Pulsar: Stateful Black-Box Fuzzing of Proprietary Network Protocols

The security of network services and their protocols critically depends on minimizing their attack surface. A single flaw in an implementation can suffice to compromise a service and expose sensitive data to an attacker. The discovery of vulnerabilities in protocol implementations, however, is a challenging task: while for standard protocols this process can be conducted with regular auditing techniques, the situation becomes difficult for proprietary protocols if neither the program code nor the specification of the protocol is easily accessible. As a result, vulnerabilities in closed-source implementations can often remain undiscovered for a long period of time. In this paper, we present Pulsar, a method for stateful black-box fuzzing of proprietary network protocols. Our method combines concepts from fuzz testing with techniques for automatic protocol reverse engineering and simulation. It proceeds by observing the traffic of a proprietary protocol and inferring a generative model of message formats and protocol states that can not only analyze but also simulate communication. During fuzzing, this simulation can effectively explore the protocol state space and thereby enables uncovering vulnerabilities deep inside the protocol implementation. We demonstrate the efficacy of Pulsar in two case studies, where it identifies known as well as unknown vulnerabilities.
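The idea sketched above, learning a state model from observed traffic and then using it to drive a fuzzer to a specific protocol state, can be illustrated with a small added example. This is not Pulsar's code: the line-oriented protocol, the recorded sessions, the `ToyServer` stand-in for the implementation under test and all function names are constructed for this illustration. Message formats are reduced to "keyword plus optional payload", and protocol states are the observed (client message, server reply) exchanges, over which a first-order Markov model is learned; the fuzzer replays the shortest learned path to a target state, mutates the final message, and reports whether the implementation actually followed the model.

```python
# Added example, not Pulsar's code. Protocol, sessions and server are constructed.
from collections import defaultdict, deque

# Constructed traffic: each session alternates client message, server reply.
SESSIONS = [
    ["HELO alice", "OK", "AUTH s3cr3t", "OK", "DATA hello", "OK", "QUIT", "BYE"],
    ["HELO bob", "OK", "AUTH wrong", "ERR", "QUIT", "BYE"],
    ["HELO carol", "OK", "AUTH s3cr3t", "OK", "DATA x", "OK", "DATA y", "OK",
     "QUIT", "BYE"],
]


def msg_type(msg):
    """Inferred message format is 'KEYWORD [payload]'; the keyword is the type."""
    return msg.split(" ", 1)[0]


def payload(msg):
    parts = msg.split(" ", 1)
    return parts[1] if len(parts) > 1 else ""


def exchanges(session):
    """Pair each client message with the server reply that follows it."""
    return list(zip(session[0::2], session[1::2]))


def infer_model(sessions):
    """Learn message templates and a Markov model over protocol states.
    A state is labelled 'CLIENTTYPE/REPLYTYPE' so that a reply observed after
    AUTH is not confused with the same reply observed after HELO."""
    templates = defaultdict(set)
    counts = defaultdict(lambda: defaultdict(int))
    for s in sessions:
        labels = ["START"]
        for c, r in exchanges(s):
            templates[msg_type(c)].add(payload(c))
            labels.append(f"{msg_type(c)}/{msg_type(r)}")
        for a, b in zip(labels, labels[1:]):
            counts[a][b] += 1
    transitions = {a: {b: n / sum(nxt.values()) for b, n in nxt.items()}
                   for a, nxt in counts.items()}
    return {t: sorted(p) for t, p in templates.items()}, transitions


def path_to(transitions, target):
    """Shortest chain of states from START to target (BFS over the model)."""
    prev = {"START": None}
    queue = deque(["START"])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1][1:]  # drop START
        for nxt in sorted(transitions.get(cur, {})):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


class ToyServer:
    """Constructed stand-in for the implementation under test. DATA is only
    handled after a successful AUTH, so its handler sits deep in the state machine."""

    def __init__(self):
        self.state = "new"
        self.handlers_hit = []

    def handle(self, msg):
        t, p = msg_type(msg), payload(msg)
        if t == "HELO" and self.state == "new":
            self.state = "greeted"
            return "OK"
        if t == "AUTH" and self.state == "greeted":
            if p == "s3cr3t":
                self.state = "authed"
                return "OK"
            return "ERR"
        if t == "DATA" and self.state == "authed":
            self.handlers_hit.append("DATA")
            return "OK"
        if t == "QUIT":
            self.state = "closed"
            return "BYE"
        return "ERR"


def fuzz_state(server, templates, transitions, target, mutate):
    """Replay the learned path to `target`, mutating only the final client
    message. Returns (reached, trace); reached is False as soon as the server's
    reply type deviates from what the model predicts."""
    path = path_to(transitions, target)
    if path is None:
        raise ValueError(f"state {target} is not reachable in the learned model")
    trace = []
    for label in path:
        ctype, expected = label.split("/")
        p = templates[ctype][0] if templates[ctype] else ""
        if label == target:
            p = mutate(p)
        msg = f"{ctype} {p}".rstrip()
        reply = server.handle(msg)
        trace.append((msg, reply))
        if msg_type(reply) != expected:
            return False, trace
    return True, trace


if __name__ == "__main__":
    templates, transitions = infer_model(SESSIONS)
    print("path to DATA/OK:", path_to(transitions, "DATA/OK"))
    srv = ToyServer()
    reached, trace = fuzz_state(srv, templates, transitions, "DATA/OK",
                                lambda p: "A" * 4096)
    print("stateful run reached target:", reached, "handlers:", srv.handlers_hit)
    print("stateless DATA reply:", ToyServer().handle("DATA " + "A" * 4096))
```

Sending the oversized `DATA` message directly yields `ERR` from the initial state and never exercises the handler, whereas the stateful run walks `HELO/OK`, `AUTH/OK`, `DATA/OK` and delivers the mutated message to the deep handler. The same replay also detects model/implementation mismatches: asking for the `AUTH/ERR` state with the learned (valid) credential makes the server answer `OK`, so `fuzz_state` stops and reports `reached = False`.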
