Coverage-guided fuzz testing ("fuzzing") has become mainstream and we have observed lots of progress in this research area recently. However, it is still challenging to efficiently test network services with existing coverage-guided fuzzing methods. In this paper, we introduce the design and implementation of Nyx-Net, a novel snapshot-based fuzzing approach that can successfully fuzz a wide range of targets spanning servers, clients, games, and even Firefox's Inter-Process Communication (IPC) interface. Compared to state-of-the-art methods, Nyx-Net improves test throughput by up to 300x and coverage found by up to 70%. Additionally, Nyx-Net is able to find crashes in two of ProFuzzBench's targets that no other fuzzer found previously. When using Nyx-Net to play the game Super Mario, Nyx-Net shows speedups of 10-30x compared to existing work. Under some circumstances, Nyx-Net is even able to play "faster than light": solving the level takes less wall-clock time than playing the level perfectly even once. Nyx-Net is able to find previously unknown bugs in servers such as Lighttpd, clients such as the MySQL client, and even Firefox's IPC mechanism, demonstrating the strength and versatility of the proposed approach. Lastly, our prototype implementation was awarded a $20.000 bug bounty for enabling fuzzing on previously unfuzzable code in Firefox and solving a long-standing problem at Mozilla.