Computer Science (计算机科学) ›› 2024, Vol. 51 ›› Issue (12): 71-78. doi: 10.11896/jsjkx.231000018

• Computer Software •

SSFuzz: State-sensitive Greybox Fuzzing for Network Protocol Services

LIN Jiahan, RAN Meng, PENG Jianshan

  1. School of Cyberspace Security, Information Engineering University, Zhengzhou 450001, China
  • Received: 2023-10-07  Revised: 2024-03-05  Online: 2024-12-15  Published: 2024-12-10
  • Corresponding author: PENG Jianshan (jxpjs@163.com)
  • Author contact: ljh_studypp@outlook.com
  • Supported by:
    Henan Province Science and Technology Major Project (221100240100)

  • About the authors: LIN Jiahan, born in 2000, postgraduate. His main research interests include software automated testing and reverse engineering.
    PENG Jianshan, born in 1979, Ph.D., associate professor, master supervisor. His main research interests include cyber security and software automated testing.

Abstract: Network protocol services are the interface through which personal devices interact with the Internet, and their vulnerabilities pose a serious threat to users' privacy and information security. State-of-the-art greybox fuzzers for network protocols add state feedback on top of code coverage: by analysing the state information of the protocol service, they further screen out effective mutation seeds. However, different fuzzers define the state of a network protocol service differently. AFLNET extracts states by analysing the contents of server response packets, while StateAFL defines long-lived memory as the program state. For state collection, SGFuzz analyses Enum type definitions to identify assignment statements to state variables and instruments them. However, SGFuzz cannot identify indirect assignments to state variables, so its identification of state variables is incomplete. Moreover, when building the state machine, different fuzzing techniques define state-machine nodes differently, which makes it hard to use several state collection strategies within the same fuzzer. In addition, in terms of experimental design, existing work tends to compare the code coverage reached within the same amount of time. Code coverage growth, however, is affected by many factors, such as throughput and the seed screening strategy. Coverage-over-time experiments are suitable for comparing different fuzzers, but not for evaluating an improvement to a single module within one fuzzer. To address these problems, this paper proposes SSFuzz. Specifically, SSFuzz studies state-variable-based instrumentation: using the abstract syntax tree information available during compilation, it identifies indirect assignments to state variables and can therefore instrument state-variable assignment statements more precisely. Second, SSFuzz defines the state machine used to guide state screening, so that different state feedback strategies can jointly build one state machine. Experimental results show that SSFuzz can instrument most network protocol services and, unlike SGFuzz, can instrument indirect assignment statements. Finally, the paper discusses an experimental method suited to evaluating the effectiveness of the state machine, and shows that SSFuzz reaches higher path coverage with a smaller number of test cases.

Key words: Network protocol, Fuzzing, Program instrumentation, State feedback
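The abstract's point that several state-feedback strategies should be able to grow one state machine that then screens seeds can be illustrated with a small model. The code below is an added example, not the paper's or SSFuzz's code: it assumes nodes are (strategy, value) pairs, pairs one AFLNET-style response-code observation with one SGFuzz-style state-variable value per request, and keeps a seed only when its trace adds a node or an edge. The seed observations are constructed for the example.

```python
from collections import defaultdict


class StateMachine:
    """Graph whose nodes are (strategy, value) pairs, so observations from
    several state-feedback strategies share one state machine (assumed model)."""

    def __init__(self):
        self.nodes = set()
        self.edges = defaultdict(int)  # (src, dst) -> number of times seen

    def observe(self, trace):
        """Walk one execution trace (list of (strategy, value) nodes).
        Returns True when the trace adds a node or an edge, i.e. the seed that
        produced it is worth keeping for further mutation."""
        interesting = False
        prev = ("entry", None)
        for node in trace:
            if node not in self.nodes:
                self.nodes.add(node)
                interesting = True
            if self.edges[(prev, node)] == 0:
                interesting = True
            self.edges[(prev, node)] += 1
            prev = node
        return interesting


def merge_feedback(response_codes, state_values):
    """Interleave per-request observations from two strategies into one trace:
    a response-code node (AFLNET-style) then a state-variable node (SGFuzz-style)."""
    trace = []
    for code, value in zip(response_codes, state_values):
        trace.append(("response", code))
        trace.append(("state_var", value))
    return trace


def screen_seeds(seeds):
    """seeds: list of (name, response_codes, state_values).
    Returns (names of seeds kept, the jointly built state machine)."""
    sm = StateMachine()
    kept = [name for name, codes, values in seeds
            if sm.observe(merge_feedback(codes, values))]
    return kept, sm


# Constructed observations for an FTP-like login exchange (not real data).
SEEDS = [
    ("seed1", [220, 331, 230], ["INIT", "NEED_PASS", "LOGGED_IN"]),
    ("seed2", [220, 331, 230], ["INIT", "NEED_PASS", "LOGGED_IN"]),  # same path again
    ("seed3", [220, 331, 530], ["INIT", "NEED_PASS", "INIT"]),       # wrong password
    ("seed4", [220, 530], ["INIT", "INIT"]),                          # PASS before USER
]
```

Running `screen_seeds(SEEDS)` keeps seed1, seed3 and seed4: seed2 repeats a known path, while seed4 is kept for a new edge even though every node it visits was already known.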

CLC number: TP309.1