Ma Rongkuan,Zheng Hao,Wang Jingyi,Wang Mufeng,Wei Qiang,Wang Qingxian

DOI: https://doi.org/10.1631/fitee.2000709

IF: 2.526

2022-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Proprietary (or semi-proprietary) protocols are widely adopted in industrial control systems (ICSs). Inferring protocol format by reverse engineering is important for many network security applications, e.g., program tests and intrusion detection. Conventional protocol reverse engineering methods have been proposed which are considered time-consuming, tedious, and error-prone. Recently, automatical protocol reverse engineering methods have been proposed which are, however, neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations. In this paper, we present a framework called the industrial control system protocol reverse engineering framework (ICSPRF) that aims to extract ICS protocol fields with high accuracy. ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context, e.g., basic block (BBL) group. As a result, by monitoring program execution, we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format. We evaluate our approach with six open-source ICS protocol implementations. The results show that ICSPRF can identify individual protocol fields with high accuracy (on average a 94.3% match ratio). ICSPRF also has a low coarse-grained and overly fine-grained match ratio. For the same metric, ICSPRF is more accurate than AutoFormat (88.5% for all evaluated protocols and 80.0% for binary-based protocols).

Qianmu Li,Yaozong Liu,Shunmei Meng,Hanrui Zhang,Haiyuan Shen,Huaqiu Long

DOI: https://doi.org/10.1186/s13638-020-01734-0

2020-06-03

EURASIP Journal on Wireless Communications and Networking

Abstract:Abstract The safety of the Industrial Internet Control Systems has been a hotspot in the information security. To meet the needs of communication, a large variety of proprietary protocols have emerged in the field of industrial control. The protocol field is often trusted in the implementation of industrial control terminal code. If attackers modify the data of these fields using the protocol defect, the operation of the program can be controlled and the entire system will be affected. To cope with such security threats, academia and industry generally adopt fuzz test methods. However, the current industrial control protocol fuzz test methods generally have low code coverage, where unified description models are missing and test cases are not targeted. A method of fuzzification processing combined with dynamic multi-modal sensor communication data is proposed. To track the program execution, the dynamic pollution analysis is used to search for the input fields that affect the execution of the conditional branch and capture the dependencies between the conditional branches to guide the grammar generation of test cases, which can increase the chances of executing deep code. The experimental results show that the proposed method improves the validity and code coverage of test cases to a certain extent and greatly increases the probability of anomaly detection in the protocol implementation.

telecommunications,engineering, electrical & electronic

Bin ZHANG,Meng-jun LI,bo WU,Chao-jing TANG

DOI: https://doi.org/10.3969/j.issn.1004-373X.2014.19.028

2014-01-01

Abstract:Since traditional fuzzy testing may test the same state space repeatedly due to the different input,and lead to a low efficiency,a binary oriented fuzzy testing technique based on dynamic taint analysis combined with input field classification technology is presented in this paper,which can perform the oriented fuzzy testing for typical security-sensitive operation and general module function,and serve as a good solution to the problem of low efficiency of the traditional fuzzy testing. The proto-type system TaintedFuzz was also realized for binary oriented fuzzy testing. The experiment proves that the method is capable of exploring the typical security vulnerabilities in the binary program efficiently.

Bo Shuai,Mengjun Li,Haifeng Li,Quan Zhang,Chaojing Tang

DOI: https://doi.org/10.1109/CECNet.2013.6703400

2013-01-01

Abstract:In order to solve the problems of traditional Fuzzing technique for software vulnerability detection, this paper proposes a novel method based on genetic algorithm and dynamic taint analysis. First, static analysis is applied to calculate the critical path information, including danger functions, high cyclomatic number functions and loop structures. Second, dynamic taint analysis is introduced to identify the key bytes to reduce the input space. Third, the genetic algorithm fitness function is constructed based on the critical path information to guide the test case generation and the genetic operators are executed on the reduced input space. Experiments show that the method could obtain higher vulnerability detection accuracy and efficiency.

