Stateful Greybox Fuzzing

04/06/2022
by Jinsheng Ba, et al.

Many protocol implementations are reactive systems, where the protocol process is in continuous interaction with other processes and the environment. If a bug can be exposed only in a certain state, a fuzzer needs to provide a specific sequence of events as inputs that would take the protocol into this state before the bug is manifested. We call these bugs "stateful" bugs. Usually, when we are testing a protocol implementation, we do not have a detailed formal specification of the protocol to rely upon. Without knowledge of the protocol, it is inherently difficult for a fuzzer to discover such stateful bugs. A key challenge then is to cover the state space without an explicit specification of the protocol. In this work, we posit that manual annotations for state identification can be avoided for stateful protocol fuzzing. Specifically, we rely on a programmatic intuition that the state variables used in protocol implementations often appear as enum-typed variables whose values (the state names) come from named constants. In our analysis of the Top-50 most widely used open-source protocol implementations, we found that every implementation uses state variables that are assigned named constants (with easy-to-comprehend names such as INIT, READY) to represent the current state. In this work, we propose to automatically identify such state variables and track the sequence of values assigned to them during fuzzing to produce a "map" of the explored state space. Our experiments confirm that our stateful fuzzer discovers stateful bugs twice as fast as the baseline greybox fuzzer that we extended. Starting from the initial state, our fuzzer exercises one order of magnitude more state/transition sequences and covers code two times faster than the baseline fuzzer. Several zero-day bugs in prominent protocol implementations were found by our fuzzer, and 8 CVEs have been assigned.
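The core idea of the abstract, instrumenting every assignment to an enum-typed state variable and turning newly seen state transitions into fuzzer feedback, is illustrated below on a constructed toy protocol. This is an added example, not code from the paper or its fuzzer; the protocol, its message bytes, and the `set_state` hook are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed toy protocol: the state variable is an enum whose values are
 * named constants, the pattern the paper reports in real implementations. */
typedef enum { INIT, READY, AUTHED, DATA, CLOSED, N_STATES } state_t;

static state_t cur_state;
/* Transition map: edge (from, to) seen at least once. Assumed instrumentation
 * only; a real greybox fuzzer would keep this in shared memory with the target. */
static uint8_t transition_map[N_STATES][N_STATES];

/* Hook placed at every assignment to the state variable: records the edge
 * in the map and reports whether this transition was never seen before. */
static int set_state(state_t next) {
    int is_new = !transition_map[cur_state][next];
    transition_map[cur_state][next] = 1;
    cur_state = next;
    return is_new;
}

/* Message handler of the toy protocol: one input byte is one message type. */
static int handle(uint8_t msg) {
    switch (cur_state) {
    case INIT:   return msg == 'H' ? set_state(READY)  : set_state(CLOSED);
    case READY:  return msg == 'A' ? set_state(AUTHED) : set_state(CLOSED);
    case AUTHED: return msg == 'D' ? set_state(DATA)   : set_state(CLOSED);
    case DATA:   return msg == 'Q' ? set_state(CLOSED) : set_state(DATA);
    default:     return 0; /* CLOSED is absorbing */
    }
}

/* Replays one input (a message sequence) from the initial state and returns
 * how many previously unseen transitions it exercised. A stateful fuzzer
 * keeps an input as a seed when this count is non-zero, just as a coverage
 * fuzzer keeps inputs that hit new edges. */
int run_sequence(const uint8_t *msgs, size_t n) {
    int new_edges = 0;
    cur_state = INIT;
    for (size_t i = 0; i < n && cur_state != CLOSED; i++)
        new_edges += handle(msgs[i]);
    return new_edges;
}

int main(void) {
    const uint8_t a[] = "HADQ", b[] = "HX";
    printf("first run: %d new transitions\n", run_sequence(a, 4)); /* 4 */
    printf("replay:    %d new transitions\n", run_sequence(a, 4)); /* 0 */
    printf("variant:   %d new transitions\n", run_sequence(b, 2)); /* 1 */
    return 0;
}
```

The replay scoring zero and the short variant scoring one is the behaviour that lets the fuzzer prefer inputs reaching unexplored parts of the state map rather than inputs that only re-cover known code.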
