Pham, Van-Thuan, Marcel Böhme, and Abhik Roychoudhury. "AFLNet: A Greybox Fuzzer for Network Protocols." 2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST). IEEE, 2020.
- the first stateful coverage-guided greybox fuzzing (CGF) tool (SCGF)
-> mutation-based approach where new message sequences are generated by mutating existing (recorded) message sequences; client: fuzzer, server: fuzz target
- request: message from the client
- response: message from the server
- built on top of AFL; network communication is done over sockets (standard C Socket API)
- the response-receiving channel consists of a state feedback channel and a code coverage feedback channel
- AFLNet's input is a pcap file (request & response packets captured with tcpdump); the message exchange is extracted with Wireshark (extract the sequence of FTP requests)
- AFLNet architecture
1. Request Sequences Parser: produces the initial corpus of message sequences
2. State Machine Learner: builds the IPSM (implemented protocol state machine) by adding newly observed states and transitions
3. Target State Selector: picks the state in the IPSM that AFLNet should focus on next -> uses statistical data (the least-exercised state, states that raised code coverage or state coverage)
4. Sequence Selector: a message sequence that can drive the server to the selected state s
5. Sequence Mutator: a seed message sequence is picked from the corpus -> mutated to generate new sequences
(mutate real message sequences) -> protocol-aware mutation + byte-level mutation
-> if the sequence is judged interesting -> added to the corpus!
- AFLNet evaluation
- compared against BooFuzz and AFLNwe
- branch coverage, state coverage, number of bugs exposed in 24-hour fuzzing campaigns
- LightFTP, LIVE555 (RTSP)
- 2 new CVEs found
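As an added illustration (not AFLNet's own code), a toy Python model of the loop in architecture steps 1-5 above: a constructed FTP-like stand-in server answers each request with a 3-digit reply code, the IPSM is learned from those codes, the least-exercised state is targeted, a seed that reaches it is picked, and only the messages after that prefix are mutated. The server, the "state = reply code" abstraction and the two mutators (message duplication, single bit flip) are simplifications assumed here.

```python
import random

def toy_server(requests):   # constructed stand-in fuzz target: FTP-like login, one reply code per request
    user_seen, replies = False, []
    for verb in (r.split(b" ")[0].upper() for r in requests):
        replies.append(331 if verb == b"USER" else (230 if user_seen else 503) if verb == b"PASS" else 500)
        user_seen = verb == b"USER"   # PASS is only accepted directly after USER
    return replies

def update_ipsm(ipsm, requests, replies):
    """State Machine Learner: states are reply codes (0 = initial). True if a new state or transition appeared."""
    state, new = 0, False
    for req, code in zip(requests, replies):
        trans, verb = ipsm.setdefault(state, {}), req.split(b" ")[0].upper()
        new |= code not in ipsm or trans.get(verb) != code
        trans[verb] = state = code; ipsm.setdefault(code, {})
    return new

def select_target_state(ipsm, exec_count):   # Target State Selector: least-exercised state first
    return min(ipsm, key=lambda s: exec_count.get(s, 0))

def select_sequence(corpus, target):   # Sequence Selector: a seed whose reply path visits the target
    for requests, replies in corpus:
        if target in (path := [0] + replies):
            return requests, path.index(target)   # the first prefix_len messages drive the server to target

def mutate(requests, prefix_len, rng):
    """Sequence Mutator: keep the prefix that reaches the target intact; mutate what follows it."""
    prefix, rest = list(requests[:prefix_len]), list(requests[prefix_len:])
    if not rest or rng.random() < 0.5:   # protocol-aware: insert a copy of a whole message
        rest.insert(rng.randrange(len(rest) + 1), rng.choice(rest or prefix))
    else:                                # byte-level: flip one bit inside one message
        i = rng.randrange(len(rest)); m = bytearray(rest[i])
        m[rng.randrange(len(m))] ^= 1 << rng.randrange(8); rest[i] = bytes(m)
    return prefix + rest

def fuzz(seeds, rounds, seed=1):
    rng, ipsm, exec_count, corpus = random.Random(seed), {0: {}}, {}, []
    for requests in seeds:   # Request Sequences Parser output forms the initial corpus
        replies = toy_server(requests)
        update_ipsm(ipsm, requests, replies); corpus.append((requests, replies))
    for _ in range(rounds):
        requests, prefix_len = select_sequence(corpus, select_target_state(ipsm, exec_count))
        new_requests = mutate(requests, prefix_len, rng)
        replies = toy_server(new_requests)
        for s in [0] + replies:
            exec_count[s] = exec_count.get(s, 0) + 1
        if update_ipsm(ipsm, new_requests, replies):   # interesting: new state or transition observed
            corpus.append((new_requests, replies))
    return ipsm, corpus
```

Running `fuzz([[b"USER anon", b"PASS guest"]], 200)` grows the IPSM from the three seed states to include the 503 (PASS without USER) and 500 (unknown verb) replies, which is exactly the state feedback the notes above describe.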