Fuzzing: State of the Art

Liu, Hongliang; Pei, Xiaoxiao; Jia, Xiaodong; Shen, Wuwei; Zhang, Jian

doi:10.1109/tr.2018.2834476

Cited by 157 publications

(76 citation statements)

References 117 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Fuzzing [ 1 , 2 , 6 , 31 ] now is a widely used technique to discover vulnerabilities in programs. The basic idea of fuzzing is to feed different and even abnormal inputs into a PUT, and keep monitoring its status to check if the program is crashed or misbehaving [ 1 ].…”

Section: Related Workmentioning

confidence: 99%

“…The basic idea of fuzzing is to feed different and even abnormal inputs into a PUT, and keep monitoring its status to check if the program is crashed or misbehaving [ 1 ]. Fuzzers could be classified into three categories: blackbox, greybox and whitebox [ 2 , 6 ]. Blackbox fuzzers [ 7 , 8 ] could only monitor the input/output of a PUT, and some of them like Peach may know the structure of inputs [ 8 ].…”

Section: Related Workmentioning

confidence: 99%

“…Greybox fuzzers take the middle way that they collect some internal information from a PUT. For example, coverage-based fuzzers collect the coverage information of inputs [ 2 , 6 ]. Greybox fuzzers usually run faster than whitebox fuzzers and utilize more information than blackbox fuzzers [ 6 ], and are good choices if we want higher coverage and discovering “hidden” bugs [ 6 ].…”

Section: Related Workmentioning

confidence: 99%

“…The basic idea of fuzzing is to feed different inputs into a program under test (PUT) and keep monitoring its status for any misbehavior. Coverage-based fuzzing [ 3 , 4 , 5 ] is categorised as greybox fuzzing [ 2 , 6 ]. Different from traditional blackbox fuzzing [ 7 , 8 ], coverage-based fuzzing monitors the internal execution paths of inputs, and saves the inputs as further mutation seeds if they exercise any new and interesting paths.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

MultiFuzz: A Coverage-Based Multiparty-Protocol Fuzzer for IoT Publish/Subscribe Protocols

Zeng

Lin

Guo

et al. 2020

Sensors

View full text Add to dashboard Cite

The publish/subscribe model has gained prominence in the Internet of things (IoT) network, and both Message Queue Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP) support it. However, existing coverage-based fuzzers may miss some paths when fuzzing such publish/subscribe protocols, because they implicitly assume that there are only two parties in a protocol, which is not true now since there are three parties, i.e., the publisher, the subscriber and the broker. In this paper, we propose MultiFuzz, a new coverage-based multiparty-protocol fuzzer. First, it embeds multiple-connection information in a single input. Second, it uses a message mutation algorithm to stimulate protocol state transitions, without the need of protocol specifications. Third, it uses a new desockmulti module to feed the network messages into the program under test. desockmulti is similar to desock (Preeny), a tool widely used by the community, but it is specially designed for fuzzing and is 10x faster. We implement MultiFuzz based on AFL, and use it to fuzz two popular projects Eclipse Mosquitto and libCoAP. We reported discovered problems to the projects. In addition, we compare MultiFuzz with AFL and two state-of-the-art fuzzers, MOPT and AFLNET, and find it discovering more paths and crashes.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

MultiFuzz: A Coverage-Based Multiparty-Protocol Fuzzer for IoT Publish/Subscribe Protocols

Zeng

Lin

Guo

et al. 2020

Sensors

View full text Add to dashboard Cite

show abstract

“…Binary vulnerability detection techniques can be roughly divided into two categories: static analysis and dynamic analysis [1], [2]. The dynamic analysis, such as fuzzing [3], [4] and dynamic taint analysis [5], [6], examines program behavior while it is running in a given environment. Dynamic binary analysis allows you explore individual paths which makes it very precise but at the expense of less code coverage.…”

Section: Introductionmentioning

confidence: 99%

A Value Set Analysis Refinement Approach Based on Conditional Merging and Lazy Constraint Solving

Lin¹,

Jiang²,

Wang³

et al. 2019

IEEE Access

View full text Add to dashboard Cite

Value set analysis is a common static binary program analysis approach. Value set analysis attempts to identify a tight over-approximation of the program state at any given point in the program and can be used to detect vulnerability. Existing memory corruption detection analysis technologies based on value set analysis have a high false positive rate, because value set analysis suffers from a lack of accuracy. We observed that two main sources of imprecision in value set analysis are merge operation and failed branch conditions tracking. In order to address above problems, in this paper, we propose a value set analysis refinement approach based on conditional merging and lazy constraint solving. We propose a variable dependence analysis algorithm to divide program paths into subsets and only merge the states which satisfy the condition that the states are from the same subset, which reduces the imprecision from the merging operation. We collect path predicates as path constraint and solve the path constraint using Satisfiability Modulo Theories (SMT) solver lazily to get a tighter number range of the variable when a variable need be refined, which reduces the imprecision from the failed branch conditions tracking. We implement a prototype system RVSA based on the proposed approach and verify its effectiveness according to experimentation. Compared with state-of-the-art approach, the experimental results demonstrate that the false positive rate is reduced by 12.9%. Furthermore, using our proposed approach, 25 zero-day vulnerabilities are found in the Netgear httpd binary.

show abstract

Protocol fuzzing to find security vulnerabilities of RabbitMQ

Kwon

Son²,

Choi

et al. 2020

Concurrency and Computation

View full text Add to dashboard Cite

A message broker is widely used to enable applications, systems, and services to communicate with each other. One of the widely used message brokers is RabbitMQ that provides various functions and stability. However, as presented in this paper, Rab-bitMQ is vulnerable. In this paper, we present how RabbitMQ is exploited by protocol fuzzing, which is a common way to find unknown vulnerabilities inherent in software. We describe our protocol fuzzing procedures in detail and present conducted results.

show abstract

Fuzzing: State of the Art

Cited by 157 publications

References 117 publications

MultiFuzz: A Coverage-Based Multiparty-Protocol Fuzzer for IoT Publish/Subscribe Protocols

MultiFuzz: A Coverage-Based Multiparty-Protocol Fuzzer for IoT Publish/Subscribe Protocols

A Value Set Analysis Refinement Approach Based on Conditional Merging and Lazy Constraint Solving

Protocol fuzzing to find security vulnerabilities of RabbitMQ

Contact Info

Product

Resources

About