
AFLNET: A Greybox Fuzzer for Network Protocols

by sonysame 2024. 3. 26.
Pham, Van-Thuan, Marcel Böhme, and Abhik Roychoudhury. "AFLNet: A Greybox Fuzzer for Network Protocols." 2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST). IEEE, 2020.


  • the first stateful coverage-guided fuzzing tool (SCGF)
    -> mutation-based approach: new message sequences are generated by mutating existing (recorded) message sequences
  • client: fuzzer & server: fuzz target
  • request: message from the client
  • response: message from the server
  • built on top of AFL; network communication is done over sockets (standard C Socket API)
  • the response-receiving channel consists of a state feedback channel and a code coverage feedback channel


  • AFLNet's input is a pcap file (request & response packets captured with tcpdump); the message exchanges are extracted with Wireshark (e.g. extracting the sequence of FTP requests)
  • AFLNet architecture
    1. Request Sequences Parser: produces the initial corpus of message sequences
    2. State Machine Learner: builds the IPSM (implemented protocol state machine) by adding newly observed states and transitions
    3. Target State Selector: picks the state in the IPSM that AFLNet should focus on next -> uses statistical data (the least-exercised state, states that increase code coverage or state coverage)
    4. Sequence Selector: picks a message sequence that can reach the selected state s
    5. Sequence Mutator: a seed message sequence is selected from the corpus -> mutated to generate new sequences
       (mutates real message sequences) -> protocol-aware mutation + byte-level mutation
       -> if the new sequence is judged interesting -> added to the corpus!
  • AFLNet evaluation
    - compared against BooFuzz and AFLnwe
    - metrics: branch coverage, state coverage, number of bugs exposed in 24-hour fuzzing campaigns
    - targets: LightFTP, LIVE555 (RTSP)
    - 2 new CVEs discovered
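To make the five-stage loop above (parser, state machine learner, target state selector, sequence selector, sequence mutator) concrete, here is a toy simulation added to these notes. It is not AFLNet's code: the FTP-like server model, the recorded session bytes, and every helper name (`parse_request_sequence`, `IPSM`, `fuzz`, ...) are constructed for illustration. Status codes in responses play the role of the state feedback channel, the set of command handlers hit plays the role of the code coverage channel, and the mutator keeps the prefix that reaches the target state intact while mutating the rest, as the notes describe.

```python
"""Toy simulation of AFLNet's stateful greybox fuzzing loop (added illustration,
NOT AFLNet's own code; server model, session bytes and names are constructed)."""
import random
from collections import defaultdict

# Constructed sample: a recorded client session as the Request Sequences Parser
# would extract it from a pcap. FTP requests are delimited by CRLF.
RECORDED_SESSION = b"USER anon\r\nPASS guest\r\nPWD\r\nQUIT\r\n"


def parse_request_sequence(raw, delimiter=b"\r\n"):
    """Request Sequences Parser: split a client byte stream into messages."""
    return [part + delimiter for part in raw.split(delimiter) if part]


class ToyFtpServer:
    """Minimal FTP-like server model. The 3-digit status code returned per
    request is the state feedback AFLNet extracts from server responses."""

    def __init__(self):
        self.have_user = False
        self.logged_in = False
        self.coverage = set()          # crude stand-in for branch coverage

    def handle(self, request):
        cmd = request.split(b" ")[0].strip().upper()
        self.coverage.add(cmd)
        if cmd == b"USER":
            self.have_user = True
            return 331
        if cmd == b"PASS":
            if not self.have_user:
                return 503             # bad command sequence
            self.logged_in = True
            return 230
        if cmd == b"PWD":
            return 257 if self.logged_in else 530
        if cmd == b"QUIT":
            return 221
        return 500                     # unknown command


def run_sequence(sequence):
    """Send a sequence to a fresh server; return visited states and coverage."""
    server = ToyFtpServer()
    states = [0]                       # state 0 = before any response
    for message in sequence:
        states.append(server.handle(message))
    return states, server.coverage


class IPSM:
    """State Machine Learner: the implemented protocol state machine, grown
    from observed response codes (states) and their transitions."""

    def __init__(self):
        self.transitions = set()
        self.exercised = defaultdict(int)

    def update(self, states):
        """Record states/transitions; return True if a new transition was seen."""
        new = False
        for src, dst in zip(states, states[1:]):
            if (src, dst) not in self.transitions:
                self.transitions.add((src, dst))
                new = True
        for s in states:
            self.exercised[s] += 1
        return new

    def select_target_state(self):
        """Target State Selector: the least-exercised state so far."""
        return min(self.exercised, key=self.exercised.get)


def mutate(sequence, rng, known_messages):
    """Sequence Mutator: one protocol-aware (message-level) or byte-level mutation."""
    seq = list(sequence)
    op = rng.choice(["flip_byte", "insert", "delete", "duplicate"])
    if op == "insert":                 # protocol-aware: splice in a real message
        seq.insert(rng.randrange(len(seq) + 1), rng.choice(known_messages))
    elif op == "delete" and len(seq) > 1:
        del seq[rng.randrange(len(seq))]
    elif op == "duplicate":
        i = rng.randrange(len(seq))
        seq.insert(i, seq[i])
    else:                              # byte-level: flip one bit in one message
        i = rng.randrange(len(seq))
        data = bytearray(seq[i])
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        seq[i] = bytes(data)
    return seq


def fuzz(seed_sequence, iterations=300, seed=1):
    """AFLNet loop: pick a target state, keep the prefix that reaches it,
    mutate the remainder, keep children that add state or code coverage."""
    rng = random.Random(seed)
    ipsm, corpus = IPSM(), [list(seed_sequence)]
    states, total_cov = run_sequence(corpus[0])
    ipsm.update(states)
    for _ in range(iterations):
        target = ipsm.select_target_state()
        # Sequence Selector: a corpus entry whose run reaches the target state.
        parent = rng.choice([s for s in corpus if target in run_sequence(s)[0]])
        reach = run_sequence(parent)[0].index(target)   # messages needed to reach target
        prefix, rest = parent[:reach], parent[reach:]
        child = prefix + mutate(rest, rng, seed_sequence) if rest else mutate(parent, rng, seed_sequence)
        states, cov = run_sequence(child)
        new_transition = ipsm.update(states)
        new_cov = not cov <= total_cov
        total_cov |= cov
        if new_transition or new_cov:  # "interesting" -> add to corpus
            corpus.append(child)
    return ipsm, corpus, total_cov
```

Running `fuzz(parse_request_sequence(RECORDED_SESSION))` starts from the single recorded session (states 0, 331, 230, 257, 221) and, through deletions and insertions of real messages plus bit flips, discovers error states such as 503 (PASS without USER), 530 (PWD before login) and 500 (garbled command) that the recorded traffic never exercised; that growth of the IPSM beyond the seed is exactly the state coverage AFLNet reports.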