Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

ChatHTTPFuzz: Large Language Model-Assisted IoT HTTP Fuzzing

Zhe Yang, Hao Peng, Yanling Jiang, Xingwei Li, Haohua Du, Shuhai Wang, Jianwei Liu

TL;DR

This paper investigates and finds that large language models (LLMs) excel in parsing HTTP protocol data and analyzing code logic, and proposes a novel LLM-guided IoT HTTP fuzzing method, ChatHTTPFuzz, which automatically parses protocol fields and analyzes service code logic to generate protocol-compliant test cases.

Abstract

Internet of Things (IoT) devices offer convenience through web interfaces, web VPNs, and other web-based services, all relying on the HTTP protocol. However, these externally exposed HTTP services resent significant security risks. Although fuzzing has shown some effectiveness in identifying vulnerabilities in IoT HTTP services, most state-of-the-art tools still rely on random mutation trategies, leading to difficulties in accurately understanding the HTTP protocol's structure and generating many invalid test cases. Furthermore, These fuzzers rely on a limited set of initial seeds for testing. While this approach initiates testing, the limited number and diversity of seeds hinder comprehensive coverage of complex scenarios in IoT HTTP services. In this paper, we investigate and find that large language models (LLMs) excel in parsing HTTP protocol data and analyzing code logic. Based on these findings, we propose a novel LLM-guided IoT HTTP fuzzing method, ChatHTTPFuzz, which automatically parses protocol fields and analyzes service code logic to generate protocol-compliant test cases. Specifically, we use LLMs to label fields in HTTP protocol data, creating seed templates. Second, The LLM analyzes service code to guide the generation of additional packets aligned with the code logic, enriching the seed templates and their field values. Finally, we design an enhanced Thompson sampling algorithm based on the exploration balance factor and mutation potential factor to schedule seed templates. We evaluate ChatHTTPFuzz on 14 different real-world IoT devices. It finds more vulnerabilities than SNIPUZZ, BOOFUZZ, and MUTINY. ChatHTTPFuzz has discovered 103 vulnerabilities, of which 68 are unique, and 23 have been assigned CVEs.

ChatHTTPFuzz: Large Language Model-Assisted IoT HTTP Fuzzing

TL;DR

This paper investigates and finds that large language models (LLMs) excel in parsing HTTP protocol data and analyzing code logic, and proposes a novel LLM-guided IoT HTTP fuzzing method, ChatHTTPFuzz, which automatically parses protocol fields and analyzes service code logic to generate protocol-compliant test cases.

Abstract

Internet of Things (IoT) devices offer convenience through web interfaces, web VPNs, and other web-based services, all relying on the HTTP protocol. However, these externally exposed HTTP services resent significant security risks. Although fuzzing has shown some effectiveness in identifying vulnerabilities in IoT HTTP services, most state-of-the-art tools still rely on random mutation trategies, leading to difficulties in accurately understanding the HTTP protocol's structure and generating many invalid test cases. Furthermore, These fuzzers rely on a limited set of initial seeds for testing. While this approach initiates testing, the limited number and diversity of seeds hinder comprehensive coverage of complex scenarios in IoT HTTP services. In this paper, we investigate and find that large language models (LLMs) excel in parsing HTTP protocol data and analyzing code logic. Based on these findings, we propose a novel LLM-guided IoT HTTP fuzzing method, ChatHTTPFuzz, which automatically parses protocol fields and analyzes service code logic to generate protocol-compliant test cases. Specifically, we use LLMs to label fields in HTTP protocol data, creating seed templates. Second, The LLM analyzes service code to guide the generation of additional packets aligned with the code logic, enriching the seed templates and their field values. Finally, we design an enhanced Thompson sampling algorithm based on the exploration balance factor and mutation potential factor to schedule seed templates. We evaluate ChatHTTPFuzz on 14 different real-world IoT devices. It finds more vulnerabilities than SNIPUZZ, BOOFUZZ, and MUTINY. ChatHTTPFuzz has discovered 103 vulnerabilities, of which 68 are unique, and 23 have been assigned CVEs.

Paper Structure

This paper contains 36 sections, 3 equations, 12 figures, 10 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. BackGround
  3. HTTP Protocol Fuzzing
  4. Large Language Models
  5. LLMs in Fuzzing
  6. Capability Evaluation: The Impact of Large Language Models on HTTP Protocol Fuzzing
  7. Field Identification: Comprehensive and Precise Annotation
  8. Package Enrichment: Parsing and Generation
  9. Design of ChatHTTPFuzz
  10. LLM-Guided HTTP Protocol Structure Aware
  11. LLM-Guided HTTP Protocol Variable Annotation
  12. Seed Template Structure
  13. LLM-Guided Seed Template Enrichment
  14. Static Analysis Preprocessing
  15. LLM-Guided Packet Generation
  16. ...and 21 more sections

Figures (12)

  • Figure 1: LLM-Assisted Packet Generation. The Upper Part of the Diagram Contains Packets and Code, While the Lower Part Contains Code Only. The Code in the Green Section is Key to Determining the Branching Direction.
  • Figure 2: ChatHTTPFuzz workflow. The green section in the diagram represents our innovation, utilizing LLM for protocol parsing, seed template generation, and packet enrichment. The diagram also includes modules for seed mutation and scheduling, with the system's operational infrastructure shown on the right.
  • Figure 3: Package Prompt. On the left are prompts for annotating Header variables, while on the right are prompts designed for Content.
  • Figure 4: Seed Template Struction. Showcasing HTTP protocol preservation, variable annotations, mutation guidance, and scheduling information.
  • Figure 5: Packet-Code Prompt.
  • ...and 7 more figures