Yan Pan,Wei Lin,Liang Jiao,Yuefei Zhu

DOI: https://doi.org/10.1155/2022/6880677

IF: 1.968

2022-05-06

Security and Communication Networks

Abstract:The widely used network protocols play a crucial role in various systems. However, the protocol vulnerabilities caused by the design of the network protocol or its implementation by programmers lead to multiple security incidents and substantial losses. Hence, it is important to study the protocol fuzzing in order to ensure its correctness. However, the challenges of protocol fuzzing are the mutation of protocol messages and the deep interactivity of the protocol implementation. This paper proposes a model-based grey-box fuzzing approach for protocol implementations, including the server-side and client-side. The proposed method is divided into two phases: automata learning based on the minimally adequate teacher (MAT) framework and grey-box fuzzing guided by the learned model and code coverage. The StateFuzzer tool used for evaluation is presented to demonstrate the validity and feasibility of the proposed approach. The server-side fuzzing can achieve similar or higher code coverage and vulnerability discovery capability than those of AFLNET and StateAFL. Considering the client, the results show that it achieves 1.5X branch coverage (on average) compared with the default AFL, and 1.3X branch coverage compared with AFLNET and StateAFL, using the typical implementations such as OpenSSL, LibreSSL, and Live555. The StateFuzzer identifies a new memory corruption bug in Live555 (2021-08-25) and 14 distinct discrepancies based on differential testing.

computer science, information systems,telecommunications

Congxi Song,Bo Yu,Xu Zhou,Qiang Yang

DOI: https://doi.org/10.1109/access.2019.2895025

IF: 3.9

2019-01-01

IEEE Access

Abstract:In recent years, the fuzzing technology is widely used to detect the software vulnerabilities owing to the coverage improvement in the target program and the easiness of use. However, it is less efficient to fuzz the stateful protocols due to the difficulties like maintaining states and dependencies of messages. To address these challenges, we present SPFuzz, a framework for building flexible, coverage-guided stateful protocol fuzzing. We define a language in SPFuzz to describe the protocol specifications, protocol states transitions and dependencies for generating valuable test cases, maintaining correct messages in session states and handling protocol dependencies by updating message data in time. The SPFuzz adopts a three-level mutation strategy, namely head, content, and sequence mutation strategy to drive the fuzzing process to cover more paths, in conjunction with the method to randomly assign weights to messages and strategies. We use the following metrics to evaluate the performance of SPFuzz and other frameworks upon three protocol implementations, i.e., Proftpd, Oftpd, and OpenSSL, which are three-granularity coverages specifically function, basic block, and edge. In experiments, the SPFuzz framework outperforms the existing stateful protocol fuzzing tool Boofuzz by an average of 69.12% in three granularities coverage tests. This demonstrates that the SPFuzz has the ability to explore more and deeper paths of the target program. We further triggered CVE-2015-0291 in OpenSSL 1.0.2 with the SPFuzz, which proves the validity and utility of our framework.

Liu Yu,Shen Yanlong,Zhou Ying

2024-08-13

Abstract:Stateful Coverage-Based Greybox Fuzzing (SCGF) is considered the state-of-the-art method for network protocol greybox fuzzing. During the protocol fuzzing process, SCGF constructs the state machine of the target protocol by identifying protocol states. Optimal states are selected for fuzzing using heuristic methods, along with corresponding seeds and mutation regions, to effectively conduct fuzz testing. Nevertheless, existing SCGF methodologies prioritise the selection of protocol states without considering the correspondence between program basic block coverage information and protocol states. To address this gap, this paper proposes a statemap-based reverse state selection method for SCGF. This approach prioritises the coverage information of fuzzy test seeds, and delves deeper into the correspondence between the basic block coverage information of the programme and the protocol state, with the objective of improving the bitmap coverage. The state map is employed to simplify the state machine representation method. Furthermore, the design of different types of states has enabled the optimisation of the method of constructing message sequences, the reduction in the length of message sequences further improve the efficiency of test case execution. By optimising the SCGF, we developed SMGFuzz and conducted experiments utilising Profuzzbench in order to assess the testing efficiency of SMGFuzz.The results indicate that compared to AFLNet, SMGFuzz achieved an average increase of 12.48% in edges coverage, a 50.1% increase in unique crashes and a 40.2% increase in test case execution speed over a period of 24 hours.

