Shihao Jiang,Yu Zhang,Junqiang Li,Hongfang Yu,Long Luo,Gang Sun

2024-02-27

Abstract:As one of the most successful and effective software testing techniques in recent years, fuzz testing has uncovered numerous bugs and vulnerabilities in modern software, including network protocol software. In contrast to other fuzzing targets, network protocol software exhibits its distinct characteristics and challenges, introducing a plethora of research questions that need to be addressed in the design and implementation of network protocol fuzzers. While some research work has evaluated and systematized the knowledge of general fuzzing techniques at a high level, there is a lack of similar analysis and summarization for fuzzing research specific to network protocols. This paper offers a comprehensive exposition of network protocol software's fuzzing-related features and conducts a systematic review of some representative advancements in network protocol fuzzing since its inception. We summarize state-of-the-art strategies and solutions in various aspects, propose a unified protocol fuzzing process model, and introduce the techniques involved in each stage of the model. At the same time, this paper also summarizes the promising research directions in the landscape of protocol fuzzing to foster exploration within the community for more efficient and intelligent modern network protocol fuzzing techniques.

Networking and Internet Architecture

Senyi Li,Junqiang Li,Jingxuan Fu,Mingwu Xue,Hongfang Yu,Gang Sun

DOI: https://doi.org/10.1109/ucet54125.2021.9674965

2021-01-01

Abstract:Fuzzing is one of the most successful techniques for protocol implementation security analysis and vulnerability discovery. Greybox fuzzing for network protocol has become a popular area for its high efficiency. However, present fuzzers are suffering performance drop as they pay no or not enough attention to network protocol specification. To be more detailed, unconstrained mutation and illegal state transition lead to low pass rate for messages. We analyzed present popular fuzzers and found that most fuzzers generate low quality messages that would be rejected by target program even at the beginning. To overcome this problem, we proposed a novel fuzzing approach which contains constrained message mutation and more efficient state chain searching algorithm based on network protocol specification. Our 24 hours experiments demonstrated that our approach outperforms the popular protocol fuzzing tool in both pass rate(at least 9.3%) and edge coverage(at least 12.1%).

Zicong Gao,Hao Xiong,Weiyu Dong,Rui Chang,Rui Yang,Yajin Zhou,Liehui Jiang

DOI: https://doi.org/10.1109/tse.2023.3326144

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Mutation-based fuzzing has been widely used in both academia and industry. Recently, researchers observe that the mutation scheduling scheme affects the efficiency of fuzzing. Accordingly, they propose PSO algorithm or machine learning-based technique to optimize the scheduling process. However, these methods fail to consider the fact that the optimal operator distribution of different seeds is different, even for the same program. In this paper, we propose a novel general scheduling scheme, named FA-fuzz, to find the optimal selecting probability distribution of mutation operators, which is based on the observations that the effective mutation operators are different for different seeds. Specifically, our method is based on the firefly algorithm. The positions of fireflies are mapped to the selection probability distribution of different mutation operators. The brightness of fireflies is expressed as the efficiency of discovering unique testcases. We implement prototype systems on multiple state-of-art fuzzers, and perform evaluations on two datasets. Our proposed method improves both the number of unique paths and unique bugs on real-world datasets. In addition, we discover 30 zero-day vulnerabilities in eight real-world programs, which demonstrate the effectiveness of FA-fuzz.

Shameng Wen,Qingkun Meng,Chao Feng,Chaojing Tang

DOI: https://doi.org/10.1371/journal.pone.0186188

IF: 3.7

2017-10-19

PLoS ONE

Abstract:Network protocol vulnerability detection plays an important role in many domains, including protocol security analysis, application security, and network intrusion detection. In this study, by analyzing the general fuzzing method of network protocols, we propose a novel approach that combines network traffic analysis with the binary reverse engineering method. For network traffic analysis, the block-based protocol description language is introduced to construct test scripts, while the binary reverse engineering method employs the genetic algorithm with a fitness function designed to focus on code coverage. This combination leads to a substantial improvement in fuzz testing for network protocols. We build a prototype system and use it to test several real-world network protocol implementations. The experimental results show that the proposed approach detects vulnerabilities more efficiently and effectively than general fuzzing methods such as SPIKE.