Hai-Feng Guo,Zongyan Qiu

DOI: https://doi.org/10.1002/spe.2278

2014-01-01

Abstract:SummaryGrammar‐based test generation provides a systematic approach to producing test cases from a given context‐free grammar. Unfortunately, naive grammar‐based test generation is problematic because of the fact that exhaustive random test case production is often explosive, and grammar‐based test generation with explicit annotation controls often causes unbalanced testing coverage. In this paper, we present an automatic grammar‐based test generation approach, which takes a symbolic grammar as input, requires zero control input from users, and produces well‐distributed test cases. Our approach utilizes a novel dynamic stochastic model where each variable is associated with a tuple of probability distributions, which are dynamically adjusted along the derivation. We further present a coverage tree illustrating the distribution of generated test cases and their detailed derivations. More importantly, the coverage tree supports various implicit derivation control mechanisms. We implemented this approach in a Java‐based system, named Gena. Each test case generated by Gena automatically comes with a set of structural features, which can play an important and effective role on automated failure causes localization. Experimental results demonstrate the effectiveness of our approach, the well‐balanced distribution of generated test cases over grammatical structures, and a case study on grammar‐based failure causes localization. Copyright © 2014 John Wiley & Sons, Ltd.

CHEN Yan-ling,ZHAO Jing

DOI: https://doi.org/10.3724/sp.j.1087.2011.02367

2011-01-01

Abstract:The record of the current taint analysis tool is not accurate.To solve this,dynamic taint analysis based on the virtual technology was studied and implemented.A virtualization based dynamic taint analysis framework was designed,and two kinds of taint signature models based on Hook technology and Hash-traversal technology were given respectively for memory taint and hard disk taint.A taint propagation strategy was put forward according to the instruction type which was classified by instruction encoding format of InterAMD,and a taint record strategy based on instruction filtering was given to solve the problem of redundant information records.The experimental results prove that the proposed method is effective,and can be well used in test case generation and vulnerability detection of fuzzy test.

Binhe Zhou,Qi Li,Bowen Sun,Yuangang Yao

DOI: https://doi.org/10.1145/3192975.3193005

2018-01-01

Abstract:At present, fuzzy test is one of the most common ways of software vulnerability mining. However, the pertinence of traditional fuzzy test is not strong enough, the coverage is too low. The traditional fuzzy test can't meet the demand of the safety requirements of industrial control systems. This paper is aimed at the characteristics of industrial terminal equipment. We use genetic algorithm to design variation function and improve the memory fuzzy test to detect vulnerabilities. Based on this paper, we can effectively implement the new vulnerability mining system for industrial control system terminal, and greatly shorten the excavation time.

Hai-Feng Guo,Zongyan Qiu

DOI: https://doi.org/10.1007/978-3-642-41707-8_2

2013-01-01

Abstract:In this paper, we present an automatic grammar-based test generation approach which takes a symbolic grammar as input, requires zero control input from users, and produces well-distributed test cases. Our approach utilizes a novel dynamic stochastic model where each variable is associated with a tuple of probability distributions, which are dynamically adjusted along the derivation. The adjustment is based on a tabling strategy to keep track of the recursion of each grammar variable. We further present a test generation coverage tree illustrating the distribution of generated test cases and their detailed derivations, more importantly, it provides various implicit balance control mechanisms. We implemented this approach in a Java-based system, named Gena. Experimental results demonstrate the effectiveness of our test generation approach and show the balanced distribution of generated test cases over grammatical structures. © IFIP International Federation for Information Processing 2013.

Yiru Zhao,Long Gao,Qihan Wan,Lei Zhao

DOI: https://doi.org/10.1016/j.jksuci.2024.101920

IF: 9.006

2024-01-11

Journal of King Saud University - Computer and Information Sciences

Abstract:In recent years, hybrid fuzzing has garnered significant attention by combining the benefits of both fuzzing and concolic execution. However, existing hybrid fuzzing techniques face problems such as the performance overhead of concolic execution and low code coverage in real-world programs. In this study, we observed that concolic execution often falls into repetitive loop structures when analyzing inputs generated by fuzzing, leading to the construction of redundant constraint expressions, which severely impacts its efficiency. Based on this observation, we design a test case trimming approach to remove input fields related to repetitive loop structures. We propose a lightweight taint analysis technique to infer input's grammatical structure and construct a hierarchical grammar tree. Then, through delta debugging, we identify nodes that do not affect the code coverage and remove the corresponding input fields. We implement a prototype ScissorFuzz . Experimental results show that our approach brings an average of 8.2% improvement in code coverage and triggers 115 more crashes compared to the state-of-the-art hybrid fuzzing technique QSYM. By eliminating redundant fields, our approach reduces the resource and time overhead associated with concolic execution during input processing, thereby enhancing the efficiency of hybrid fuzzing.

