Ruiyang Ma,Jiayi Huang,Shijian Zhang,Yuan Xie,Guojie Luo

DOI: https://doi.org/10.1109/tcad.2024.3430195

IF: 2.9

2024-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Network-on-Chip (NoC) has surfaced as a crucial interconnection strategy in modern digital systems, thereby demanding meticulous verification. Due to its multiple nodes and high concurrency, verifying a NoC is labor-intensive, making it complex to generate a multitude of test cases. Recently, hardware fuzzing has been identified as a promising automated approach for hardware verification. However, when we tried to apply these fuzzing techniques to our internally developed NoC design, we discovered that they were incompatible with the specificities of NoC. Additionally, they are also incompatible with the standard IC verification workflow and Universal Verification Methodology (UVM) environment. In this work, we aim to automate our verification process of NoC with fuzzing. We propose a fuzzing strategy specifically tailored for industrial NoC UVM verification. We employ fuzzing in NoC verification at multiple levels, including router verification, network verification and stress testing. As a case study we apply our approach to an open-source NoC component in OpenPiton. Remarkably, our fuzzing methods automatically achieved complete code and functional coverage in the router and mesh network. We also effectively detect injected starvation bugs with fuzzing. The evaluation results clearly demonstrate the practicability of our fuzzing approach to considerably reduce the manpower required for test case generation compared with traditional NoC verification.

Fan Zhang,Qianmei Wu,Bohan Xuan,Yuqi Chen,Wei Lin,Christopher M. Poskitt,Jun Sun,Binbin Chen

DOI: https://doi.org/10.1109/tse.2023.3309330

2020-01-01

Abstract:Cyber-physical systems (CPSs) automating critical public infrastructure face a pervasive threat of attack, motivating research into different types of countermeasures. Assessing the effectiveness of these countermeasures is challenging, however, as benchmarks are difficult to construct manually, existing automated testing solutions often make unrealistic assumptions, and blindly fuzzing is ineffective at finding attacks due to the enormous search spaces and resource requirements. In this work, we propose active sensor fuzzing , a fully automated approach for building test suites without requiring any a prior knowledge about a CPS. Our approach employs active learning techniques. Applied to a real-world water treatment system, our approach manages to find attacks that drive the system into 15 different unsafe states involving water flow, pressure, and tank levels, including nine that were not covered by an established attack benchmark. Furthermore, we successfully generate targeted multi-point attacks which have been long suspected to be possible. We reveal that active sensor fuzzing successfully extends the attack benchmarks generated by our previous work, an ML-guided fuzzing tool, with two more kinds of attacks. Finally, we investigate the impact of active learning on models and the reason that the model trained with active learning is able to discover more attacks.

Shihao Jiang,Yu Zhang,Junqiang Li,Hongfang Yu,Long Luo,Gang Sun

2024-02-27

Abstract:As one of the most successful and effective software testing techniques in recent years, fuzz testing has uncovered numerous bugs and vulnerabilities in modern software, including network protocol software. In contrast to other fuzzing targets, network protocol software exhibits its distinct characteristics and challenges, introducing a plethora of research questions that need to be addressed in the design and implementation of network protocol fuzzers. While some research work has evaluated and systematized the knowledge of general fuzzing techniques at a high level, there is a lack of similar analysis and summarization for fuzzing research specific to network protocols. This paper offers a comprehensive exposition of network protocol software's fuzzing-related features and conducts a systematic review of some representative advancements in network protocol fuzzing since its inception. We summarize state-of-the-art strategies and solutions in various aspects, propose a unified protocol fuzzing process model, and introduce the techniques involved in each stage of the model. At the same time, this paper also summarizes the promising research directions in the landscape of protocol fuzzing to foster exploration within the community for more efficient and intelligent modern network protocol fuzzing techniques.