Cryptography and Security

Xiaohan Zhang,Cen Zhang,Xinghua Li,Zhengjie Du,Bing Mao,Yuekang Li,Yaowen Zheng,Yeting Li,Li Pan,Yang Liu,Robert Deng

DOI: https://doi.org/10.1145/3696788

IF: 16.6

2024-10-12

ACM Computing Surveys

Abstract:Communication protocols form the bedrock of our interconnected world, yet vulnerabilities within their implementations pose significant security threats. Recent developments have seen a surge in fuzzing-based research dedicated to uncovering these vulnerabilities within protocol implementations. However, there still lacks a systematic overview of protocol fuzzing for answering the essential questions such as what the unique challenges are, how existing works solve them, and so on. To bridge this gap, we conducted a comprehensive investigation of related works from both academia and industry. Our study includes a detailed summary of the specific challenges in protocol fuzzing and provides a systematic categorization and overview of existing research efforts. Furthermore, we explore and discuss potential future research directions in protocol fuzzing.

computer science, theory & methods

Shihao Jiang,Yu Zhang,Junqiang Li,Hongfang Yu,Long Luo,Gang Sun

2024-02-27

Abstract:As one of the most successful and effective software testing techniques in recent years, fuzz testing has uncovered numerous bugs and vulnerabilities in modern software, including network protocol software. In contrast to other fuzzing targets, network protocol software exhibits its distinct characteristics and challenges, introducing a plethora of research questions that need to be addressed in the design and implementation of network protocol fuzzers. While some research work has evaluated and systematized the knowledge of general fuzzing techniques at a high level, there is a lack of similar analysis and summarization for fuzzing research specific to network protocols. This paper offers a comprehensive exposition of network protocol software's fuzzing-related features and conducts a systematic review of some representative advancements in network protocol fuzzing since its inception. We summarize state-of-the-art strategies and solutions in various aspects, propose a unified protocol fuzzing process model, and introduce the techniques involved in each stage of the model. At the same time, this paper also summarizes the promising research directions in the landscape of protocol fuzzing to foster exploration within the community for more efficient and intelligent modern network protocol fuzzing techniques.

Networking and Internet Architecture

Senyi Li,Junqiang Li,Jingxuan Fu,Mingwu Xue,Hongfang Yu,Gang Sun

DOI: https://doi.org/10.1109/ucet54125.2021.9674965

2021-01-01

Abstract:Fuzzing is one of the most successful techniques for protocol implementation security analysis and vulnerability discovery. Greybox fuzzing for network protocol has become a popular area for its high efficiency. However, present fuzzers are suffering performance drop as they pay no or not enough attention to network protocol specification. To be more detailed, unconstrained mutation and illegal state transition lead to low pass rate for messages. We analyzed present popular fuzzers and found that most fuzzers generate low quality messages that would be rejected by target program even at the beginning. To overcome this problem, we proposed a novel fuzzing approach which contains constrained message mutation and more efficient state chain searching algorithm based on network protocol specification. Our 24 hours experiments demonstrated that our approach outperforms the popular protocol fuzzing tool in both pass rate(at least 9.3%) and edge coverage(at least 12.1%).

Yisen Wang,Weiyu Dong,Zicong Gao,Rui Chang

DOI: https://doi.org/10.1002/cpe.5756

2020-04-08

Abstract:Fuzzing is an effective approach to detect software vulnerabilities utilizing changeable generated inputs. However, fuzzing the network protocol on the firmware of IoT devices is limited by inefficiency of test case generation, cross‐architecture instrumentation, and fault detection. In this article, we propose the Fw‐fuzz, a coverage‐guided and crossplatform framework for fuzzing network services running in the context of firmware on embedded architectures, which can generate more valuable test cases by introspecting program runtime information and using a genetic algorithm model. Specifically, we propose novel dynamic instrumentation in Fw‐fuzz to collect the running state of the firmware program. Then Fw‐fuzz adopts a genetic algorithm model to guide the generation of inputs with high code coverage. We fully implement the prototype system of Fw‐fuzz and conduct evaluations on network service programs of various architectures in MIPS, ARM, and PPC. By comparing with the protocol fuzzers Boofuzz and Peach in metrics of edge coverage, our prototype system achieves an average growth of 33.7% and 38.4%, respectively. We further verify six known vulnerabilities and discover 5 0‐day vulnerabilities with the Fw‐fuzz, which prove the validity and utility of our framework. The overhead of our system expressed as an additional 5% of memory growth.