computer science, information systems

Hui Zhao,Xing Li,Keke Gai

DOI: https://doi.org/10.1007/978-3-031-28124-2_38

2022-01-01

Abstract:Due to the unique global state and transaction sequence characteristics of smart contracts, the detection method based on a single test case cannot improve the vulnerability detection rate during contract detection. The current contract testing methods based on genetic algorithms have not yet solved the problems caused by these characteristics. Therefore, we propose an adaptive fuzzing method based on dynamic taint analysis and genetic algorithm, SDTGfuzzer. SDTGfuzzer focuses on dynamic taint analysis to collect runtime information as feedback, and focuses on solving the challenges brought by global variables and transaction sequences for contract testing. Genetic Algorithms work well in test case generation for fuzzing. Therefore, SDTGfuzzer optimizes the genetic algorithm based on an efficient and lightweight multi-objective adaptive strategy, focusing on solving the problem that the contract constraints cannot be covered due to the global state. Experimental results show that our method has a higher vulnerability detection rate than other tools for detecting contract vulnerabilities.

Zhicheng Hu,Jianqi Shi,Yanhong Huang,Jiawen Xiong,Xiangxing Bu

DOI: https://doi.org/10.1145/3203217.3203241

2018-01-01

Abstract:In this paper, we attempt to improve industrial safety from the perspective of communication security. We leverage the protocol fuzzing technology to reveal errors and vulnerabilities inside implementations of industrial network protocols(INPs). Traditionally, to effectively conduct protocol fuzzing, the test data has to be generated under the guidance of protocol grammar, which is built either by interpreting the protocol specifications or reverse engineering from network traces. In this study, we propose an automated test case generation method, in which the protocol grammar is learned by deep learning. Generative adversarial network(GAN) is employed to train a generative model over real-world protocol messages to enable us to learn the protocol grammar. Then we can use the trained generative model to produce fake but plausible messages, which are promising test cases. Based on this approach, we present an automatical and intelligent fuzzing framework(GANFuzz) for testing implementations of INPs. Compared to prior work, GANFuzz offers a new way for this problem. Moreover, GANFuzz does not rely on protocol specification, so that it can be applied to both public and proprietary protocols, which outperforms many previous frameworks. We use GANFuzz to test several simulators of the Modbus-TCP protocol and find some errors and vulnerabilities.

Dan Luo,Tun Li,Liqian Chen,Hongji Zou,Mingchuan Shi

DOI: https://doi.org/10.1016/j.vlsi.2022.05.001

2022-05-15

Integration, the VLSI Journal

Abstract:Recently, agile hardware design (AHD) methodology has been proposed to alleviate the productivity crisis brought by the growing complexity of modern microprocessor design. One of the key techniques in AHD is the adoption of hardware construction languages (HCLs) which have greatly improved the design productivity. However, the adoption of HCLs arises new challenges to design verification. In this paper, we proposed an enhanced coverage-directed dynamic verification technique for microprocessor RTL designs modeled using PyRTL HCL. The intention of the proposed method is to achieve higher coverage in dynamic verification. The proposed method is a hybrid between symbolic simulation and grammar-based fuzz testing, which offsets the disadvantages of each separate technique. We define Full Multiplexer Toggle Coverage (FMTC) to trace and provide feedback to the verification process. The achievement of high coverage is obtained by interleaving symbolic simulation and grammar-based fuzz testing passes. The symbolic simulation pass is used to generate tests that direct the testing to untouched corners, while the grammar-based fuzz testing pass is used to leverage test generation tasks and to enable the method to deal with microprocessor designs with a specific instruction set architecture (ISA). In addition, to further reduce testing cost, we propose a test compression technique to compress the generated test instructions by dropping redundant instructions. Finally, we implement all the enhancements in a test generation tool, named MPFuzz . Experimental results show that MPFuzz can efficiently generate test instructions for microprocessor RTL designs. The test instructions generated by MPFuzz can achieve higher coverage at least four times than that by the state-of-the-art fuzzing-based RTL test generation tool.

