Stateful protocol fuzzing with statemap-based reverse state selection

Liu Yu, Shen Yanlong, Zhou Ying

TL;DR

This work tackles state explosion and underutilization of bitmap-state relationships in stateful protocol fuzzing. It introduces SMGFuzz, which uses a statemap to discretize the target protocol's state machine and a reverse state selection that prioritizes bitmap coverage for seed mutation. The approach defines statepoints, an ASTS algorithm to build the statemap, and a message-sequence construction strategy that reduces sequence length while preserving coverage. Empirical results on ProFuzzBench show SMGFuzz achieving higher edge coverage, more unique crashes, and faster fuzzing compared to AFLNet, with SnapFuzz providing additional speedups.

Abstract

Stateful Coverage-Based Greybox Fuzzing (SCGF) is considered the state-of-the-art method for network protocol greybox fuzzing. During the protocol fuzzing process, SCGF constructs the state machine of the target protocol by identifying protocol states. Optimal states are selected for fuzzing using heuristic methods, along with corresponding seeds and mutation regions, to effectively conduct fuzz testing. Nevertheless, existing SCGF methodologies prioritise the selection of protocol states without considering the correspondence between program basic block coverage information and protocol states. To address this gap, this paper proposes a statemap-based reverse state selection method for SCGF. This approach prioritises the coverage information of fuzz test seeds, and delves deeper into the correspondence between the basic block coverage information of the program and the protocol state, with the objective of improving the bitmap coverage. The state map is employed to simplify the state machine representation method. Furthermore, the design of different types of states has enabled the optimisation of the method of constructing message sequences; the reduction in the length of message sequences further improves the efficiency of test case execution. By optimising the SCGF, we developed SMGFuzz and conducted experiments utilising ProFuzzBench in order to assess the testing efficiency of SMGFuzz. The results indicate that compared to AFLNet, SMGFuzz achieved an average increase of 12.48% in edge coverage, a 50.1% increase in unique crashes and a 40.2% increase in test case execution speed over a period of 24 hours.
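As an added illustration (not code from the paper or from SMGFuzz), the toy Python model below contrasts the state-first selection the abstract attributes to existing SCGF with the bitmap-first "reverse" selection it proposes: seeds are ranked by how rare their covered edges are, and the statemap is then consulted to find which protocol state that seed reaches. The class name, the rarity score (sum of 1/hits) and the sample seeds are assumptions made for the demo.

```python
from collections import Counter, defaultdict

class StateMap:
    """Toy statemap: records, for each seed (message sequence), the protocol
    state it drove the server into and the bitmap edges it covered."""

    def __init__(self):
        self.seed_state = {}                 # seed id -> state reached
        self.seed_edges = {}                 # seed id -> frozenset of edge ids
        self.state_seeds = defaultdict(set)  # state -> seed ids reaching it
        self.edge_hits = Counter()           # edge id -> number of seeds hitting it

    def record(self, seed_id, state, edges):
        edges = frozenset(edges)
        self.seed_state[seed_id] = state
        self.seed_edges[seed_id] = edges
        self.state_seeds[state].add(seed_id)
        self.edge_hits.update(edges)

    def forward_select(self):
        """State-first selection (simplified stand-in for an AFLNet-style
        heuristic): pick the state reached by the fewest seeds, then a seed in it."""
        state = min(self.state_seeds, key=lambda s: (len(self.state_seeds[s]), s))
        seed = min(self.state_seeds[state])
        return state, seed

    def seed_rarity(self, seed_id):
        """Assumed scoring rule: a seed is worth more the rarer its edges are
        across the whole corpus (sum of 1/hits over the seed's edges)."""
        return sum(1.0 / self.edge_hits[e] for e in self.seed_edges[seed_id])

    def reverse_select(self):
        """Reverse selection: rank seeds by bitmap rarity first, then look up
        the state that seed reaches via the statemap."""
        seed = max(self.seed_edges, key=lambda s: (self.seed_rarity(s), s))
        return self.seed_state[seed], seed

def build_demo_statemap():
    # Constructed sample data: five seeds reaching three states of a toy protocol.
    sm = StateMap()
    sm.record("s1", "AUTH", {1, 2, 3})
    sm.record("s2", "AUTH", {1, 2, 4})
    sm.record("s3", "DATA", {1, 2, 9, 10})   # only seed hitting edges 9 and 10
    sm.record("s4", "QUIT", {1, 2})          # rarest state, but only common edges
    sm.record("s5", "DATA", {1, 2, 3})
    return sm

if __name__ == "__main__":
    sm = build_demo_statemap()
    print("state-first:", sm.forward_select())   # ('QUIT', 's4')
    print("reverse    :", sm.reverse_select())   # ('DATA', 's3')
```

With the constructed corpus the two strategies disagree: state-first picks the thinly populated QUIT state, while reverse selection picks the seed that alone covers two rare edges and therefore fuzzes the DATA state.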

Paper Structure (41 sections, 5 equations, 9 figures, 3 tables, 3 algorithms)

Figures (9)

  • Figure 1: The architecture of AFLNet
  • Figure 3: Architecture of SMGFuzz
  • Figure 4: Statemap Design
  • Figure 5: Statepoint Design