Computer Science,Engineering

Fan Hu,Jiangan Ji,Hui Shu,Zheming Li,Tieming Liu,Chao Zhang

DOI: https://doi.org/10.1109/icst60714.2024.00022

2024-01-01

Abstract:The TLS protocol is one of the most crucial foundations for ensuring internet security. Consequently, vulnerabilities within the TLS protocol have a significant impact on the Internet security. This paper aims to explore more efficient methods of discovering vulnerabilities in the TLS protocol. Fuzzing stands out as one of the most important techniques for vulnerability discovery in the TLS protocol. To tackle the high complexity of the TLS protocol, stateful greybox fuzzers such as AFLnet have been introduced to enable stateful fuzzing of TLS servers. However, these mutation-based fuzzers often encounter chal-lenges in preserving the message format information during the mutation process, which can undermine the testing results. As a result, this paper proposes a novel approach that incorporates a formatted mutation strategy into the stateful greybox fuzzing process, with the aim of achieving more efficient mutation results. The evaluation process involves four mainstream fuzzers, with OpenSSL's TLS server serving as the target. The results demonstrate that the proposed method significantly enhances the quality of generated seeds, code coverage, and state coverage across all four fuzzers.

Bo Yu,Lei Zhou,Chengnuo Cai,Qiang Yang,Yaojia Yang,Runhao Liu,Lei Luo,Wenyu Long,Lianghua Gong

DOI: https://doi.org/10.1109/icws62655.2024.00139

2024-01-01

Abstract:Fuzzing network protocols is challenging due to their various factors including syntax, state transition, and even conformation of its executable software. To achieve better convenience of platform development and effectiveness of individual protocol testing, current grey-box fuzzing approaches generally focus on limited factors. However, it leaves poor performance on real-world services’s protocol evaluation since it requires significant additional adaptation efforts to accommodate the diversity of protocol software. To address this issue, we present FuzzFabric, a scalable grey-box fuzzing framework designed for polymorphic protocol services. FuzzFabric decouples existing fuzzing engines and modular programs the protocol processing adapters, and finally adaptive assembles fuzzing engine to evaluate different network protocol services. We implemented FuzzFabric on top of AFLNet, supporting 3 different protocol types and 4 instrumentation tools, and conducted experiments using 11 real-world protocol applications. The results demonstrate that FuzzFabric can effectively fuzz protocols in different forms with various instrumentation, validating its practical efficacy and scalability.

Zhaowei Zhang,Hongzheng Zhang,Jinjing Zhao,Yanfei Yin

DOI: https://doi.org/10.3390/electronics12132904

IF: 2.9

2023-07-02

Electronics

Abstract:Network protocols, as the communication rules among computer network devices, are the foundation for the normal operation of networks. However, security issues arising from design flaws and implementation vulnerabilities in network protocols pose significant risks to network operations and security. Network protocol fuzzing is an effective technique for discovering and mitigating security flaws in network protocols. It offers unparalleled advantages compared to other security analysis techniques thanks to the minimal requirement for prior knowledge of the target and low deployment complexity. Nevertheless, the randomness in test case generation, uncontrollable test coverage, and unstable testing efficiency introduce challenges in ensuring the controllability of the testing process and results. In order to comprehensively survey the development of network protocol fuzzing techniques and analyze their advantages and existing issues, in this paper, we categorized and summarized the protocol fuzzing and its related techniques based on the generation methods of test cases and testing conditions. Specifically, we overviewed the development trajectory and patterns of these techniques over the past two decades according to chronological order. Based on this analysis, we further predict the future directions of fuzzing techniques.

