Leveraging Textual Specifications for Grammar-based Fuzzing of Network Protocols

Grammar-based fuzzing is a technique used to find software vulnerabilities by injecting well-formed inputs generated following rules that encode application semantics. Most grammar-based fuzzers for network protocols rely on human experts to manually specify these rules. In this work we study automated learning of protocol rules from textual specifications (i.e. RFCs). We evaluate the automatically extracted protocol rules by applying them to a state-of-the-art fuzzer for transport protocols and show that it leads to a smaller number of test cases while finding the same attacks as the system that uses manually specified rules.
