SnapFuzz: high-throughput fuzzing of network applications

In recent years, fuzz testing has benefited from increased computational power and important algorithmic advances, leading to systems that have discovered many critical bugs and vulnerabilities in production software. Despite these successes, not all applications can be fuzzed efficiently. In particular, stateful applications such as network protocol implementations are constrained by a low fuzzing throughput and the need to develop complex fuzzing harnesses that involve custom time delays and clean-up scripts. In this paper, we present SnapFuzz, a novel fuzzing framework for network applications. SnapFuzz offers a robust architecture that transforms slow asynchronous network communication into fast synchronous communication, snapshots the target at the latest point at which it is safe to do so, speeds up file operations by redirecting them to a custom in-memory filesystem, and removes the need for many fragile modifications, such as configuring time delays or writing clean-up scripts. Using SnapFuzz, we fuzzed five popular networking applications: LightFTP, TinyDTLS, Dnsmasq, LIVE555 and Dcmqrscp. We report impressive performance speedups of 62.8x, 41.2x, 30.6x, 24.6x, and 8.4x, respectively, with significantly simpler fuzzing harnesses in all cases. Due to its advantages, SnapFuzz has also found 12 extra crashes compared to AFLNet in these applications.