engineering, electrical & electronic,computer science, information systems,physics, applied

Bodong Zhao,Zheming Li,Shisong Qin,Zheyu Ma,Ming Yuan,Wenyu Zhu,Zhihong Tian,Chao Zhang

2022-01-01

Abstract:Coverage-guided fuzzing has achieved great success in finding software vulnerabilities. Existing coverage-guided fuzzers generally favor test cases that hit new code, and discard ones that exercise the same code. However, such a strategy is not optimum. A new test case exercising the same code could be better than a previous test case, as it may trigger new program states useful for code exploration and bug discovery. In this paper, we assessed the limitation of coverage-guided fuzzing solutions and proposed a state-aware fuzzing solution StateFuzz to address this issue. First, we model program states with values of state-variables and utilize static analysis to recognize such variables. Then, we instrument target programs to track such variables' values and infer program state transition at runtime. Lastly, we utilize state information to prioritize test cases that can trigger new states, and apply a three-dimension feedback mechanism to fine-tune the evolutionary direction of coverage-guided fuzzers. We have implemented a prototype of StateFuzz, and evaluated it on Linux upstream drivers and Android drivers. Evaluation results show that StateFuzz is effective at discovering both new code and vulnerabilities. It finds 18 unknown vulnerabilities and 2 known but unpatched vulnerabilities, and reaches 19% higher code coverage and 32% higher state coverage than the state-of-the-art fuzzer Syzkaller.

Junqiang Li,Senyi Li,Gang Sun,Ting Chen,Hongfang Yu

DOI: https://doi.org/10.1109/tifs.2022.3192991

IF: 7.231

2022-08-02

IEEE Transactions on Information Forensics and Security

Abstract:Greybox fuzzing has been widely used in stateless programs and has achieved great success. However, most state-of-the-art greybox fuzzers have slow speed and shallow state depth coverage in fuzzing stateful network protocol programs, which are able to remember and store the details of interactions. The existing greybox fuzzers for network protocol programs first send a series of well-defined prefix sequences of input messages and then send mutated messages to test the target state of a stateful network protocol. This process leads to a high time cost. In this paper, we propose SNPSFuzzer, a fast greybox fuzzer for stateful network protocols using snapshots. SNPSFuzzer dumps the context information when the network protocol program is in a specific state and restores it when the state needs to be fuzzed. Furthermore, we design a message chain analysis algorithm to explore more and deeper network protocol states. Our evaluation shows that compared with the state-of-the-art network protocol greybox fuzzer AFLNET, SNPSFuzzer improves the message processing speed of network protocol fuzzing by 70.7% and increases the path coverage by 20.9% on average within 24 hours. Moreover, SNPSFuzzer exposes a previously unreported vulnerability in the program Tinydtls.

computer science, theory & methods,engineering, electrical & electronic

Mingjie Cheng,Kailong Zhu,Yuanchao Chen,Guozheng Yang,Yuliang Lu,Canju Lu

DOI: https://doi.org/10.3390/electronics13132632

IF: 2.9

2024-01-01

Electronics

Abstract:Network protocol implementations, as integral components of information communication, are critically important for security. Due to its efficiency and automation, fuzzing has become a popular method for protocol security detection. However, the existing protocol-fuzzing techniques face the critical problem of generating high-quality inputs. To address the problem, in this paper, we propose MSFuzz, which is a protocol-fuzzing method with message syntax comprehension. The core observation of MSFuzz is that the source code of protocol implementations contains detailed and comprehensive knowledge of the message syntax. Specifically, we leveraged the code-understanding capabilities of large language models to extract the message syntax from the source code and construct message syntax trees. Then, using these syntax trees, we expanded the initial seed corpus and designed a novel syntax-aware mutation strategy to guide the fuzzing. To evaluate the performance of MSFuzz, we compared it with the state-of-the-art (SOTA) protocol fuzzers, namely, AFLNET and CHATAFL. Experimental results showed that compared with AFLNET and CHATAFL, MSFuzz achieved average improvements of 22.53% and 10.04% in the number of states, 60.62% and 19.52% improvements in the number of state transitions, and 29.30% and 23.13% improvements in branch coverage. Additionally, MSFuzz discovered more vulnerabilities than the SOTA fuzzers.

