) fuzzing is an automated testing technique aimed at detecting errors and vulnerabilities in DBMSs by generating, mutating, and executing test cases. It not only reduces the time and cost of manual testing but also enhances detection coverage, providing valuable assistance in developing commercial DBMSs. Existing fuzzing surveys mainly focus on general-purpose software. However, DBMSs are different from them in terms of internal structure, input/output, and test objectives, requiring specialized fuzzing strategies. Therefore, this paper focuses on DBMS fuzzing and provides a comprehensive review and comparison of the methods in this field. We first introduce the fundamental concepts. Then, we systematically define a general fuzzing procedure and decompose and categorize existing methods. Furthermore, we classify existing methods from the testing objective perspective, covering various components in DBMSs. For representative works, more detailed descriptions are provided to analyze their strengths and limitations. To objectively evaluate the performance of each method, we present an open-source DBMS fuzzing toolkit, OpenDBFuzz. Based on this toolkit, we conduct a detailed experimental comparative analysis of existing methods and finally discuss future research directions.

Databases

Congxi Song,Bo Yu,Xu Zhou,Qiang Yang

DOI: https://doi.org/10.1109/access.2019.2895025

IF: 3.9

2019-01-01

IEEE Access

Abstract:In recent years, the fuzzing technology is widely used to detect the software vulnerabilities owing to the coverage improvement in the target program and the easiness of use. However, it is less efficient to fuzz the stateful protocols due to the difficulties like maintaining states and dependencies of messages. To address these challenges, we present SPFuzz, a framework for building flexible, coverage-guided stateful protocol fuzzing. We define a language in SPFuzz to describe the protocol specifications, protocol states transitions and dependencies for generating valuable test cases, maintaining correct messages in session states and handling protocol dependencies by updating message data in time. The SPFuzz adopts a three-level mutation strategy, namely head, content, and sequence mutation strategy to drive the fuzzing process to cover more paths, in conjunction with the method to randomly assign weights to messages and strategies. We use the following metrics to evaluate the performance of SPFuzz and other frameworks upon three protocol implementations, i.e., Proftpd, Oftpd, and OpenSSL, which are three-granularity coverages specifically function, basic block, and edge. In experiments, the SPFuzz framework outperforms the existing stateful protocol fuzzing tool Boofuzz by an average of 69.12% in three granularities coverage tests. This demonstrates that the SPFuzz has the ability to explore more and deeper paths of the target program. We further triggered CVE-2015-0291 in OpenSSL 1.0.2 with the SPFuzz, which proves the validity and utility of our framework.