Zhaowei Zhang,Hongzheng Zhang,Jinjing Zhao,Yanfei Yin

DOI: https://doi.org/10.3390/electronics12132904

IF: 2.9

2023-07-02

Electronics

Abstract:Network protocols, as the communication rules among computer network devices, are the foundation for the normal operation of networks. However, security issues arising from design flaws and implementation vulnerabilities in network protocols pose significant risks to network operations and security. Network protocol fuzzing is an effective technique for discovering and mitigating security flaws in network protocols. It offers unparalleled advantages compared to other security analysis techniques thanks to the minimal requirement for prior knowledge of the target and low deployment complexity. Nevertheless, the randomness in test case generation, uncontrollable test coverage, and unstable testing efficiency introduce challenges in ensuring the controllability of the testing process and results. In order to comprehensively survey the development of network protocol fuzzing techniques and analyze their advantages and existing issues, in this paper, we categorized and summarized the protocol fuzzing and its related techniques based on the generation methods of test cases and testing conditions. Specifically, we overviewed the development trajectory and patterns of these techniques over the past two decades according to chronological order. Based on this analysis, we further predict the future directions of fuzzing techniques.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yan Pan,Wei Lin,Liang Jiao,Yuefei Zhu

DOI: https://doi.org/10.1155/2022/6880677

IF: 1.968

2022-05-06

Security and Communication Networks

Abstract:The widely used network protocols play a crucial role in various systems. However, the protocol vulnerabilities caused by the design of the network protocol or its implementation by programmers lead to multiple security incidents and substantial losses. Hence, it is important to study the protocol fuzzing in order to ensure its correctness. However, the challenges of protocol fuzzing are the mutation of protocol messages and the deep interactivity of the protocol implementation. This paper proposes a model-based grey-box fuzzing approach for protocol implementations, including the server-side and client-side. The proposed method is divided into two phases: automata learning based on the minimally adequate teacher (MAT) framework and grey-box fuzzing guided by the learned model and code coverage. The StateFuzzer tool used for evaluation is presented to demonstrate the validity and feasibility of the proposed approach. The server-side fuzzing can achieve similar or higher code coverage and vulnerability discovery capability than those of AFLNET and StateAFL. Considering the client, the results show that it achieves 1.5X branch coverage (on average) compared with the default AFL, and 1.3X branch coverage compared with AFLNET and StateAFL, using the typical implementations such as OpenSSL, LibreSSL, and Live555. The StateFuzzer identifies a new memory corruption bug in Live555 (2021-08-25) and 14 distinct discrepancies based on differential testing.

computer science, information systems,telecommunications

Ke Yan,Bo Yu,Yong Tang,Xiangdong Kong,Chen,Jin Lei

DOI: https://doi.org/10.1109/dsc55868.2022.00060

2022-01-01

Abstract:Fuzzing is one of the most popular software analysis techniques for discovering vulnerabilities. Different from common terminal software, servers should be interacted with well-formed message that conforms to protocol specifications to exercise more functions. However, without protocol specifications, random bit flipping is unlikely to generate valid messages, making fuzzing struggle to traverse the deeper branches of the program. What’s more, manually extracting specifications is typically labor-intensive. In this paper, we present NAFuzzer, a format-aware fuzzing framework for network protocol software. Based on the key insight that similar message fields being parsed at similar locations in the program, NAFuzzer collects constraints of message handling process using replay-based concolic execution, then runs Loop Mapping algorithm to infer the protocol format, and finally uses the format information to generate seeds and perform fuzzing. We implemented and evaluated NAFuzzer on 6 real-world protocol software (LightFTP, Exim, Live555, NetSNMP, Dnsmasq, TinyHTTPd). The results show that NAFuzzer can extract the message formats of six protocol software with a field recognition accuracy of close to 90%. In fuzzing, it achieves higher branch coverage (up to 27.3%) and discovers more paths (up to 38.2%) compared to state-of-the-art fuzzers without any manual involvement.

Tewodros Legesse Munea,Hyunwoo Lim,Taeshik Shon

DOI: https://doi.org/10.1007/s11042-015-2763-6

IF: 2.577

2015-08-02

Multimedia Tools and Applications

Abstract:Fuzzing or fuzz testing has been introduced as a software testing technique to reduce vulnerabilities in software systems or given targets. To achieve a maximum benefit-to-cost ratio and without complication, we use fuzz testing [11]. In addition, during the development and debugging of a system, we may fail to notice the kinds of shortcoming that fuzz testing can expose. Fuzz testing types are different depending on the target they fuzz. Application, file format, and protocol fuzzing are the most common fuzzing types. A protocol fuzzer sends counterfeit packets to a target system while changing the normal packet en-route and sometimes replaying them. In addition, a protocol fuzzer sometimes acts as proxy server for clients. This survey study examines network protocol fuzz testing. We identified several studies on network protocol fuzzing. Most focus on application layers of the Open Systems Interconnection model. We primarily review the approaches of five studies and the targets and protocol layers they fuzz. We then develop criteria to compare these approaches in detail.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Xiaohan Zhang,Cen Zhang,Xinghua Li,Zhengjie Du,Bing Mao,Yuekang Li,Yaowen Zheng,Yeting Li,Li Pan,Yang Liu,Robert Deng