Yingpei Zeng,Mingmin Lin,Shanqing Guo,Yanzhao Shen,Tingting Cui,Ting Wu,Qiuhua Zheng,Qiuhua Wang

DOI: https://doi.org/10.3390/s20185194

IF: 3.9

2020-09-11

Sensors

Abstract:The publish/subscribe model has gained prominence in the Internet of things (IoT) network, and both Message Queue Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP) support it. However, existing coverage-based fuzzers may miss some paths when fuzzing such publish/subscribe protocols, because they implicitly assume that there are only two parties in a protocol, which is not true now since there are three parties, i.e., the publisher, the subscriber and the broker. In this paper, we propose MultiFuzz, a new coverage-based multiparty-protocol fuzzer. First, it embeds multiple-connection information in a single input. Second, it uses a message mutation algorithm to stimulate protocol state transitions, without the need of protocol specifications. Third, it uses a new desockmulti module to feed the network messages into the program under test. desockmulti is similar to desock (Preeny), a tool widely used by the community, but it is specially designed for fuzzing and is 10x faster. We implement MultiFuzz based on AFL, and use it to fuzz two popular projects Eclipse Mosquitto and libCoAP. We reported discovered problems to the projects. In addition, we compare MultiFuzz with AFL and two state-of-the-art fuzzers, MOPT and AFLNET, and find it discovering more paths and crashes.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Dongge Liu,Van-Thuan Pham,Gidon Ernst,Toby Murray,Benjamin I.P. Rubinstein

DOI: https://doi.org/10.48550/arXiv.2112.15498

2022-01-07

Abstract:The statefulness property of network protocol implementations poses a unique challenge for testing and verification techniques, including Fuzzing. Stateful fuzzers tackle this challenge by leveraging state models to partition the state space and assist the test generation process. Since not all states are equally important and fuzzing campaigns have time limits, fuzzers need effective state selection algorithms to prioritize progressive states over others. Several state selection algorithms have been proposed but they were implemented and evaluated separately on different platforms, making it hard to achieve conclusive findings. In this work, we evaluate an extensive set of state selection algorithms on the same fuzzing platform that is AFLNet, a state-of-the-art fuzzer for network servers. The algorithm set includes existing ones supported by AFLNet and our novel and principled algorithm called AFLNetLegion. The experimental results on the ProFuzzBench benchmark show that (i) the existing state selection algorithms of AFLNet achieve very similar code coverage, (ii) AFLNetLegion clearly outperforms these algorithms in selected case studies, but (iii) the overall improvement appears insignificant. These are unexpected yet interesting findings. We identify problems and share insights that could open opportunities for future research on this topic.

Software Engineering,Cryptography and Security,Machine Learning

Zhengxiong Luo,Junze Yu,Feilong Zuo,Jianzhong Liu,Yu Jiang,Ting Chen,Abhik Roychoudhury,Jiaguang Sun

2023-01-01

Abstract:Protocol implementations are essential components in network infrastructures. Flaws hidden in the implementations can easily render devices vulnerable to adversaries. Therefore, guaranteeing their correctness is important. However, commonly used vulnerability detection techniques, such as fuzz testing, face increasing challenges in testing these implementations due to ineffective feedback mechanisms and insufficient protocol state-space exploration techniques. This paper presents BLEEM, a packet-sequence-oriented black-box fuzzer for vulnerability detection of protocol implementations. Instead of focusing on individual packet generation, BLEEM generates packets on a sequence level. It provides an effective feedback mechanism by analyzing the system output sequence noninvasively, supports guided fuzzing by resorting to state-space tracking that encompasses all parties timely, and utilizes interactive traffic information to generate protocol-logic-aware packet sequences. We evaluate BLEEM on 15 widely-used implementations of well-known protocols (e.g., TLS and QUIC). Results show that, compared to the state-of-the-art protocol fuzzers such as Peach, BLEEM achieves substantially higher branch coverage (up to 174.93% improvement) within 24 hours. Furthermore, BLEEM exposed 15 security-critical vulnerabilities in prominent protocol implementations, with 10 CVEs assigned.

