Although coverage-guided grey-box fuzz testing has been effective, there are still issues with numerous message inputs not adhering to protocol specifications when dealing with protocol programs with formatted structure inputs. While recent works have addressed problems related to protocol message transmission and analysis, existing efforts have not considered the support for the manual or computational overhead introduced by new version protocol field modifications and extensions. In this paper, we propose FISFuzzer, a lightweight message inference and scheduling fuzz testing approach. On one hand, it employs lightweight field inference and aggregation methods in fuzz testing to infer approximate boundaries and types of new or unknown protocol message fields, dynamically inferring seeds that trigger crashes, and updating field boundaries and types. On the other hand, it sets probability distributions for inferred protocol fields in fuzz testing, continually updating the distributions by statistically analyzing the positional information of seeds causing crashes to distinguish the importance of different protocol fields. Additionally, FISFuzzer adopts a type-constraint mutation strategy based on the inferred field types during message mutation to filter more effective test cases. We have implemented a prototype of FISFuzzer and evaluated it on four open-source protocols. Our experiments demonstrate that FISFuzzer discovers more crashes and achieves higher code coverage compared to existing protocol fuzzers and structure-aware fuzzers. Moreover, it identifies the same crashes faster. Finally, FISFuzzer discovered five protocol vulnerabilities, which have been reported to the developers.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

FISFuzzer: A Grey-Box Protocol Fuzzer Based on Field Inference and Scheduling

  • Hao Pan,
  • Xiangpu Song,
  • Honglin Wu,
  • Kai Wang,
  • Shanqing Guo,
  • Xing Yang

摘要

Although coverage-guided grey-box fuzz testing has been effective, there are still issues with numerous message inputs not adhering to protocol specifications when dealing with protocol programs with formatted structure inputs. While recent works have addressed problems related to protocol message transmission and analysis, existing efforts have not considered the support for the manual or computational overhead introduced by new version protocol field modifications and extensions. In this paper, we propose FISFuzzer, a lightweight message inference and scheduling fuzz testing approach. On one hand, it employs lightweight field inference and aggregation methods in fuzz testing to infer approximate boundaries and types of new or unknown protocol message fields, dynamically inferring seeds that trigger crashes, and updating field boundaries and types. On the other hand, it sets probability distributions for inferred protocol fields in fuzz testing, continually updating the distributions by statistically analyzing the positional information of seeds causing crashes to distinguish the importance of different protocol fields. Additionally, FISFuzzer adopts a type-constraint mutation strategy based on the inferred field types during message mutation to filter more effective test cases. We have implemented a prototype of FISFuzzer and evaluated it on four open-source protocols. Our experiments demonstrate that FISFuzzer discovers more crashes and achieves higher code coverage compared to existing protocol fuzzers and structure-aware fuzzers. Moreover, it identifies the same crashes faster. Finally, FISFuzzer discovered five protocol vulnerabilities, which have been reported to the developers.