Improving Code Coverage Metrics for Discovering Vulnerabilities in Stateful Network Protocols using Hybrid Fuzzing
Subject Areas: ICT
Hamid Rezaei Rahvard 1, Mehdi Salkhordeh Haghighi 2
1 - Faculty of Computer Eng and IT, Sadjad University, Mashhad, Iran
2 - Faculty of Computer Eng and IT, Sadjad University, Mashhad, Iran
Keywords: Software Testing, Fuzz Testing, Network Protocol Testing, Vulnerabilities, Symbolic Execution, Concolic Execution
Abstract:
Software fuzzing is a method for finding security vulnerabilities in applications. It sends random data to the program and looks for inputs that trigger undesirable behaviour and errors such as memory corruption or unauthorized access. One proposed way to improve fuzzing is to combine it with symbolic analysis and dynamic-symbolic (concolic) execution: in addition to generating random data, the program is analysed logically and executed symbolically to produce inputs that cover new execution paths. In this research, we show that the dynamic-symbolic execution method can be applied to the fuzzing of network protocols and that it improves this process. For this purpose, the first framework for hybrid fuzzing of network protocols has been designed and implemented. Results on two services, dcmtk and dnsmasq, show that hybrid fuzzing achieves better code coverage than traditional fuzzing. Branch coverage on the dcmtk service improved by 2.71 percent compared to AFLNet, which turned NyxNet's deficit relative to AFLNet into a lead. Branch coverage on the dnsmasq service improved by 37.72 percent compared to AFLNet and by 11.82 percent compared to NyxNet.
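As an added illustration of the idea in the abstract (this is not the paper's framework or its code): a constructed stateful toy protocol, a coverage-guided mutation loop, and a concolic phase that negates the unsatisfied byte comparisons recorded on a trace. It shows why random mutation plateaus at a multi-byte magic check while the hybrid loop reaches the branches behind it, measured as branch coverage. The protocol, branch ids and all function names are assumptions; constraints are solved by substitution because the toy server only uses byte equality, where a real engine would call an SMT solver.

```python
import random
COVERAGE = set()  # branch ids reached so far: the metric the paper compares
TRACE = []        # (offset, expected) of each byte-equality compare in one run
def eq(data, i, expected):  # byte compare that also logs its constraint
    TRACE.append((i, expected))
    return data[i] == expected
def server(msg):
    """Constructed stateful protocol over 4-byte records [opcode, a, b, c]:
    INIT -HELO(1)-> GREETED -AUTH(2,'K','E','Y')-> READY -CMD(3)-> handled."""
    TRACE.clear()
    state = "INIT"
    for off in range(0, len(msg) - 3, 4):
        if state == "INIT" and eq(msg, off, 1):
            state = "GREETED"; COVERAGE.add("helo")
        elif state == "GREETED" and eq(msg, off, 2):
            if eq(msg, off + 1, 0x4B) and eq(msg, off + 2, 0x45) and eq(msg, off + 3, 0x59):
                state = "READY"; COVERAGE.add("auth_ok")
            else: COVERAGE.add("auth_fail")
        elif state == "READY" and eq(msg, off, 3):
            COVERAGE.add("cmd")
            if eq(msg, off + 1, 0x7F): COVERAGE.add("cmd_rare")  # behind 4 magic bytes
def gains_coverage(msg):  # run one input; True if it reached an unseen branch
    before = len(COVERAGE); server(msg)
    return len(COVERAGE) > before
def mutate(rng, msg):  # classic mutation step: overwrite one random byte
    b = bytearray(msg); b[rng.randrange(len(b))] = rng.randrange(256)
    return bytes(b)
def concolic_explore(msg, rounds=16):
    """Concolic phase: trace the input, negate its deepest unsatisfied compare by
    solving it (substitution suffices for byte equality), re-trace, repeat."""
    found = []  # generated inputs that reached new branches
    for _ in range(rounds):
        if gains_coverage(msg): found.append(msg)
        pending = [(o, v) for o, v in TRACE if msg[o] != v]
        if not pending: break
        off, val = pending[-1]
        b = bytearray(msg); b[off] = val; msg = bytes(b)
    return found
def campaign(hybrid, iters=2000, seed=7):
    """Coverage-guided loop; with hybrid=True each new corpus entry is also handed
    to the concolic phase, the way a hybrid fuzzer feeds its queue to the solver."""
    COVERAGE.clear()
    rng, corpus, explored = random.Random(seed), [bytes(12)], 0  # 3 zero records
    for _ in range(iters):
        child = mutate(rng, rng.choice(corpus))
        if gains_coverage(child): corpus.append(child)
        if hybrid and explored < len(corpus):
            corpus.extend(concolic_explore(corpus[explored])); explored += 1
    return sorted(COVERAGE)
```

Running `campaign(False)` never reaches `auth_ok` because a single random byte flip cannot satisfy the three-byte key at once, whereas `campaign(True)` reaches all five branch ids from the zeroed seed.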