Zhengxiong Luo,Zhe Liu,Yu Jiang,Junze Yu,Feilong Zuo

DOI: https://doi.org/10.1109/DAC18074.2021.9586321

2021-12-05

Abstract:The rapid development of in-vehicle networks and protocols brings efficient communication service but also increases the risk of attack. Any vulnerability may be leveraged to cause serious consequences. It is of vital importance to guarantee their security. However, the vulnerability detection efficiency of traditional techniques such as fuzzing is challenged by the complex relations among protocol states.In this paper, we propose PAVFuzz, a state-sensitive fuzz testing framework to secure those protocols used in autonomous vehicles. It automatically learns relations between two data elements in different protocol states. The relations will then be used to calculate and update the mutation weight of each data element continuously. Accordingly, PAVFuzz is able to select the target data elements and perform state-sensitive mutation to boost the efficiency. Experiments show that, compared with state-of-the-art fuzzers Peach and AFL, PAVFuzz increases branch coverage by averagely 22.51% and 369.19% within 24 hours. It has successfully exposed 12 serious previously unknown vulnerabilities among several protocols that are widely used in autonomous vehicles, such as RTPS and SOME/IP. We have reported them to the developers and corresponding patches have been released.

Engineering,Computer Science

Roberto Natella

DOI: https://doi.org/10.1007/s10664-022-10233-3

2022-10-04

Abstract:Fuzzing network servers is a technical challenge, since the behavior of the target server depends on its state over a sequence of multiple messages. Existing solutions are costly and difficult to use, as they rely on manually-customized artifacts such as protocol models, protocol parsers, and learning frameworks. The aim of this work is to develop a greybox fuzzer (StateaAFL) for network servers that only relies on lightweight analysis of the target program, with no manual customization, in a similar way to what the AFL fuzzer achieved for stateless programs. The proposed fuzzer instruments the target server at compile-time, to insert probes on memory allocations and network I/O operations. At run-time, it infers the current protocol state of the target server by taking snapshots of long-lived memory areas, and by applying a fuzzy hashing algorithm (Locality-Sensitive Hashing) to map memory contents to a unique state identifier. The fuzzer incrementally builds a protocol state machine for guiding fuzzing. We implemented and released StateaAFL as open-source software. As a basis for reproducible experimentation, we integrated StateaAFL with a large set of network servers for popular protocols, with no manual customization to accomodate for the protocol. The experimental results show that the fuzzer can be applied with no manual customization on a large set of network servers for popular protocols, and that it can achieve comparable, or even better code coverage and bug detection than customized fuzzing. Moreover, our qualitative analysis shows that states inferred from memory better reflect the server behavior than only using response codes from messages.

Cryptography and Security,Operating Systems,Software Engineering

Ke Yan,Bo Yu,Yong Tang,Xiangdong Kong,Chen,Jin Lei

DOI: https://doi.org/10.1109/dsc55868.2022.00060

2022-01-01

Abstract:Fuzzing is one of the most popular software analysis techniques for discovering vulnerabilities. Different from common terminal software, servers should be interacted with well-formed message that conforms to protocol specifications to exercise more functions. However, without protocol specifications, random bit flipping is unlikely to generate valid messages, making fuzzing struggle to traverse the deeper branches of the program. What’s more, manually extracting specifications is typically labor-intensive. In this paper, we present NAFuzzer, a format-aware fuzzing framework for network protocol software. Based on the key insight that similar message fields being parsed at similar locations in the program, NAFuzzer collects constraints of message handling process using replay-based concolic execution, then runs Loop Mapping algorithm to infer the protocol format, and finally uses the format information to generate seeds and perform fuzzing. We implemented and evaluated NAFuzzer on 6 real-world protocol software (LightFTP, Exim, Live555, NetSNMP, Dnsmasq, TinyHTTPd). The results show that NAFuzzer can extract the message formats of six protocol software with a field recognition accuracy of close to 90%. In fuzzing, it achieves higher branch coverage (up to 27.3%) and discovers more paths (up to 38.2%) compared to state-of-the-art fuzzers without any manual involvement.