Uses of Active and Passive Learning in Stateful Fuzzing

Cristian Daniele, Seyed Behnam Andarzian, Erik Poll

TL;DR

The paper addresses the challenge of fuzzing stateful systems by advocating the use of active and passive learning to infer state models that guide fuzzing, benchmarking, and differential testing. It surveys active learning approaches, rooted in state-machine inference, and passive learning that leverages pre-collected traces to construct models, highlighting how these can complement stateful fuzzing. It identifies three combination modes—improving fuzzing effectiveness, benchmarking fuzzers, and differential testing across implementations—and illustrates potential benefits with examples of differing FTP state models. The findings suggest that integrating these learning-based models with fuzzers can enhance state coverage, enable more meaningful comparisons, and help uncover protocol or implementation flaws, with practical impact in security testing and quality assurance; the work is supported by NWO under INTERSECT.

Abstract

This paper explores the use of active and passive learning, i.e., active and passive techniques to infer state machine models of systems, for fuzzing. Fuzzing has become a very popular and successful technique to improve the robustness of software over the past decade, but stateful systems are still difficult to fuzz. Passive and active techniques can help in a variety of ways: to compare and benchmark different fuzzers, to discover differences between various implementations of the same protocol, and to improve fuzzers.
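A compact version of the passive-learning and differential-testing pipeline the abstract describes, added here as an illustration; it is not code from the paper, and it is not how LearnLib or FlexFringe work internally. The learner builds a prefix tree from session traces and greedily merges states whose observed replies agree (a plain merge-and-fold state-merging algorithm standing in for a real passive learner). The two FTP servers, their reply codes and the session traces are constructed for the example, and command parameters are abstracted away (USER/PASS always carry valid credentials) so that behaviour is deterministic per command sequence.

```python
"""Passive learning of FTP state models from session traces, then a model diff.

Added example: not code from the paper, LearnLib or FlexFringe. Servers A and B
are hypothetical and every trace below is constructed by hand.
"""
import copy
from collections import deque


def traces_for(pasv_before_login):
    """Constructed sessions as (command, reply code) pairs for one hypothetical
    server. Only the reply to a PASV sent before login differs between A and B.
    The repeated PWD probes after login are what give the learner evidence that
    logged-in states differ from the initial state (PWD -> 257 vs 530)."""
    return [
        [("USER", "331"), ("PASS", "230"), ("PWD", "257"), ("PASV", "227"), ("PWD", "257"), ("QUIT", "221")],
        [("USER", "331"), ("PASS", "230"), ("PWD", "257"), ("PWD", "257")],
        [("PASV", pasv_before_login), ("USER", "331"), ("PASS", "230"), ("PWD", "257")],
        [("PASS", "503"), ("USER", "331"), ("PASS", "230"), ("PWD", "257")],
        [("PWD", "530"), ("USER", "331"), ("PASS", "230"), ("PWD", "257")],
    ]


TRACES_A = traces_for("530")  # server A refuses PASV until logged in
TRACES_B = traces_for("227")  # server B accepts PASV before login


# A model is {state: {command: (reply, next_state)}}; state 0 is the initial state.
def build_pta(traces):
    """Prefix tree acceptor: one fresh state per distinct command prefix."""
    trans = {0: {}}
    for trace in traces:
        state = 0
        for cmd, reply in trace:
            if cmd not in trans[state]:
                new = len(trans)
                trans[state][cmd] = (reply, new)
                trans[new] = {}
            seen_reply, state = trans[state][cmd]
            if seen_reply != reply:
                raise ValueError(f"traces disagree on {cmd} after the same prefix")
    return trans


def try_merge(trans, a, b):
    """Merge state b into a, folding successor pairs so the model stays
    deterministic. Returns the merged model, or None if folding would require
    two different replies to one command (the merge is then rejected)."""
    trans = copy.deepcopy(trans)
    rep = {}  # dropped state -> state it was merged into

    def find(s):
        while s in rep:
            s = rep[s]
        return s

    work = [(a, b)]
    while work:
        x, y = work.pop()
        keep, drop = find(x), find(y)
        if keep == drop:
            continue
        if keep > drop:
            keep, drop = drop, keep  # state 0 always survives as the initial state
        rep[drop] = keep
        for cmd, (reply, nxt) in trans.pop(drop).items():
            if cmd in trans[keep]:
                kept_reply, kept_nxt = trans[keep][cmd]
                if kept_reply != reply:
                    return None
                work.append((kept_nxt, nxt))
            else:
                trans[keep][cmd] = (reply, nxt)
    return {s: {c: (r, find(n)) for c, (r, n) in t.items()} for s, t in trans.items()}


def learn_model(traces):
    """Greedy state merging: repeatedly merge the lowest-numbered pair of states
    that share at least one observed command and do not conflict."""
    trans = build_pta(traces)
    merged = True
    while merged:
        merged = False
        states = sorted(trans)
        for i, a in enumerate(states):
            for b in states[i + 1:]:
                if not (trans[a].keys() & trans[b].keys()):
                    continue  # no common command: no evidence they behave alike
                new = try_merge(trans, a, b)
                if new is not None:
                    trans, merged = new, True
                    break
            if merged:
                break
    return trans


def run(model, cmds):
    """Replay a command sequence on a model; KeyError if a step was never observed."""
    state, replies = 0, []
    for cmd in cmds:
        reply, state = model[state][cmd]
        replies.append(reply)
    return replies


def differences(model_a, model_b):
    """Walk both models in lock-step from their initial states and report every
    (prefix, command) where the replies differ or only one model has the edge."""
    diffs, seen = [], set()
    queue = deque([((), 0, 0)])
    while queue:
        prefix, sa, sb = queue.popleft()
        if (sa, sb) in seen:
            continue
        seen.add((sa, sb))
        for cmd in sorted(model_a[sa].keys() | model_b[sb].keys()):
            ta, tb = model_a[sa].get(cmd), model_b[sb].get(cmd)
            ra = None if ta is None else ta[0]
            rb = None if tb is None else tb[0]
            if ra != rb:
                diffs.append((prefix, cmd, ra, rb))
            else:
                queue.append((prefix + (cmd,), ta[1], tb[1]))
    return diffs


MODEL_A = learn_model(TRACES_A)
MODEL_B = learn_model(TRACES_B)

if __name__ == "__main__":
    for name, model in (("A", MODEL_A), ("B", MODEL_B)):
        print(f"server {name}: {len(model)} states")
        for s, edges in sorted(model.items()):
            for cmd, (reply, nxt) in edges.items():
                print(f"  s{s} --{cmd}/{reply}--> s{nxt}")
    for prefix, cmd, ra, rb in differences(MODEL_A, MODEL_B):
        print(f"after {list(prefix)}: {cmd} -> A replies {ra}, B replies {rb}")
```

Both learned models collapse the 20-state prefix tree to three states plus a post-QUIT sink, and the lock-step walk reports exactly one difference: PASV from the initial state. The caveat the example also shows is that a passive learner can only distinguish what the traces exercise; drop the PWD probes after login and the merge step happily folds the logged-in states into the initial state. That missing evidence is what an active learner obtains by querying the implementation itself.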

Paper Structure (9 sections, 5 figures)

This paper contains 9 sections, 5 figures.

Figures (5)

  • Figure 1: State model of LightFTP inferred by the active learning tool LearnLib
  • Figure 2: State model of LightFTP inferred by AFLNet and the passive learning tool FlexFringe
  • Figure 3: State model for ProFTPd inferred by LearnLib
  • Figure 4: State model for PureFTPd inferred by LearnLib
  • Figure 5: State model for bftpd inferred by LearnLib