AspFuzz: A state-aware protocol fuzzer based on application-layer protocols

Network-connected software systems face a constant stream of malicious attacks, so software vulnerabilities need to be discovered early, during development. In this paper, we present AspFuzz, a state-aware protocol fuzzer driven by the specifications of application-layer protocols. AspFuzz automatically generates anomalous messages designed to trigger possible vulnerabilities. The key observation behind AspFuzz is that most previously reported attack messages violate the strict specifications of application-layer protocols: they do not conform to the rigid format or syntax required of each message, or they ignore the protocol's states and arrive in an incorrect order. AspFuzz therefore generates a large number of anomalous messages that deliberately violate these specifications and sends them both in the correct order and in anomalous orders. To demonstrate the effectiveness of AspFuzz, we conducted experiments with POP3 and HTTP servers. AspFuzz discovered 20 previously reported vulnerabilities and 1 previously unknown vulnerability in POP3 servers, and 25 previously reported vulnerabilities in HTTP servers.
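The generation strategy the abstract describes, message-level format violations crossed with state-order violations, worked through for POP3 as an added example. This is not AspFuzz's own code: the protocol model is a reduced RFC 1939 (USER/PASS/STAT/LIST/RETR/DELE/NOOP/RSET/QUIT, with APOP, TOP and UIDL left out), and the baseline session, the mutation lists, the labelling by two conformance checkers and the `run_case` crash oracle (a connection reset or gone silent before QUIT) are all assumptions of this example. The host and port passed to `run_case` are whatever server the reader points it at.

```python
"""State-aware POP3 message generation (added example, not AspFuzz's code)."""
import socket

CRLF = "\r\n"

# Reduced model of RFC 1939: the state each command is legal in and its
# minimum/maximum argument count. APOP, TOP and UIDL are omitted (assumption).
SPEC = {
    "USER": ("AUTHORIZATION", 1, 1), "PASS": ("AUTHORIZATION", 1, 1),
    "STAT": ("TRANSACTION", 0, 0),   "LIST": ("TRANSACTION", 0, 1),
    "RETR": ("TRANSACTION", 1, 1),   "DELE": ("TRANSACTION", 1, 1),
    "NOOP": ("TRANSACTION", 0, 0),   "RSET": ("TRANSACTION", 0, 0),
    "QUIT": ("ANY", 0, 0),
}
NUMERIC_ARGS = {"LIST", "RETR", "DELE"}   # message numbers are positive decimals


def valid_sequence(user="alice", password="secret"):
    """A spec-conforming session: authenticate, inspect the maildrop, fetch, delete, quit."""
    return [f"USER {user}{CRLF}", f"PASS {password}{CRLF}", f"STAT{CRLF}",
            f"LIST{CRLF}", f"RETR 1{CRLF}", f"DELE 1{CRLF}", f"QUIT{CRLF}"]


def syntax_conforms(line):
    """Format check for one command line: CRLF terminator, known keyword,
    correct argument count, each argument 1..40 characters, numeric where required."""
    if not line.endswith(CRLF):
        return False
    keyword, *args = line[:-2].split(" ")
    keyword = keyword.upper()                  # keywords are case-insensitive
    if keyword not in SPEC:
        return False
    _, lo, hi = SPEC[keyword]
    if not lo <= len(args) <= hi or any(not 1 <= len(a) <= 40 for a in args):
        return False
    if keyword in NUMERIC_ARGS:
        return all(a.isdigit() and int(a) > 0 for a in args)
    return True


def order_conforms(messages):
    """State check: AUTHORIZATION --USER,PASS--> TRANSACTION --QUIT--> UPDATE."""
    state, prev = "AUTHORIZATION", None
    for line in messages:
        keyword = line.rstrip("\r\n").split(" ")[0].upper()
        if keyword not in SPEC:
            continue                           # server answers -ERR, state unchanged
        if state == "UPDATE":
            return False                       # session already closed by QUIT
        if SPEC[keyword][0] not in ("ANY", state):
            return False
        if keyword == "PASS" and prev != "USER":
            return False                       # PASS is legal only right after USER
        if keyword == "PASS":
            state = "TRANSACTION"
        elif keyword == "QUIT":
            state = "UPDATE"
        prev = keyword
    return True


def syntax_mutations(line):
    """Variants of one valid command line that deliberately break the format rules."""
    body = line[:-2]
    keyword, *args = body.split(" ")
    out = [f"{keyword}{CRLF}",                          # argument dropped
           f"{body} 2 3{CRLF}",                          # too many arguments
           f"{keyword} {'A' * 4096}{CRLF}",              # argument far over the 40-char limit
           f"{body}\n",                                  # bare LF instead of CRLF
           "XYZZ" + "".join(" " + a for a in args) + CRLF]  # unknown keyword, same args
    if keyword in NUMERIC_ARGS:
        out += [f"{keyword} abc{CRLF}", f"{keyword} 0{CRLF}", f"{keyword} -1{CRLF}"]
    return [m for m in out if m != line]                 # dropping STAT's argument changes nothing


def order_mutations(messages):
    """Individually valid messages delivered in the wrong protocol state.
    Assumes the layout of valid_sequence(): USER, PASS, ..., QUIT."""
    return [messages[:1] + messages[2:],       # PASS skipped: mailbox commands while unauthenticated
            messages[2:] + messages[:2],       # authenticate only after touching the mailbox
            messages[-1:] + messages[:-1],     # QUIT first, then keep talking to a closed session
            [messages[1]] + messages]          # PASS before USER


def generate_cases(user="alice", password="secret"):
    """Cross format anomalies with ordering anomalies; label each case by the checkers."""
    base = valid_sequence(user, password)
    cases = [base]
    for idx, line in enumerate(base):              # one malformed message in a valid session
        for mutant in syntax_mutations(line):
            cases.append(base[:idx] + [mutant] + base[idx + 1:])
    for seq in order_mutations(base):              # valid messages, invalid order ...
        cases.append(seq)
        for mutant in syntax_mutations(seq[0]):    # ... and both violations at once
            cases.append([mutant] + seq[1:])
    return [{"messages": c,
             "syntax_ok": all(syntax_conforms(m) for m in c),
             "order_ok": order_conforms(c)} for c in cases]


def run_case(host, port, messages, timeout=3.0):
    """Replay one case against a live server. Crash oracle: a reset or silent
    connection before QUIT. An orderly close after QUIT is normal behaviour."""
    responses = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.recv(512)                            # greeting banner
            for m in messages:
                s.sendall(m.encode("latin-1"))
                reply = s.recv(4096)
                if not reply:                      # clean close by the server
                    responses.append("<closed>")
                    break
                responses.append(reply.decode("latin-1", "replace").rstrip())
    except OSError as exc:                         # reset, timeout, refused
        return {"crash": True, "error": repr(exc), "responses": responses}
    return {"crash": False, "responses": responses}
```

`generate_cases()` yields four classes of input, one conforming session and three that break the format rules, the state machine, or both, and the two checkers label each case so that a crash can be attributed to the kind of violation that produced it. A single mutated message is placed inside an otherwise valid session on purpose: a server that checks argument syntax only after authentication would never see `RETR abc` if the whole session were malformed.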
