A Survey of Network Protocol Fuzzing: Model, Techniques and Directions (2402.17394v1)

Published 27 Feb 2024 in cs.NI

Abstract: As one of the most successful and effective software testing techniques in recent years, fuzz testing has uncovered numerous bugs and vulnerabilities in modern software, including network protocol software. In contrast to other fuzzing targets, network protocol software exhibits distinct characteristics and challenges, introducing a plethora of research questions that need to be addressed in the design and implementation of network protocol fuzzers. While some research work has evaluated and systematized the knowledge of general fuzzing techniques at a high level, there is a lack of similar analysis and summarization for fuzzing research specific to network protocols. This paper offers a comprehensive exposition of network protocol software's fuzzing-related features and conducts a systematic review of representative advances in network protocol fuzzing since its inception. We summarize state-of-the-art strategies and solutions in various aspects, propose a unified protocol fuzzing process model, and introduce the techniques involved in each stage of the model. This paper also summarizes promising research directions in the landscape of protocol fuzzing to foster exploration within the community toward more efficient and intelligent modern network protocol fuzzing techniques.

Authors (6)
  1. Shihao Jiang (6 papers)
  2. Yu Zhang (1400 papers)
  3. Junqiang Li (3 papers)
  4. Hongfang Yu (35 papers)
  5. Long Luo (8 papers)
  6. Gang Sun (48 papers)