DOI: https://doi.org/10.1145/3696788

IF: 16.6

2024-10-12

ACM Computing Surveys

Abstract:Communication protocols form the bedrock of our interconnected world, yet vulnerabilities within their implementations pose significant security threats. Recent developments have seen a surge in fuzzing-based research dedicated to uncovering these vulnerabilities within protocol implementations. However, there still lacks a systematic overview of protocol fuzzing for answering the essential questions such as what the unique challenges are, how existing works solve them, and so on. To bridge this gap, we conducted a comprehensive investigation of related works from both academia and industry. Our study includes a detailed summary of the specific challenges in protocol fuzzing and provides a systematic categorization and overview of existing research efforts. Furthermore, we explore and discuss potential future research directions in protocol fuzzing.

computer science, theory & methods

Rui Ma,Shuaimin Ren,Ke Ma,Changzhen Hu,Jingfeng Xue

DOI: https://doi.org/10.23919/tst.2017.8030535

2017-01-01

Abstract:Network protocols are divided into stateless and stateful.Stateful network protocols have complex communication interactions and state transitions.However,the existing network protocol fuzzing does not support state transitions very well.This paper focuses on this issue and proposes the Semi-valid Fuzzing for the Stateful Network Protocol（SFSNP）.The SFSNP analyzes protocol interactions and builds an extended finite state machine with a path marker for the network protocol; then it obtains test sequences of the extended finite state machine,and further performs the mutation operation using the semi-valid algorithm for each state transition in the test sequences; finally,it obtains fuzzing sequences.Moreover,because different test sequences may have the same state transitions,the SFSNP uses the state transition marking algorithm to reduce redundant test cases.By using the stateful rule tree of the protocol,the SFSNP extracts the constraints in the protocol specifications to construct semi-valid fuzz testing cases within the sub-protocol domain,and finally forms fuzzing sequences.Experimental results indicate that the SFSNP is reasonably effective at reducing the quantity of generated test cases and improving the quality of fuzz testing cases.The SFSNP can reduce redundancy and shorten testing time.

Rui Ma,Wendong Ji,Changzhen Hu,Chun Shan

DOI: https://doi.org/10.1049/cp.2014.0748

2014-01-01

Abstract:Aiming at the test data generation, which is one of the key issues in the network protocol fuzzing, this paper presents a new method on the basis of classification tree and heuristic operator. The method firstly builds up a protocol classification tree divided into 4 layers: target network protocol, protocol fields, attributes belonging to all fields, and attribute values. In order to reduce the scale of fuzz testing data, heuristic operators are defined to remove useless items from value sets of attributes. And then the test data for each protocol field was obtained by doing Cartesian product between value sets of attributes. The fuzz testing data for target network protocol is finally generated by replacing the corresponding field in the protocol with its fuzzing data one by one. Experimental results indicate that our method could successfully detect vulnerabilities, while dramatically reduce the number of test data and highly improve the quality of test data.

Zhicheng Hu,Jianqi Shi,Yanhong Huang,Jiawen Xiong,Xiangxing Bu

DOI: https://doi.org/10.1145/3203217.3203241

2018-01-01

Abstract:In this paper, we attempt to improve industrial safety from the perspective of communication security. We leverage the protocol fuzzing technology to reveal errors and vulnerabilities inside implementations of industrial network protocols(INPs). Traditionally, to effectively conduct protocol fuzzing, the test data has to be generated under the guidance of protocol grammar, which is built either by interpreting the protocol specifications or reverse engineering from network traces. In this study, we propose an automated test case generation method, in which the protocol grammar is learned by deep learning. Generative adversarial network(GAN) is employed to train a generative model over real-world protocol messages to enable us to learn the protocol grammar. Then we can use the trained generative model to produce fake but plausible messages, which are promising test cases. Based on this approach, we present an automatical and intelligent fuzzing framework(GANFuzz) for testing implementations of INPs. Compared to prior work, GANFuzz offers a new way for this problem. Moreover, GANFuzz does not rely on protocol specification, so that it can be applied to both public and proprietary protocols, which outperforms many previous frameworks. We use GANFuzz to test several simulators of the Modbus-TCP protocol and find some errors and vulnerabilities.