Networking and Internet Architecture

Jingda Yang,Sudhanshu Arya,Ying Wang

2023-07-21

Abstract:Softwarization and virtualization in 5G and beyond necessitate thorough testing to ensure the security of critical infrastructure and networks, requiring the identification of vulnerabilities and unintended emergent behaviors from protocol designs to their software stack implementation. To provide an efficient and comprehensive solution, we propose a novel and first-of-its-kind approach that connects the strengths and coverage of formal and fuzzing methods to efficiently detect vulnerabilities across protocol logic and implementation stacks in a hierarchical manner. We design and implement formal verification to detect attack traces in critical protocols, which are used to guide subsequent fuzz testing and incorporate feedback from fuzz testing to broaden the scope of formal verification. This innovative approach significantly improves efficiency and enables the auto-discovery of vulnerabilities and unintended emergent behaviors from the 3GPP protocols to software stacks. Following this approach, we discover one identifier leakage model, one DoS attack model, and two eavesdrop attack models due to the absence of rudimentary MITM protection within the protocol, despite the existence of a Transport Layer Security (TLS) solution to this issue for over a decade. More remarkably, guided by the identified formal analysis and attack models, we exploit 61 vulnerabilities using fuzz testing demonstrated on srsRAN platforms. These identified vulnerabilities contribute to fortifying protocol-level assumptions and refining the search space. Compared to state-of-the-art fuzz testing, our united formal and fuzzing methodology enables auto-assurance by systematically discovering vulnerabilities. It significantly reduces computational complexity, transforming the non-practical exponential growth in computational cost into linear growth.

Cryptography and Security

Zhaowei Zhang,Hongzheng Zhang,Jinjing Zhao,Yanfei Yin

DOI: https://doi.org/10.3390/electronics12132904

IF: 2.9

2023-07-02

Electronics

Abstract:Network protocols, as the communication rules among computer network devices, are the foundation for the normal operation of networks. However, security issues arising from design flaws and implementation vulnerabilities in network protocols pose significant risks to network operations and security. Network protocol fuzzing is an effective technique for discovering and mitigating security flaws in network protocols. It offers unparalleled advantages compared to other security analysis techniques thanks to the minimal requirement for prior knowledge of the target and low deployment complexity. Nevertheless, the randomness in test case generation, uncontrollable test coverage, and unstable testing efficiency introduce challenges in ensuring the controllability of the testing process and results. In order to comprehensively survey the development of network protocol fuzzing techniques and analyze their advantages and existing issues, in this paper, we categorized and summarized the protocol fuzzing and its related techniques based on the generation methods of test cases and testing conditions. Specifically, we overviewed the development trajectory and patterns of these techniques over the past two decades according to chronological order. Based on this analysis, we further predict the future directions of fuzzing techniques.

engineering, electrical & electronic,computer science, information systems,physics, applied

Ruiyang Ma,Huatao Zhao,Jiayi Huang,Shijian Zhang,Guojie Luo

DOI: https://doi.org/10.23919/date58400.2024.10546548

2024-01-01

Abstract:We endeavor to make hardware fuzzing compatible with the standard IC development process and apply that to NoC verification in a real-world industrial environment. We systematically employ fuzzing throughout the entire NoC verification process, including router verification, network verification, and stress testing. As a case study, we apply our approach to an open-source NoC component in OpenPiton. Remarkably, our fuzzing methods automatically achieved complete code and functional coverage in the router and mesh network, and effectively detect injected starvation bugs. The evaluation results clearly demonstrate the practicability of our fuzzing approach to considerably reduce the manpower required for test case generation compared with traditional NoC verification.

Zhengxiong Luo,Zhe Liu,Yu Jiang,Junze Yu,Feilong Zuo

DOI: https://doi.org/10.1109/DAC18074.2021.9586321

2021-12-05

Abstract:The rapid development of in-vehicle networks and protocols brings efficient communication service but also increases the risk of attack. Any vulnerability may be leveraged to cause serious consequences. It is of vital importance to guarantee their security. However, the vulnerability detection efficiency of traditional techniques such as fuzzing is challenged by the complex relations among protocol states.In this paper, we propose PAVFuzz, a state-sensitive fuzz testing framework to secure those protocols used in autonomous vehicles. It automatically learns relations between two data elements in different protocol states. The relations will then be used to calculate and update the mutation weight of each data element continuously. Accordingly, PAVFuzz is able to select the target data elements and perform state-sensitive mutation to boost the efficiency. Experiments show that, compared with state-of-the-art fuzzers Peach and AFL, PAVFuzz increases branch coverage by averagely 22.51% and 369.19% within 24 hours. It has successfully exposed 12 serious previously unknown vulnerabilities among several protocols that are widely used in autonomous vehicles, such as RTPS and SOME/IP. We have reported them to the developers and corresponding patches have been released.