Wanyou Lv,Jiawen Xiong,Jianqi Shi,Yanhong Huang,Shengchao Qin

DOI: https://doi.org/10.1007/s10845-020-01584-z

IF: 8.3

2020-05-23

Journal of Intelligent Manufacturing

Abstract:A growing awareness is brought that the safety and security of industrial control systems cannot be dealt with in isolation, and the safety and security of industrial control protocols (ICPs) should be considered jointly. Fuzz testing (fuzzing) for the ICP is a common way to discover whether the ICP itself is designed and implemented with flaws and network security vulnerability. Traditional fuzzing methods promote the safety and security testing of ICPs, and many of them have practical applications. However, most traditional fuzzing methods rely heavily on the specification of ICPs, which makes the test process a costly, time-consuming, troublesome and boring task. And the task is hard to repeat if the specification does not exist. In this study, we propose a smart and automated protocol fuzzing methodology based on improved deep convolution generative adversarial network and give a series of performance metrics. An automated and intelligent fuzzing framework BLSTM-DCNNFuzz for application is designed. Several typical ICPs, including Modbus and EtherCAT, are applied to test the effectiveness and efficiency of our framework. Experiment results show that our methodology outperforms the existing ones like General Purpose Fuzzer and other deep learning based fuzzing methods in convenience, effectiveness, and efficiency.

engineering, manufacturing,computer science, artificial intelligence

Bo Wu,Bin Zhang,Sha Meng Wen,Meng Jun Li,Quan Zhang,Chao Jing Tang

DOI: https://doi.org/10.4028/www.scientific.net/amm.571-572.539

2014-01-01

Applied Mechanics and Materials

Abstract:Traditional Fuzzing is simple and easy to deploy but inefficient due to different inputs usually execute the redundant path. In this paper, we put forward a binary-oriented Fuzzing technique based on input format analysis and dynamic taint analysis, which can detect vulnerability more efficient than traditional Fuzzing method. We implemented a prototype system called Smart and Directed Fuzz (SDFuzz), which first searches the locations where interested functions are called, then uses dynamic taint analysis technique to classify input data into safety-related data and safety-unrelated data, finally mutates safety-related data to direct the test procedure. The evaluation shows that our method can be used to detect vulnerabilities in binary software efficiently.

Heping Tang,Shuguang Huang,Yongliang Li,Lei Bao

DOI: https://doi.org/10.1109/ICCET.2010.5485224

2010-01-01

Abstract:Untrusted Data originating from network input and configuration files, causes many software security problems. Keeping track of the propagation of untrusted data in program runtime is the main idea of dynamic taint analysis for vulnerability exploits detection. In this method data from network user input and configuration files were labeled as taint. In virtue of data flow analysis we design taint propagating algorithm, and define several taint detection policies for security-critical function which used taint data in dangerous ways that could cause vulnerability exploit. A vulnerability exploit detection prototype system was implemented. In contrast to other taint analysis systems, our prototype system has higher accuracy and vulnerability exploits coverage and low workloads.

Junjie Chen,Ruifeng Fu,Zan Wang,Yingquan Zhao,Haojie Ye

DOI: https://doi.org/10.1145/3597926.3598077

2023-07-12

Abstract:Due to the critical role of compilers, many compiler testing techniques have been proposed, two most notable categories among which are grammar-based and metamorphic-based techniques. All of them have been extensively studied for testing mature compilers. However, it is typical to develop a new compiler for a new-born programming language in practice. In this scenario, the existing techniques are hardly applicable due to some major reasons: (1) no reference compilers to support differential testing, (2) lack of program analysis tools to support most of metamorphic-based compiler testing, (3) substantial implementation effort incurred by different programming language features. Hence, it is unknown how the existing techniques perform in this new scenario. In this work, we conduct the first exploration (i.e., an industrial case study) to investigate the performance of the existing techniques in this new scenario with substantial adaptations. We adapted grammar-based compiler testing to this scenario by synthesizing new test programs based on code snippets and using compilation crash as test oracle due to the lack of reference compilers for differential testing. We also adapted metamorphic-based compiler testing to this scenario by constructing equivalent test programs under any inputs to relieve the dependence on program analysis tools. We call the adapted techniques SynFuzz and MetaFuzz, respectively. We evaluated both SynFuzz and MetaFuzz on two versions of a new compiler for a new-born programming language in a global IT company. By comparing with the testing practice adopted by the testing team and the general fuzzer (AFL), SynFuzz can detect more bugs during the same testing time, and both SynFuzz and MetaFuzz can complement the other two techniques. In particular, SynFuzz and MetaFuzz have detected 11 previously unknown bugs, all of which have been fixed by the developers. From the industrial case study, we summarized a series of lessons and suggestions for practical use and future research.