Yurong Chen,Yongsheng Mei,Tian Lan,Guru Venkataramani

DOI: https://doi.org/10.1145/3526088

2024-01-01

Digital Threats Research and Practice

Abstract:In recent years, coverage-based greybox fuzzing has become popular forvulnerability detection due to its simplicity and efficiency. However, it is less powerful when applied directly to protocol fuzzing due to the unique challenges involved in fuzzing communication protocols. In particular, the communication among multiple ends contains more than one packet, which are not necessarily dependent upon each other, i.e., fuzzing single (usually the first) packet can only achieve extremely limited code coverage. In this paper, we study such challenges and demonstrate the limitation of current non-stateful greybox fuzzer. In order to achieve higher code coverage, we design stateful protocol fuzzing strategies for communication protocols to explore the code related to different protocol states. Our approach contains a state switching engine, together with a multi-state forkserver to consistently and flexibly fuzz different states of an compiler-instrumented protocol program. Our experimental results on OpenSSL show that our approach achieves an improvement of 73% more code coverage and 2x unique crashes when comparing against fuzzing the first packet during a protocol handshake.

Wen‐dong Ji,Jingfeng Xue,Daguang Wang,Rui Ma,Changzhen Hu

DOI: https://doi.org/10.1109/TST.2016.7488746

2016-06-01

Abstract:To improve the efficiency and coverage of stateful network protocol fuzzing, this paper proposes a new method, using a rule-based state machine and a stateful rule tree to guide the generation of fuzz testing data. The method first builds a rule-based state machine model as a formal description of the states of a network protocol. This removes safety paths, to cut down the scale of the state space. Then it uses a stateful rule tree to describe the relationship between states and messages, and then remove useless items from it. According to the message sequence obtained by the analysis of paths using the stateful rule tree and the protocol specification, an abstract data model of test case generation is defined. The fuzz testing data is produced by various generation algorithms through filling data in the fields of the data model. Using the rule-based state machine and the stateful rule tree, the quantity of test data can be reduced. Experimental results indicate that our method can discover the same vulnerabilities as traditional approaches, using less test data, while optimizing test data generation and improving test efficiency.

Computer Science

Zhengxiong Luo,Zhe Liu,Yu Jiang,Junze Yu,Feilong Zuo

DOI: https://doi.org/10.1109/DAC18074.2021.9586321

2021-12-05

Abstract:The rapid development of in-vehicle networks and protocols brings efficient communication service but also increases the risk of attack. Any vulnerability may be leveraged to cause serious consequences. It is of vital importance to guarantee their security. However, the vulnerability detection efficiency of traditional techniques such as fuzzing is challenged by the complex relations among protocol states.In this paper, we propose PAVFuzz, a state-sensitive fuzz testing framework to secure those protocols used in autonomous vehicles. It automatically learns relations between two data elements in different protocol states. The relations will then be used to calculate and update the mutation weight of each data element continuously. Accordingly, PAVFuzz is able to select the target data elements and perform state-sensitive mutation to boost the efficiency. Experiments show that, compared with state-of-the-art fuzzers Peach and AFL, PAVFuzz increases branch coverage by averagely 22.51% and 369.19% within 24 hours. It has successfully exposed 12 serious previously unknown vulnerabilities among several protocols that are widely used in autonomous vehicles, such as RTPS and SOME/IP. We have reported them to the developers and corresponding patches have been released.

Engineering,Computer Science

Ya Ma

DOI: https://doi.org/10.52783/jes.3438

2024-04-25

Abstract:The protection of industrialized management systems and related network protocols is guaranteed by vulnerability mining innovation. The inadequate receiving efficiency and insufficient vulnerability mining capacity of vulnerability mining strategies are their drawbacks. So, this study analyzes the network protocol vulnerability mining using fuzz testing combined with deep learning (DL). In this study, Modbus TCP is employed as a network protocol regarding vulnerability mining. This paper presents a unique threshold-sample-driven deep neural network (T-s DNN) framework. Based on the TSDNN, we construct a fuzzing framework (T-s DNN Fuzzer) for Modbus TCP protocols. The DNN algorithm is first trained to understand the meaning of the protocol's data unit using this framework. The likelihood distribution of every value in the information is quantified using the softmax mechanism. The technique then examines the highest likelihood and the random variable's threshold in deciding whether to use the information value with the optimal likelihood in place of the existing information value. The MBAP header has been finished by the protocol standard. Fuzz tests demonstrate that in addition to increasing sample receipt levels and exploitability, fuzzing devices can identify protocol vulnerabilities rapidly. Experiments conducted with the T-s DNN fuzzer demonstrate that it can detect industrial control protocol vulnerabilities greater in addition to increasing test case reception scores and exploitability.