Engineering,Computer Science

Yu Zhang,Nanyu Zhong,Wei You,Yanyan Zou,Kunpeng Jian,Jiahuan Xu,Jian Sun,Baoxu Liu,Wei Huo

DOI: https://doi.org/10.1186/s42400-022-00120-1

2022-11-02

Abstract:Network function virtualization provides programmable in-network middlewares by leveraging virtualization technologies and commodity hardware and has gained popularity among all mainstream network device manufacturers. Yet it is challenging to apply coverage-guided fuzzing, one of the state-of-the-art vulnerability discovery approaches, to those virtualized network devices, due to inevitable integrity protection adopted by those devices. In this paper, we propose a coverage-guided fuzzing framework NDFuzz for virtualized network devices with a novel integrity protection bypassing method, which is able to distinguish processes of virtualized network devices from hypervisors with a carefully designed non-intrusive page global directory inference technique. We implement NDFuzz atop of two black-box fuzzers and evaluate NDFuzz with three representative network protocols, SNMP , DHCP and NTP , on nine popular virtualized network devices. NDFuzz obtains an average 36% coverage improvement in comparison with its black-box counterparts. NDFuzz discovers 2 0-Day vulnerabilities and 1 1-Day vulnerability with coverage guidance while the black-box fuzzer can find only one of them. All discovered vulnerabilities are confirmed by corresponding vendors.

computer science, information systems, interdisciplinary applications, software engineering

Wanyou Lv,Jiawen Xiong,Jianqi Shi,Yanhong Huang,Shengchao Qin

DOI: https://doi.org/10.1007/s10845-020-01584-z

IF: 8.3

2020-05-23

Journal of Intelligent Manufacturing

Abstract:A growing awareness is brought that the safety and security of industrial control systems cannot be dealt with in isolation, and the safety and security of industrial control protocols (ICPs) should be considered jointly. Fuzz testing (fuzzing) for the ICP is a common way to discover whether the ICP itself is designed and implemented with flaws and network security vulnerability. Traditional fuzzing methods promote the safety and security testing of ICPs, and many of them have practical applications. However, most traditional fuzzing methods rely heavily on the specification of ICPs, which makes the test process a costly, time-consuming, troublesome and boring task. And the task is hard to repeat if the specification does not exist. In this study, we propose a smart and automated protocol fuzzing methodology based on improved deep convolution generative adversarial network and give a series of performance metrics. An automated and intelligent fuzzing framework BLSTM-DCNNFuzz for application is designed. Several typical ICPs, including Modbus and EtherCAT, are applied to test the effectiveness and efficiency of our framework. Experiment results show that our methodology outperforms the existing ones like General Purpose Fuzzer and other deep learning based fuzzing methods in convenience, effectiveness, and efficiency.

engineering, manufacturing,computer science, artificial intelligence

Yisen Wang,Weiyu Dong,Zicong Gao,Rui Chang

DOI: https://doi.org/10.1002/cpe.5756

2020-04-08

Abstract:Fuzzing is an effective approach to detect software vulnerabilities utilizing changeable generated inputs. However, fuzzing the network protocol on the firmware of IoT devices is limited by inefficiency of test case generation, cross‐architecture instrumentation, and fault detection. In this article, we propose the Fw‐fuzz, a coverage‐guided and crossplatform framework for fuzzing network services running in the context of firmware on embedded architectures, which can generate more valuable test cases by introspecting program runtime information and using a genetic algorithm model. Specifically, we propose novel dynamic instrumentation in Fw‐fuzz to collect the running state of the firmware program. Then Fw‐fuzz adopts a genetic algorithm model to guide the generation of inputs with high code coverage. We fully implement the prototype system of Fw‐fuzz and conduct evaluations on network service programs of various architectures in MIPS, ARM, and PPC. By comparing with the protocol fuzzers Boofuzz and Peach in metrics of edge coverage, our prototype system achieves an average growth of 33.7% and 38.4%, respectively. We further verify six known vulnerabilities and discover 5 0‐day vulnerabilities with the Fw‐fuzz, which prove the validity and utility of our framework. The overhead of our system expressed as an additional 5% of memory growth.

