HFuzz: Towards automatic fuzzing testing of NB-IoT core network protocols implementations

Abstract Narrowband Internet of Things (NB-IoT) is widely deployed in operators' cellular networks, yet implementations of its core network protocols still suffer from bugs. Because the frame structure of the NB-IoT core network protocols is complex, testing protocols in this field is notoriously difficult. In this paper, we propose a novel fuzzing framework, named HFuzz, that automatically generates a large number of high-quality test inputs. HFuzz is an automatic hierarchy-aware fuzzing framework that allocates computing resources efficiently. We put forward the concept of a Message Structure Tree to transform the seed file and generate mutated data for the tested protocols, and we optimize the resource allocation for each hierarchy of the transformed structure with a novel scheduling algorithm. HFuzz can therefore balance breadth and depth in finding new paths. Compared to traditional fuzzing tools, HFuzz can easily pass early verification and induce better coverage of the target implementations by taking full advantage of the format information of NB-IoT core network protocols. Our framework applies to various protocols; in this paper we evaluate the performance of HFuzz on GPRS Tunneling Protocol version 2 (GTPv2) and conduct experiments with two protocol implementations, Open Air Interface (OAI) and B* (a development system). The experimental results show that HFuzz yields higher coverage than American Fuzzy Lop (AFL) and Peach, and we further find a real implementation bug in OAI.
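The Message Structure Tree and per-hierarchy scheduling the abstract describes, sketched as an added Python example (not HFuzz's code, which the paper does not reproduce here): a GTPv2 message is parsed into a tree of header fields and IEs, a mutation budget is split across the tree levels, and each mutant is re-serialized with recomputed length fields so it passes the early length checks the abstract refers to. The tree layout, the two mutation levels and the proportional budget split are my own assumptions, and the sample message is constructed rather than captured.

```python
import random, struct

def build_sample():
    """Constructed GTPv2 message (not a capture): header with TEID, then two TLV IEs."""
    ies = bytes([1, 0, 1, 0, 0x2A]) + bytes([2, 0, 2, 0, 0xBE, 0xEF])
    body = struct.pack(">I", 0x11223344) + b"\x00\x00\x01\x00" + ies   # TEID, seq, spare
    return bytes([0x48, 32]) + struct.pack(">H", len(body)) + body    # ver=2, T=1; type 32
def parse(msg):
    """Message Structure Tree: root -> 'header' fields and 'ies' (one field list per IE)."""
    if msg[0] >> 5 != 2:
        raise ValueError("not a GTPv2 header")
    pos, header, ies = 4, [["flags", msg[0:1]], ["type", msg[1:2]]], []
    if msg[0] & 0x08:                                     # T flag: 4-byte TEID present
        header.append(["teid", msg[pos:pos + 4]]); pos += 4
    header += [["seq", msg[pos:pos + 3]], ["spare", msg[pos + 3:pos + 4]]]; pos += 4
    while pos + 4 <= len(msg):                            # IE = type(1) len(2) inst(1) value
        ln = struct.unpack(">H", msg[pos + 1:pos + 3])[0]
        ies.append([["ie_type", msg[pos:pos + 1]], ["inst", msg[pos + 3:pos + 4]],
                    ["value", msg[pos + 4:pos + 4 + ln]]])
        pos += 4 + ln
    return {"header": header, "ies": ies}
def serialize(tree):
    """Re-encode, recomputing every length so mutants survive the early length checks."""
    body = b"".join(v for _, v in tree["header"][2:])
    for ie in tree["ies"]:
        f = dict(ie)
        body += f["ie_type"] + struct.pack(">H", len(f["value"])) + f["inst"] + f["value"]
    return tree["header"][0][1] + tree["header"][1][1] + struct.pack(">H", len(body)) + body
def schedule(budget, weights):
    """Split the mutation budget across tree levels by weight; rounding remainder to level 0."""
    counts = [budget * w // sum(weights) for w in weights]
    return [counts[0] + budget - sum(counts)] + counts[1:]
def mutate(tree, level, rng):
    """Level 0 (breadth): duplicate or drop an IE.  Level 1 (depth): flip one bit in a field."""
    if level == 0 and tree["ies"]:
        i = rng.randrange(len(tree["ies"]))
        if len(tree["ies"]) > 1 and rng.random() < 0.5:
            del tree["ies"][i]
        else:
            tree["ies"].insert(i, [[n, v] for n, v in tree["ies"][i]])
    else:
        fields = [f for ie in tree["ies"] for f in ie if f[0] == "value" and f[1]] + tree["header"][2:]
        f = rng.choice(fields)
        b = bytearray(f[1]); b[rng.randrange(len(b))] ^= 1 << rng.randrange(8); f[1] = bytes(b)
def generate(seed, budget, weights=(1, 3), rng_seed=0):
    rng, out = random.Random(rng_seed), []   # deterministic for reproducible runs
    for level, n in enumerate(schedule(budget, weights)):
        for _ in range(n):
            tree = parse(seed); mutate(tree, level, rng); out.append(serialize(tree))
    return out
```

Every mutant from `generate()` still carries a valid version field and a length field that matches its size, which is the property a structure-unaware byte mutator tends to break.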
