FitM: Binary-Only Coverage-Guided Fuzzing for Stateful Network Protocols

Maier, Dominik; Bittner, Otto; Beier, Julian; Munier, Marc

doi:10.14722/bar.2022.23008

Cited by 9 publications

(3 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Maier et al [11] introduced the Fuzzer in the Middle (FitM) for fuzzing network protocols. Instead of using a simulated socket library, FitM intercepts the emulated system-calls inside the QEMU emulator and sends the input messages to the SUT without the network communication overhead.…”

Section: Related Work With Desock+mentioning

confidence: 99%

On the (in)Efficiency of Fuzzing Network Protocols

Andarzian,

Daniele,

Poll

2024

Preprint

View full text Add to dashboard Cite

Fuzzing is a great technique to find software bugs. However, certain types of systems, notably network protocols, are still challenging to fuzz because of in-efficiency. As an extended version of our previous article, we identify the root causes for overhead in fuzzing network protocols. After that, we categorize and discuss strategies for fuzzing network protocols. As a result, this article presents a comprehensive analysis of all the root causes behind the inefficiency of fuzzing network protocols and all the strategies to avoid them.

show abstract

Section: Related Work With Desock+mentioning

confidence: 99%

On the (in)Efficiency of Fuzzing Network Protocols

Andarzian,

Daniele,

Poll

2024

Preprint

View full text Add to dashboard Cite

show abstract

“…For instance, taint analysis [16,20,28], concolic execution [6,29,30], static analysis [31][32][33], deep learning [34,35] and reinforcement learning [11,22,36] are used to boost fuzzer performance. On the other hand, some work has attempted to transform fuzzing to better test specific types of targets, such as JIT compilers [37][38][39][40], OS kernel [23,[41][42][43], protocol [44,45], rounter [46,47], and smart contracts [48,49]. For example, to find JIT compiler vulnerabilities, some fuzzers use an abstract syntax tree to represent and generate JavaScript code as seeds.…”

Section: Coverage-guided Greybox Fuzzingmentioning

confidence: 99%

Adaptive scheduling-based fine-grained greybox fuzzing for cloud-native applications

Yang,

Liu,

Fang

2024

J Cloud Comp

View full text Add to dashboard Cite

Coverage-guided fuzzing is one of the most popular approaches to detect bugs in programs. Existing work has shown that coverage metrics are a crucial factor in guiding fuzzing exploration of targets. A fine-grained coverage metric can help fuzzing to detect more bugs and trigger more execution states. Cloud-native applications that written by Golang play an important role in the modern computing paradigm. However, existing fuzzers for Golang still employ coarse-grained block coverage metrics, and there is no fuzzer specifically for cloud-native applications, which hinders the bug detection in cloud-native applications. Using fine-grained coverage metrics introduces more seeds and even leads to seed explosion, especially in large targets such as cloud-native applications. Therefore, we employ an accurate edge coverage metric in fuzzer for Golang, which achieves finer test granularity and more accurate coverage information than block coverage metrics. To mitigate the seed explosion problem caused by fine-grained coverage metrics and large target sizes, we propose smart seed selection and adaptive task scheduling algorithms based on a variant of the classical adversarial multi-armed bandit (AMAB) algorithm. Extensive evaluation of our prototype on 16 targets in real-world cloud-native infrastructures shows that our approach detects 233% more bugs than go-fuzz, achieving an average coverage improvement of 100.7%. Our approach effectively mitigates seed explosion by reducing the number of seeds generated by 41% and introduces only 14% performance overhead.

show abstract

“…Researchers continue to refine graybox fuzzing techniques by developing new methodologies for mutating test cases [3,21,33,39], managing test cases [11,43,48], providing feedback on program behavior [15,23,35,47,49] and more [13,34,41,50].…”

Section: Fuzz Testingmentioning

confidence: 99%

CrabSandwich: Fuzzing Rust with Rust (Registered Report)

Crump,

Zhang,

Asif

et al. 2023

Proceedings of the 2nd International Fuzzing Workshop

View full text Add to dashboard Cite

The Rust programming language is one of the fastest-growing programming languages, thanks to its unique blend of high performance execution and memory safety. Still, programs implemented in Rust can contain critical bugs. Apart from logic bugs and crashes, code in unsafe blocks can still trigger memory corruptions. To find these, the community uses traditional fuzzers like LibFuzzer or AFL ++ , in combination with Rust-specific macros. Of course, the fuzzers themselves are still written in memory-unsafe languages.In this paper, we explore the possibility of replacing the input generators with Rust, while staying compatible to existing harnesses. Based on the Rust fuzzer library LibAFL, we develop CrabSandwich, a drop-in replacement for the C ++ component of cargo-fuzz. We evaluate our tool, written in Rust, against the original fuzzer LibFuzzer. We show that we are not only able to successfully fuzz all three targets we tested with CrabSandwich, but outperform cargofuzz in bug coverage. During our preliminary evaluation, we already manage to uncover new bugs in the pdf crate that could not be found by cargo-fuzz, proving the real-world applicability of our approach, and giving us high hopes for the planned follow-up evaluations. CCS CONCEPTS• Security and privacy → Software security engineering.

show abstract

FitM: Binary-Only Coverage-Guided Fuzzing for Stateful Network Protocols

Cited by 9 publications

References 16 publications

On the (in)Efficiency of Fuzzing Network Protocols

On the (in)Efficiency of Fuzzing Network Protocols

Adaptive scheduling-based fine-grained greybox fuzzing for cloud-native applications

CrabSandwich: Fuzzing Rust with Rust (Registered Report)

Contact Info

Product

Resources

About