Computer Science,Engineering

Jingda Yang,Ying Wang

DOI: https://doi.org/10.48550/arXiv.2307.05758

2023-07-12

Abstract:Softwarization and virtualization in 5G and beyond require rigorous testing against vulnerabilities and unintended emergent behaviors for critical infrastructure and network security assurance. Formal methods operates efficiently in protocol-level abstract specification models, and fuzz testing offers comprehensive experimental evaluation of system implementations. In this paper, we propose a novel framework that leverages the respective advantages and coverage of both formal and fuzzing methods to efficiently detect vulnerabilities from protocol logic to implementation stacks hierarchically. The detected attack traces from the formal verification results in critical protocols guide the case generation of fuzz testing, and the feedbacks from fuzz testing further broaden the scope of the formal verification. We examine the proposed framework with the 5G Non Standard-Alone (NSA) security processes, focusing on the Radio Resource Control (RRC) connection process. We first identify protocol-level vulnerabilities of user credentials via formal methods. Following this, we implement bit-level fuzzing to evaluate potential impacts and risks of integrity-vulnerable identifier variation. Concurrently, we conduct command-level mutation-based fuzzing by fixing the assumption identifier to assess the potential impacts and risks of confidentiality-vulnerable identifiers. During this approach, we established 1 attack model and detected 53 vulnerabilities. The vulnerabilities identified used to fortify protocol-level assumptions could further refine search space for the following detection cycles. Consequently, it addresses the prevalent scalability challenges in detecting vulnerabilities and unintended emergent behaviors in large-scale systems in 5G and beyond.

Cryptography and Security

Yong-Hao Zou,Jia-Ju Bai,Jielong Zhou,Jiangfeng Tan,Chenggang Qin,Shi-Min Hu

2021-01-01

Abstract:TCP stacks provide reliable data transmission in network, and thus they should be correctly implemented and well tested to ensure reliability and security. However, testing TCP stacks is difficult. First, a TCP stack accepts packets and system calls that have dependencies between each other, and thus generating effective test cases is challenging. Second, a TCP stack has various complex state transitions, but existing testing approaches target covering states instead of covering state transitions, and thus their testing coverage is limited. Finally, our study of TCP stack commits shows that 87% of bug-fixing commits are related to semantic bugs (such as RFC violations), but existing bug sanitizers can detect only memory bugs not semantic bugs. In this paper, we design a novel fuzzing framework named TCP-Fuzz, to effectively test TCP stacks and detect bugs. TCP-Fuzz consists of three key techniques: (1) a dependencybased strategy that considers dependencies between packets and system calls, to generate effective test cases; (2) a transition-guided fuzzing approach that uses a new coverage metric named branch transition as program feedback, to improve the coverage of state transitions; (3) a differential checker that compares the outputs of multiple TCP stacks for the same inputs, to detect semantic bugs. We have evaluated TCP-Fuzz on five widely-used TCP stacks (TLDK, F-Stack, mTCP, FreeBSD TCP and Linux TCP), and find 56 real bugs (including 8 memory bugs and 48 semantic bugs). 40 of these bugs have been confirmed by related developers.

Yahui Li,Zhiliang Wang,Xia Yin,Xingang Shi,Jianping Wu,Fangdan Ye,Jiangyuan Yao,Han Zhang

DOI: https://doi.org/10.1016/j.comnet.2020.107326

IF: 5.493

2020-01-01

Computer Networks

Abstract:Configuring a network is always difficult and error-prone because of low-level configuration languages and complex routing mechanisms. Most network outages occur when network the configuration is updated. Thus, it is important to proactively verify network configurations. Unfortunately, there are two practical obstacles that inhibit the performance of existing configuration verification tools: (i) Lack of knowledge. Network users often do not know which input verification queries need to be verified. (ii) Limited scalability. Even the state-of-the-art tool (i.e., Minesweeper [1]) takes approximately 500 seconds to complete a single reachability query for a network with tens of routers. Considering the total number of queries that must be verified, real networks often make such techniques impractical. In this paper, we propose NUV, a framework for performing network configuration update verification. NUV outputs verification queries for only the endpoints whose forwarding behavior has changed under the updated network configuration. Based on the network forwarding model, NUV infers the potential traffic impact and eliminates endpoints whose forwarding behavior is equivalent in both the original network configuration and the updated configuration. The NUV outputs can be used as input to a rich collection of existing configuration verification tools. Evaluations on a series of benchmark networks show that NUV can solve the lack of knowledge problem, and it enables query verification to execute at speeds orders of magnitude faster than existing tools; thus, it also improves verification scalability.