Computer Science

Xing ZHANG,Chao FENG,Jing LEI,Chao-Jing TANG

DOI: https://doi.org/10.13328/j.cnki.jos.005493

2018-01-01

Abstract:GUI program's idle state usually causes low efficiency of fuzzing test.This paper tries to solve idle state detecting problem based on function trace by nature language processing method.It first analyzes the difficulties that traditional program analysis method faces in idle state detection,and then proposes an idle state detecting method based on Bi-Gram module and statistical analysis.Bi-Gram algorithm transforms the function trace of the GUI program to probabilistic characteristics sequence,then segregates the idle state probabilistic characteristics sequence from prgram's probabilistic characteristics by variance characteristics in idle state probabilistic characteristics sequence.The algoritnm finally extracts idle state features which applied to the real-time idle state detecting algorithm.Experiments of source code and binary program show that the new method is more efficient and accurate than traditional method.

Donglan Liu,Jianfei Chen,Xin Liu,Yingxian Chang,Zhenghao Li,Rui Wang,Hao Yu,Fangzhe Zhang,Honglei Yao,Hao Zhang

DOI: https://doi.org/10.1109/ICEIEC58029.2023.10199463

2023-01-01

Abstract:For many power terminal devices, firmware binary code can be extracted directly from the device by different methods. And the binary firmware program security test, so as to find the Internet of Things terminal device security vulnerabilities. In this paper, the intelligent fuzz testing technology for power Internet of Things terminal is studied. Firstly, the basic framework of binary dynamic piling is studied, and the bottleneck of the existing framework is analyzed. In order to improve the performance of firmware program in dynamic pile driving environment, a dynamic simulation and dynamic pile driving framework combining user level simulation and system level simulation are proposed. Based on this framework, the pile driving method oriented to program coverage and the pile driving method oriented to program vulnerability guidance are studied respectively, which provides support for cross-platform fuzz testing. Secondly, dynamic stain analysis techniques are studied from both offline and online aspects. The advantage of offline dynamic smudge analysis is that it can fine-grained how data is propagated in memory during program execution, and can assist in the generation of initial test seeds. The advantage of online dynamic blot analysis is that it does not affect the performance of simulation test, and can dynamically infer the relationship between input bytes and constraints, so as to guide fuzz testing to carry out targeted variation. Finally, the intelligent prediction model of program vulnerability points is studied to intelligently locate potential defects in binary firmware programs. In order to solve these potential defects, the fuzz testing based on program coverage and potential vulnerability guidance is used, and the particle swarm optimization algorithm is used to optimize.

Chen Chen,Bo Yu,Wenke Wang,Runhao Liu,Ke Yan

DOI: https://doi.org/10.1109/CECIT58139.2022.00015

2022-01-01

Abstract:Fuzzing has grown considerably in recent years but mainly focuses on programs that do not have a dedicated parsing phase. Applications with structured input (e.g., XML and Tcl) usually have a dedicated parsing phase to check the validity of the input. Furthermore, different applications with the same input structure will add custom rules of grammar during implementation, such as defining special tag names and tag hierarchies in XML. To fuzz these applications, most existing solutions rely on manually written grammar documents and a seed set containing all custom grammar. In this paper, we propose an inductive grammar discovery approach and develop a general fuzzing engine suitable for different applications using the same parser. Our fuzzing engine, FSFuzz, works in two steps. First, it performs lightweight instrumentation on the parser to extract features of the grammar. Then, it uses the extracted features to fuzz all applications based on this parser. We evaluated the effectiveness of FSFuzz on 4 real-life programs. The results show that FSFuzz automatically discovers all 278 custom grammar keywords; furthermore, compared with other mature existing tools (AFL and Superion), FSFuzz significantly improves code coverage (25% and 21.5% in line coverage, respectively, and 23.2% and 20.4% in branch coverage, respectively).

Zheng SONG,Yongjian WANG,Bo JIN,Jiuchuan LIN

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.03.013

2016-01-01

Abstract:With the network security situation becoming increasingly worsening, detection technology that can timely and effectivly discover exploits and related advanced persistent threat(APT) attacks is of vital importance for network security. Dynamic taint analysis, which is one of the reliable exploit detection solutions, is a method that marks the non-trusted input source as tainted data, and tracks its spread with the execution of program to get the key position and data associated with the input. This paper ifrstly introduces the principle of dynamic taint analysis of binary programs and its development status in several typical systems, then analyzes existing problems with dynamic taint analysis of binary programs, and ifnally introduces the application of dynamic taint analysis. In this paper, the dynamic taint analysis technology of binary program is introduced in details, which is helpful to improve the network security protection level for important information system.