Xu Zhou scite author profile

In recent years, the fuzzing technology is widely used to detect the software vulnerabilities owing to the coverage improvement in the target program and the easiness of use. However, it is less efficient to fuzz the stateful protocols due to the difficulties like maintaining states and dependencies of messages. To address these challenges, we present SPFuzz, a framework for building flexible, coverageguided stateful protocol fuzzing. We define a language in SPFuzz to describe the protocol specifications, protocol states transitions and dependencies for generating valuable test cases, maintaining correct messages in session states and handling protocol dependencies by updating message data in time. The SPFuzz adopts a three-level mutation strategy, namely head, content, and sequence mutation strategy to drive the fuzzing process to cover more paths, in conjunction with the method to randomly assign weights to messages and strategies. We use the following metrics to evaluate the performance of SPFuzz and other frameworks upon three protocol implementations, i.e., Proftpd, Oftpd, and OpenSSL, which are three-granularity coverages specifically function, basic block, and edge. In experiments, the SPFuzz framework outperforms the existing stateful protocol fuzzing tool Boofuzz by an average of 69.12% in three granularities coverage tests. This demonstrates that the SPFuzz has the ability to explore more and deeper paths of the target program. We further triggered CVE-2015-0291 in OpenSSL 1.0.2 with the SPFuzz, which proves the validity and utility of our framework.

show abstract

Labelling issue reports in mobile apps

Zhang

Zhou

et al. 2019

IET softw.

View full text Add to dashboard Cite

Millions of mobile apps have been released to the market. Developers need to maintain these apps so that they can continue to benefit end users, who usually submit issue reports to describe the bugs, the feature requests, and other changes appearing in apps. The labels (e.g. bug, feature request) are important resources to indicate which issue reports should be resolved first or next. According to the investigation, 35.6% of issue reports in top-17 popular mobile apps are not labelled. Developers have to spend additional time to manually verify each unlabelled issue report so that they can decide to resolve the most important issues. In order to help developers to reduce the workload, in this study, the authors propose a novel approach to automatically tag the unlabelled issue reports. This approach not only computes the similarity between each unlabelled issue report and user reviews related to bugs and features but also calculates the textual similarity scores between each unlabelled issue report and labelled ones. As a result, among all textual similarity measures, this approach using cosine similarity with MCG shows the best performance. Moreover, this approach performs better than the method proposed in the authors' previous study.

show abstract

SIoTFuzzer: Fuzzing Web Interface in IoT Firmware via Stateful Message Generation

et al. 2021

View full text Add to dashboard Cite

Cyber attacks against the web management interface of Internet of Things (IoT) devices often have serious consequences. Current research uses fuzzing technologies to test the web interfaces of IoT devices. These IoT fuzzers generate messages (a test case sent from the client to the server to test its functionality) without considering their dependency, which is unlikely to bypass the early check of the server. These invalid test cases significantly reduce the efficiency of fuzzing. To overcome this problem, we propose a stateful message generation (SMG) mechanism for IoT web fuzzing. SMG addresses two problems in IoT fuzzing. First, we retrieve the message dependency by using web front-end analysis and status analysis. These dependent messages, which can easily bypass the server check, are used as a valid seed. Second, we adopt a multi-message seed format to preserve the dependency of the messages when mutating the seed to get a valid test case, so that the test case can bypass the state check of the server to make a valid test. Message dependency preservation is implemented by our proposed parameter mutation and structural mutation methods. We implement SMG in our IoT fuzzer, SIoTFuzzer, which applies IoT firmware on the latest Linux-based simulation tool, FirmAE. We test nine IoT devices including a router and an IP camera and adopt a vulnerability detection mechanism. Our evaluation results show that (1) SIoTFuzzer is capable of finding real-world vulnerabilities in IoT devices; (2) our SMG is effective as it enables Boofuzz (a popular protocol fuzzer) to find command injection and cross-site scripting (XSS) vulnerabilities; and (3) compared to FirmFuzz, SIoTFuzzer found all the vulnerabilities in our benchmarks, while FirmFuzz found only four—the efficiency of our tool increased by 20.57% on average.

show abstract

Learn to Accelerate Identifying New Test Cases in Fuzzing

Zhang

Zhou

2017

View full text Add to dashboard Cite

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Xu Zhou

PTfuzz: Guided Fuzzing With Processor Trace Feedback

SPFuzz: A Hierarchical Scheduling Framework for Stateful Network Protocol Fuzzing

Labelling issue reports in mobile apps

SIoTFuzzer: Fuzzing Web Interface in IoT Firmware via Stateful Message Generation

Learn to Accelerate Identifying New Test Cases in Fuzzing

Contact Info

Product

Resources

About