Yan Pan,Wei Lin,Liang Jiao,Yuefei Zhu

DOI: https://doi.org/10.1155/2022/6880677

IF: 1.968

2022-05-06

Security and Communication Networks

Abstract:The widely used network protocols play a crucial role in various systems. However, the protocol vulnerabilities caused by the design of the network protocol or its implementation by programmers lead to multiple security incidents and substantial losses. Hence, it is important to study the protocol fuzzing in order to ensure its correctness. However, the challenges of protocol fuzzing are the mutation of protocol messages and the deep interactivity of the protocol implementation. This paper proposes a model-based grey-box fuzzing approach for protocol implementations, including the server-side and client-side. The proposed method is divided into two phases: automata learning based on the minimally adequate teacher (MAT) framework and grey-box fuzzing guided by the learned model and code coverage. The StateFuzzer tool used for evaluation is presented to demonstrate the validity and feasibility of the proposed approach. The server-side fuzzing can achieve similar or higher code coverage and vulnerability discovery capability than those of AFLNET and StateAFL. Considering the client, the results show that it achieves 1.5X branch coverage (on average) compared with the default AFL, and 1.3X branch coverage compared with AFLNET and StateAFL, using the typical implementations such as OpenSSL, LibreSSL, and Live555. The StateFuzzer identifies a new memory corruption bug in Live555 (2021-08-25) and 14 distinct discrepancies based on differential testing.

computer science, information systems,telecommunications

Yuqi Chen,Bohan Xuan,Christopher M. Poskitt,Jun Sun,Fan Zhang

DOI: https://doi.org/10.1145/3395363.3397376

2020-07-16

Abstract:Cyber-physical systems (CPSs) in critical infrastructure face a pervasive threat from attackers, motivating research into a variety of countermeasures for securing them. Assessing the effectiveness of these countermeasures is challenging, however, as realistic benchmarks of attacks are difficult to manually construct, blindly testing is ineffective due to the enormous search spaces and resource requirements, and intelligent fuzzing approaches require impractical amounts of data and network access. In this work, we propose active fuzzing, an automatic approach for finding test suites of packet-level CPS network attacks, targeting scenarios in which attackers can observe sensors and manipulate packets, but have no existing knowledge about the payload encodings. Our approach learns regression models for predicting sensor values that will result from sampled network packets, and uses these predictions to guide a search for payload manipulations (i.e. bit flips) most likely to drive the CPS into an unsafe state. Key to our solution is the use of online active learning, which iteratively updates the models by sampling payloads that are estimated to maximally improve them. We evaluate the efficacy of active fuzzing by implementing it for a water purification plant testbed, finding it can automatically discover a test suite of flow, pressure, and over/underflow attacks, all with substantially less time, data, and network access than the most comparable approach. Finally, we demonstrate that our prediction models can also be utilised as countermeasures themselves, implementing them as anomaly detectors and early warning systems.

Software Engineering,Cryptography and Security,Machine Learning

Xinyao Liu,Baojiang Cui,Junsong Fu,Jinxin Ma

DOI: https://doi.org/10.1016/j.future.2019.12.032

IF: 7.307

2020-07-01

Future Generation Computer Systems

Abstract:Narrowband Internet of Things (NB-loT) is widely deployed in the cellular network of operators, yet implementations of its core network protocols are suffering from bugs. Due to the complexity of the frame structure of NB-IoT core network protocols, testing the protocols in this field is notoriously difficult. In this paper, we propose a novel fuzzing framework, named HFuzz, to generate a great many high-quality test inputs automatically. HFuzz is an automatic hierarchy-aware fuzzing framework and can allocate computing resources efficiently. We put forward the concept of Message Structure Tree to transform the seed file and generate mutated data of the tested protocols and optimize the resource allocation for each hierarchy of the transformed structure by a novel scheduling algorithm. Therefore HFuzz can get a balance between breadth and depth in finding new paths. Compared to traditional fuzzing tools, HFuzz can easily pass the early verification and induce a better coverage of the target implementations by taking full advantage of format information of NB-IoT core network protocols. Our framework applies to various protocols, and we evaluate the performance of HFuzz on GPRS Tunnelling Protocol version 2(GTPv2) in this paper and conduct experiments with two protocol implementations, Open Air Interface (OAI) and B*(a development system). The experimental results show HFuzz yields higher coverage than American Fuzzy Lop (AFL) and Peach, and we further find a real implementation bug in OAI.

