Learning-Guided Fuzzing for Testing Stateful SDN Controllers

TL;DR

This paper tackles the challenge of testing stateful SDN controllers, where failures may arise only after complex sequences of control messages. It introduces SeqFuzzSDN, a learning-guided fuzzing framework that sniffs OpenFlow-like messages, mutates sequences with five fuzz operators, learns failure-inducing EFSMs with Mint and RIPPER, and plans fuzzing paths via a multi-objective NSGA-II search. Empirical results on ONOS and RYU show SeqFuzzSDN yields more diverse, effective tests and more accurate EFSMs than extended baselines (FuzzSDN, Delta, Beads), with scalability largely independent of network size due to sampling-based learning. The work advances practical, instrumentation-free testing of stateful SDN controllers and provides artifacts for reproducibility and further research.

Abstract

Controllers for software-defined networks (SDNs) are centralised software components that enable advanced network functionalities, such as dynamic traffic engineering and network virtualisation. However, these functionalities increase the complexity of SDN controllers, making thorough testing crucial. SDN controllers are stateful, interacting with multiple network devices through sequences of control messages. Identifying stateful failures in an SDN controller is challenging due to the infinite possible sequences of control messages, which result in an unbounded number of stateful interactions between the controller and network devices. In this article, we propose SeqFuzzSDN, a learning-guided fuzzing method for testing stateful SDN controllers. SeqFuzzSDN aims to (1) efficiently explore the state space of the SDN controller under test, (2) generate effective and diverse tests (i.e., control message sequences) to uncover failures, and (3) infer accurate failure-inducing models that characterise the message sequences leading to failures. In addition, we compare SeqFuzzSDN with three extensions of state-of-the-art (SOTA) methods for fuzzing SDNs. Our findings show that, compared to the extended SOTA methods, SeqFuzzSDN (1) generates more diverse message sequences that lead to failures within the same time budget, and (2) produces more accurate failure-inducing models, significantly outperforming the other extended SOTA methods in terms of sensitivity.

Figures (15)

• Figure 1: An SDN topology example.
• Figure 2: Approach overview. To test a stateful SDN controller, SeqFuzzSDN fuzzes control message sequences guided by inferred extended finite state machines (EFSMs) that capture failure-inducing message sequences.
• Figure 3: A data flow example of fuzzing by applying either the deletion, insertion, duplication, delay, or modification operator.
• Figure 4: A simplified EFSM example produced by SeqFuzzSDN. The $\uparrow$ and $\downarrow$ arrows indicate that the corresponding control messages are received and sent, respectively, by the controller under test.
• Figure 5: An example illustration of generating a candidate solution from a simple EFSM: (a) a simple EFSM for clarity, (b) two shortest paths from S0 to S2, and (c) a candidate solution and its associated fuzz operator, i.e., delay.