Protocol Fuzz Testing Based on Double Coverage Information Coordination
Author:
Funding:

National Natural Science Foundation of China (62072448)
Abstract (translated from the Chinese):

Fuzzing plays a major role in discovering security vulnerabilities in protocol software and improving its security. In recent years, introducing state into the fuzzing of server programs has attracted wide attention. Existing methods do not make full use of the information produced during protocol fuzzing and cannot keep their attention on the important states, which lowers fuzzing efficiency. To address this, this paper proposes a protocol fuzzing method based on the coordination of two kinds of coverage information. First, the proposed state selection algorithm builds a mapping from the state space to the program space and uses a heuristic computation to assign a weight to each state, guiding the fuzzer to keep focusing on the states most likely to contain defects. Second, it quickly probes the positions in a seed that do not affect the state but do change program coverage, and restricts mutation to those positions so that the code region corresponding to the focused state is tested thoroughly. The improved algorithm was validated on the baseline tools AFLNet and SnapFuzz and finally integrated into the protocol fuzzing tool C2SFuzz. Experiments on the latest versions of protocol server programs such as LightFTP and Live555 found 5 previously unknown vulnerabilities.

Abstract (as published in English):

Fuzzing plays a significant role in discovering security vulnerabilities and improving security in protocol software. In recent years, the introduction of state into server program fuzzing has received widespread attention. This study addresses the low efficiency of fuzzing caused by insufficient use of the information produced during protocol fuzzing and by the inability to keep focusing on key states. It proposes a protocol fuzzing method based on the coordination of double coverage information. Firstly, the proposed state selection algorithm sets a weight for each state by mapping the state space to the program space and applying a heuristic calculation, which guides the fuzzer to keep focusing on states that are more likely to contain defects. Secondly, the method detects the positions in a seed that do not affect the state but do change program coverage, and restricts mutation to those positions so as to adequately test the code area corresponding to the focused state. The effectiveness of the improved algorithm is verified on the baseline tools AFLNet and SnapFuzz, and the algorithms are integrated into a protocol fuzzing tool named C2SFuzz. Experiments on the latest versions of protocol server programs such as LightFTP and Live555 detected five unknown vulnerabilities.
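The two mechanisms the abstract describes, weighting states over a state-to-code mapping and probing for seed positions that leave the state sequence unchanged but alter coverage, sketched as an added Python example; this is illustrative code written for this page, not C2SFuzz's implementation. It assumes a constructed toy FTP-like server model in place of the real target and its AFLNet-style state and coverage feedback, and the weight formula in `pick_state` is a stand-in assumption, not the paper's heuristic.

```python
from collections import defaultdict

# Constructed toy model of a tiny FTP-like server (not one of the paper's targets).
# States stand in for protocol states as AFLNet would report them, "edges" for the
# code paths coverage instrumentation would report. Assumption: this model replaces
# the real server and both feedback channels.
def toy_server(msgs):
    """Return (state after each message, set of edges hit while handling each message)."""
    state, states, hits = "INIT", [], []
    for m in msgs:
        cmd, _, arg = m.partition(b" ")
        if state == "INIT" and cmd == b"USER":
            state, e = "NEED_PASS", {"user"}
        elif state == "NEED_PASS" and cmd == b"PASS":
            state, e = "LOGGED", {"pass"}
        elif state == "LOGGED" and cmd == b"CWD":
            e = {"cwd_long" if len(arg) > 8 else "cwd",
                 "cwd_dotdot" if b".." in arg else "cwd_plain"}
        else:
            e = {"err"}          # unexpected command for the current state
        states.append(state); hits.append(e)
    return states, hits

def probe_positions(seed, probes=(b"\x00", b".")):
    """Byte offsets whose mutation keeps the state sequence but changes coverage:
    the state-neutral, coverage-relevant positions the abstract says to restrict mutation to."""
    base_states, base_hits = toy_server(seed.split(b"\n"))
    base_cov = set().union(*base_hits)
    out = []
    for i in range(len(seed)):
        for p in probes:                       # two cheap single-byte probes per offset
            st, hits = toy_server((seed[:i] + p + seed[i + 1:]).split(b"\n"))
            if st == base_states and set().union(*hits) != base_cov:
                out.append(i); break
    return out

def state_edge_map(corpus):
    """Map each protocol state to the edges exercised while the server was in that state."""
    m = defaultdict(set)
    for seed in corpus:
        states, hits = toy_server(seed.split(b"\n"))
        prev = "INIT"
        for s, e in zip(states, hits):
            m[prev] |= e; prev = s             # message was handled in state `prev`
    return dict(m)

def pick_state(edge_map, fuzzed):
    """Assumed heuristic: a larger mapped code region and fewer rounds already spent
    give a higher weight; the paper's actual weighting is not reproduced here."""
    weights = {s: len(e) / (1 + fuzzed.get(s, 0)) for s, e in edge_map.items()}
    return max(weights, key=weights.get)

SEED = b"USER x\nPASS y\nCWD a."   # constructed seed: one message sequence
```

On `SEED`, only offsets inside the `CWD` line are reported, since any change to `USER` or `PASS` alters the state sequence and is left to the state-level fuzzing loop.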

Cite this article

张颖君, 周赓, 程亮, 孙晓山, 张阳. Protocol Fuzz Testing Based on Double Coverage Information Coordination. 计算机系统应用 (Computer Systems & Applications), 2023, 32(9): 32–42

History
  • Received: 2023-02-17
  • Last revised: 2023-03-14
  • Published online: 2023-07-21
Copyright: Institute of Software, Chinese Academy of Sciences