Yahui Li,Xia Yin,Zhiliang Wang,Jiangyuan Yao,Xingang Shi,Jianping Wu,Han Zhang,Qing Wang

DOI: https://doi.org/10.1109/COMST.2018.2868050

IF: 35.6

2019-01-01

IEEE Communications Surveys & Tutorials

Abstract:Networks have grown increasingly complicated. Violations of intended policies can compromise network availability and network reliability. Network operators need to ensure that their policies are correctly implemented. This has inspired a research field, network verification and testing, that enables users to automatically detect bugs and systematically reason their network. Furthermore, techniques ranging from formal modeling to verification and testing have been applied to help operators build reliable systems in electronic design automation and software. Inspired by its success, network verification has recently seen increased attention in the academic and industrial communities. As an area of current interest, it is an interdisciplinary subject (with fields including formal methods, mathematical logic, programming languages, and networks), making it daunting for a nonprofessional. We perform a comprehensive survey on well-developed methodologies and tools for data plane verification, control plane verification, data plane testing and control plane testing. This survey also provides lessons gained from existing solutions and a perspective of future research developments.

Kaled Alshmrany,Lucas Cordeiro

DOI: https://doi.org/10.48550/arXiv.2001.09592

2020-01-27

Cryptography and Security

Abstract:Implementations of network protocols are often prone to vulnerabilities caused by developers' mistakes when accessing memory regions and dealing with arithmetic operations. Finding practical approaches for checking the security of network protocol implementations has proven to be a challenging problem. The main reason is that the protocol software state-space is too large to be explored. Here we propose a novel verification approach that combines fuzzing with symbolic execution to verify intricate properties in network protocol implementations. We use fuzzing for an initial exploration of the network protocol, while symbolic execution explores both the program paths and protocol states, which were uncovered by fuzzing. From this combination, we automatically generate high-coverage test input packets for a network protocol implementation. We surveyed various approaches based on fuzzing and symbolic execution to understand how these techniques can be effectively combined and then choose a suitable tool to develop further our model on top of it. In our preliminary evaluation, we used ESBMC, Map2Check, and KLEE as software verifiers and SPIKE as fuzzer to check their suitability to verify our network protocol implementations. Our experimental results show that ESBMC can be further developed within our verification framework called \textit{FuSeBMC}, to efficiently and effectively detect intricate security vulnerabilities in network protocol implementations.

Jack Hance,Jeremy Straub

2023-06-07

Abstract:Fuzzing is utilized for testing software and systems for cybersecurity risk via the automated adaptation of inputs. It facilitates the identification of software bugs and misconfigurations that may create vulnerabilities, cause abnormal operations or result in systems' failure. While many fuzzers have been purpose-developed for testing specific systems, this paper proposes a generalized fuzzer that provides a specific capability for testing software and cyber-physical systems which utilize configuration files. While this fuzzer facilitates the detection of system and software defects and vulnerabilities, it also facilitates the determination of the impact of settings on device operations. This later capability facilitates the modeling of the devices in a cybersecurity risk assessment and analysis system. This paper describes and assesses the performance of the proposed fuzzer technology. It also details how the fuzzer operates as part of the broader cybersecurity risk assessment and analysis system.

Cryptography and Security,Software Engineering

Ilja Siroš,Dave Singelée,Bart Preneel

2024-10-28

Abstract:4G and 5G represent the current cellular communication standards utilized daily by billions of users for various applications. Consequently, ensuring the security of 4G and 5G network implementations is critically important. This paper introduces an automated fuzzing framework designed to test the security of 4G and 5G attach procedure implementations. Our framework provides a comprehensive solution for uplink and downlink fuzzing in 4G, as well as downlink fuzzing in 5G, while supporting fuzzing on all layers except the physical layer. To guide the fuzzing process, we introduce a novel algorithm that assigns probabilities to packet fields and adjusts these probabilities based on coverage information from the device-under-test (DUT). For cases where coverage information from the DUT is unavailable, we propose a novel methodology to estimate it. When evaluating our framework, we first run the random fuzzing experiments, where the mutation probabilities are fixed throughout the fuzzing, and give an insight into how those probabilities should be chosen to optimize the Random fuzzer to achieve the best coverage. Next, we evaluate the efficiency of the proposed coverage-based algorithms by fuzzing open-source 4G stack (srsRAN) instances and show that the fuzzer guided by our algorithm outperforms the optimized Random fuzzer in terms of DUT's code coverage. In addition, we run fuzzing tests on 12 commercial off-the-shelf (COTS) devices. In total, we discovered vulnerabilities in 10 COTS devices and all of the srsRAN 4G instances.

Cryptography and Security