SPFuzz: A Hierarchical Scheduling Framework for Stateful Network Protocol Fuzzing

Song, Congxi; Yu, Bo; Zhou, Xu; Yang, Qiang

doi:10.1109/access.2019.2895025

Cited by 23 publications

(14 citation statements)

References 17 publications

(15 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• BooFuzz [31]. As a successor of Sulley [19], BooFuzz is an excellent network protocol fuzzer that has been involved in several recent fuzzing research [9,37,48]. Different from other automatic fuzzers, BooFuzz requires human-guided message segmentation strategies as inputs.…”

Section: Experimental Evaluation 51 Experiments Setupmentioning

confidence: 99%

“…There are also several dynamic analysis approaches focusing on the networking modules of IoT devices. For example, SPFuzz defines a new language for describing protocol specifications, protocol state transitions, and their correlations [37]. SPFuzz can ensure the correctness of the message format in the conversation state and the dependence of the protocol.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Snipuzz: Black-box Fuzzing of IoT Firmware via Message Snippet Inference

Feng

Sun

Zhu

et al. 2021

Preprint

View full text Add to dashboard Cite

The proliferation of Internet of Things (IoT) devices has made people's lives more convenient, but it has also raised many security concerns. Due to the difficulty of obtaining and emulating IoT firmware, in the absence of internal execution information, blackbox fuzzing of IoT devices has become a viable option. However, existing black-box fuzzers cannot form effective mutation optimization mechanisms to guide their testing processes, mainly due to the lack of feedback. In addition, because of the prevalent use of various and non-standard communication message formats in IoT devices, it is difficult or even impossible to apply existing grammar-based fuzzing strategies. Therefore, an efficient fuzzing approach with syntax inference is required in the IoT fuzzing domain.To address these critical problems, we propose a novel automatic black-box fuzzing for IoT firmware, termed Snipuzz. Snipuzz runs as a client communicating with the devices and infers message snippets for mutation based on the responses. Each snippet refers to a block of consecutive bytes that reflect the approximate code coverage in fuzzing. This mutation strategy based on message snippets considerably narrows down the search space to change the probing messages. We compared Snipuzz with four state-of-theart IoT fuzzing approaches, i.e., IoTFuzzer, BooFuzz, Doona, and Nemesys. Snipuzz not only inherits the advantages of app-based fuzzing (e.g., IoTFuzzer), but also utilizes communication responses to perform efficient mutation. Furthermore, Snipuzz is lightweight as its execution does not rely on any prerequisite operations, such as reverse engineering of apps. We also evaluated Snipuzz on 20 popular real-world IoT devices. Our results show that Snipuzz could identify 5 zero-day vulnerabilities, and 3 of them could be exposed only by Snipuzz. All the newly discovered vulnerabilities have been confirmed by their vendors.

show abstract

Section: Experimental Evaluation 51 Experiments Setupmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Snipuzz: Black-box Fuzzing of IoT Firmware via Message Snippet Inference

Feng

Sun

Zhu

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…PerfFuzz [24] generates inputs through feedback-oriented mutation fuzzing generation, can find various inputs with different hot spots in the program, and escapes local maximums to have higher execution path length inputs. SPFuzzs [25] implement three mutation strategies, namely, head, content and sequence mutation strategies. They cover more paths by driving the fuzzing process, and provide a method of randomly assigning weights through messages and strategies.…”

Section: Related Workmentioning

confidence: 99%

ReFuzz: A Remedy for Saturation in Coverage-Guided Fuzzing

Qian

Zhang

et al. 2021

Electronics

View full text Add to dashboard Cite

Coverage-guided greybox fuzzing aims at generating random test inputs to trigger vulnerabilities in target programs while achieving high code coverage. In the process, the scale of testing gradually becomes larger and more complex, and eventually, the fuzzer runs into a saturation state where new vulnerabilities are hard to find. In this paper, we propose a fuzzer, ReFuzz, that acts as a complement to existing coverage-guided fuzzers and a remedy for saturation. This approach facilitates the generation of inputs that lead only to covered paths by omitting all other inputs, which is exactly the opposite of what existing fuzzers do. ReFuzz takes the test inputs generated from the regular saturated fuzzing process and continue to explore the target program with the goal of preserving the code coverage. The insight is that coverage-guided fuzzers tend to underplay already covered execution paths during fuzzing when seeking to reach new paths, causing covered paths to be examined insufficiently. In our experiments, ReFuzz discovered tens of new unique crashes that AFL failed to find, of which nine vulnerabilities were submitted and accepted to the CVE database.

show abstract

“…Recently, protocol fuzzing concentrates on solving the transmission of the state in protocol communication 32 and the security protocol 30,31 . SpFuzz 46 uses hierarchical scheduling to improve the test cases of protocol based on the feedback information. However, the feedback of SpFuzz relies on the AFL instrumentation, which is not suitable for close sourced firmware.…”

Section: Related Workmentioning

confidence: 99%

Fw‐fuzz: A code coverage‐guided fuzzing framework for network protocols on firmware

Gao¹,

Dong²,

Chang

et al. 2020

Concurrency and Computation

View full text Add to dashboard Cite

Summary Fuzzing is an effective approach to detect software vulnerabilities utilizing changeable generated inputs. However, fuzzing the network protocol on the firmware of IoT devices is limited by inefficiency of test case generation, cross‐architecture instrumentation, and fault detection. In this article, we propose the Fw‐fuzz, a coverage‐guided and crossplatform framework for fuzzing network services running in the context of firmware on embedded architectures, which can generate more valuable test cases by introspecting program runtime information and using a genetic algorithm model. Specifically, we propose novel dynamic instrumentation in Fw‐fuzz to collect the running state of the firmware program. Then Fw‐fuzz adopts a genetic algorithm model to guide the generation of inputs with high code coverage. We fully implement the prototype system of Fw‐fuzz and conduct evaluations on network service programs of various architectures in MIPS, ARM, and PPC. By comparing with the protocol fuzzers Boofuzz and Peach in metrics of edge coverage, our prototype system achieves an average growth of 33.7% and 38.4%, respectively. We further verify six known vulnerabilities and discover 5 0‐day vulnerabilities with the Fw‐fuzz, which prove the validity and utility of our framework. The overhead of our system expressed as an additional 5% of memory growth.

show abstract

SPFuzz: A Hierarchical Scheduling Framework for Stateful Network Protocol Fuzzing

Cited by 23 publications

References 17 publications

Snipuzz: Black-box Fuzzing of IoT Firmware via Message Snippet Inference

Snipuzz: Black-box Fuzzing of IoT Firmware via Message Snippet Inference

ReFuzz: A Remedy for Saturation in Coverage-Guided Fuzzing

Fw‐fuzz: A code coverage‐guided fuzzing framework for network protocols on firmware

Contact Info

Product

Resources

About