Computer Science,Engineering

Dongge Liu,Van-Thuan Pham,Gidon Ernst,Toby Murray,Benjamin I.P. Rubinstein

DOI: https://doi.org/10.48550/arXiv.2112.15498

2022-01-07

Abstract:The statefulness property of network protocol implementations poses a unique challenge for testing and verification techniques, including Fuzzing. Stateful fuzzers tackle this challenge by leveraging state models to partition the state space and assist the test generation process. Since not all states are equally important and fuzzing campaigns have time limits, fuzzers need effective state selection algorithms to prioritize progressive states over others. Several state selection algorithms have been proposed but they were implemented and evaluated separately on different platforms, making it hard to achieve conclusive findings. In this work, we evaluate an extensive set of state selection algorithms on the same fuzzing platform that is AFLNet, a state-of-the-art fuzzer for network servers. The algorithm set includes existing ones supported by AFLNet and our novel and principled algorithm called AFLNetLegion. The experimental results on the ProFuzzBench benchmark show that (i) the existing state selection algorithms of AFLNet achieve very similar code coverage, (ii) AFLNetLegion clearly outperforms these algorithms in selected case studies, but (iii) the overall improvement appears insignificant. These are unexpected yet interesting findings. We identify problems and share insights that could open opportunities for future research on this topic.

Software Engineering,Cryptography and Security,Machine Learning

Congxi Song,Bo Yu,Xu Zhou,Qiang Yang

DOI: https://doi.org/10.1109/access.2019.2895025

IF: 3.9

2019-01-01

IEEE Access

Abstract:In recent years, the fuzzing technology is widely used to detect the software vulnerabilities owing to the coverage improvement in the target program and the easiness of use. However, it is less efficient to fuzz the stateful protocols due to the difficulties like maintaining states and dependencies of messages. To address these challenges, we present SPFuzz, a framework for building flexible, coverage-guided stateful protocol fuzzing. We define a language in SPFuzz to describe the protocol specifications, protocol states transitions and dependencies for generating valuable test cases, maintaining correct messages in session states and handling protocol dependencies by updating message data in time. The SPFuzz adopts a three-level mutation strategy, namely head, content, and sequence mutation strategy to drive the fuzzing process to cover more paths, in conjunction with the method to randomly assign weights to messages and strategies. We use the following metrics to evaluate the performance of SPFuzz and other frameworks upon three protocol implementations, i.e., Proftpd, Oftpd, and OpenSSL, which are three-granularity coverages specifically function, basic block, and edge. In experiments, the SPFuzz framework outperforms the existing stateful protocol fuzzing tool Boofuzz by an average of 69.12% in three granularities coverage tests. This demonstrates that the SPFuzz has the ability to explore more and deeper paths of the target program. We further triggered CVE-2015-0291 in OpenSSL 1.0.2 with the SPFuzz, which proves the validity and utility of our framework.

Bo Yu,Lei Zhou,Chengnuo Cai,Qiang Yang,Yaojia Yang,Runhao Liu,Lei Luo,Wenyu Long,Lianghua Gong

DOI: https://doi.org/10.1109/icws62655.2024.00139

2024-01-01

Abstract:Fuzzing network protocols is challenging due to their various factors including syntax, state transition, and even conformation of its executable software. To achieve better convenience of platform development and effectiveness of individual protocol testing, current grey-box fuzzing approaches generally focus on limited factors. However, it leaves poor performance on real-world services’s protocol evaluation since it requires significant additional adaptation efforts to accommodate the diversity of protocol software. To address this issue, we present FuzzFabric, a scalable grey-box fuzzing framework designed for polymorphic protocol services. FuzzFabric decouples existing fuzzing engines and modular programs the protocol processing adapters, and finally adaptive assembles fuzzing engine to evaluate different network protocol services. We implemented FuzzFabric on top of AFLNet, supporting 3 different protocol types and 4 instrumentation tools, and conducted experiments using 11 real-world protocol applications. The results demonstrate that FuzzFabric can effectively fuzz protocols in different forms with various instrumentation, validating its practical efficacy and scalability.