Fuzzing network servers is a technical challenge, since the behavior of the target server depends on its state over a sequence of multiple messages. Existing solutions are costly and difficult to use, as they rely on manually customized artifacts such as protocol models, protocol parsers, and learning frameworks. The aim of this work is to develop a greybox fuzzer for network servers that only relies on lightweight analysis of the target program, with no manual customization, in a similar way to what the AFL fuzzer achieved for stateless programs. The proposed fuzzer instruments the target server at compile-time, to insert probes on memory allocations and network I/O operations. At run-time, it infers the current protocol state of the target by analyzing snapshots of long-lived memory areas, and incrementally builds a protocol state machine for guiding fuzzing. The experimental results show that the fuzzer can be applied with no manual customization on a large set of network servers for popular protocols, and that it can achieve comparable or even better code coverage than customized fuzzing. Moreover, our qualitative analysis shows that states inferred from memory better reflect the server behavior than only using response codes from messages.
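The state-inference idea in the abstract, as an added toy illustration that is not code from the paper or its fuzzer: a constructed FTP-like server keeps its session state in a dict standing in for the long-lived memory a compile-time probe would snapshot, each distinct (abstracted) snapshot becomes a protocol state, and the resulting transitions are compared with the response-code view. The masking rule (strings reduced to set/unset) is an assumption chosen for the toy, not the paper's snapshot abstraction.

```python
import hashlib


class ToyServer:
    """Constructed stand-in for an instrumented server; `mem` plays the role
    of the long-lived memory areas that would be snapshotted after each message."""

    def __init__(self):
        self.mem = {"user": "", "logged_in": False}

    def handle(self, msg):
        cmd, _, arg = msg.partition(" ")
        if cmd == "USER":
            self.mem["user"] = arg
            return 331
        if cmd == "PASS":
            if self.mem["user"]:
                self.mem["logged_in"] = True
                return 230
            return 503
        return 500


def snapshot(server):
    """Abstract the long-lived memory: input-derived strings (the user name) are
    reduced to set/unset so only structural differences produce new states."""
    abstract = {k: (bool(v) if isinstance(v, str) else v) for k, v in server.mem.items()}
    return hashlib.sha1(repr(sorted(abstract.items())).encode()).hexdigest()[:8]


def infer_state_machine(sequence):
    """Replay one message sequence; each distinct snapshot gets a state id and
    every (state, command, next_state) edge is recorded."""
    server, ids = ToyServer(), {}
    sid = lambda snap: ids.setdefault(snap, len(ids))
    cur, edges, codes = sid(snapshot(server)), [], []
    for msg in sequence:
        codes.append(server.handle(msg))
        nxt = sid(snapshot(server))
        edges.append((cur, msg.split()[0], nxt))
        cur = nxt
    return edges, codes


def code_state_machine(codes):
    """Baseline the abstract contrasts against: states named by response code."""
    edges, cur = [], "init"
    for c in codes:
        edges.append((cur, str(c)))
        cur = str(c)
    return edges


if __name__ == "__main__":
    edges, codes = infer_state_machine(["USER alice", "PASS pw", "USER bob"])
    print("memory-inferred:", edges)                  # second USER stays logged in
    print("response codes :", code_state_machine(codes))  # 331 looks like a loop back
```

The second USER yields the same 331 code as the first, so a response-code state machine loops back, while the memory snapshot shows the session is still logged in.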