基于消息序列归属优化的网络协议灰盒模糊测试方法

doi:10.16180/j.cnki.issn1007-7820.2024.11.006

摘要/Abstract

摘要：

基于覆盖引导的网络协议灰盒模糊器AFLNET技术在网络安全测试领域较受关注,且已有较多优秀研究成果。在对AFLNET及其衍生工具进行分析后,文中发现其在对消息序列归属、消息序列评估以及消息序列变异点位置选取3个方面存在不足,并提出了基于消息序列归属优化的网络协议灰盒模糊方法。该方法定义了偏好度概念用于衡量消息序列能够给每个状态带来模糊收益的大小,同时提出了新的消息序列归属算法并结合偏好度对有趣消息序列进行重新归属。利用多维度的反馈信息构造出一个评估函数,用于更加准确地计算出每个消息序列真实的潜力。还提出了一种新的变异点分析算法,用于帮助模糊器过滤掉已变异位置,转而对其他更有趣的变异位置进行变异。实验结果表明,相比于主流方法,基于所提方法实现的QFuzzer在路径覆盖数方面提升了6.94%~11.04%,在漏洞发现数方面提升了7.24%~30.70%。

关键词: 网络协议, 安全, 灰盒, 模糊测试, 消息序列, 归属, 优化, 漏洞挖掘

Abstract:

Network protocol grey box fuzzing AFLNET technology based on overlay guidance has attracted more attention in the field of network security testing, and there are many excellent research results. After the analysis of AFLNET and its derivatives, it is found that AFLNET has shortcomings in three aspects: message sequence attribution, message sequence evaluation and the selection of message sequence variation points, and a network protocol grey box fuzzy method based on message sequence attribution optimization is proposed. This method defines the concept of preference degree to measure the fuzzy benefit that message sequence can bring to each state, and proposes a new message sequence assignment algorithm combined with preference degree to re-assign interesting message sequences. Then, an evaluation function is constructed using the feedback information of multiple dimensions, which is used to more accurately calculate the true potential of each message sequence. In addition, a new mutation point analysis algorithm is proposed to help the fuzzer filter out the already mutated positions and mutate other more interesting mutated positions instead. The experimental results show that compared with the mainstream method, the QFuzzer implemented based on the proposed method increases the number of path coverage by 6.94%~11.04%, and the number of vulnerabilities found increases by 7.24%~30.70%.

Key words: network protocol, security, grey box, fuzz testing, message sequence, attribution, optimization, vulnerability mining

中图分类号:

TP393

邱磊磊, 徐向华, 王然. 基于消息序列归属优化的网络协议灰盒模糊测试方法[J]. 电子科技, 2024, 37(11): 39-46.

QIU Leilei, XU Xianghua, WANG Ran. A Grey-Box Fuzzing Method for Network Protocols Based on Message Sequence Attribution Optimization[J]. Electronic Science and Technology, 2024, 37(11): 39-46.

图/表 10

图1

表1

图2

图3

表2

图4

图5

图6

参考文献 18

[1]	Munea T L, Lim H, Shon T. Network protocol fuzz testing for information systems and applications: A survey and taxonomy[J]. Multimedia Tools and Applications, 2016, 75(22):14745-14757.
[2]	Hu Z, Pan Z. A systematic review of network protocol fuzzing techniques[C]. Chongqing:IEEE the Fourth Advanced Information Management,Communicates,Electronic and Automation Control Conference, 2021:1000-10105.
[3]	Eddington M. Peach fuzzer platform[EB/OL].(2017-10-12) [2023-04-15]https://wiki.mozilla.org/Security/Fuzzing/Peach.
[4]	Amini P. Sulley:A pure-python fully automated and unattended fuzzing framework[EB/OL].(2019-03-16) [2023-04-15]https://github.com/OpenRCE/sulley.
[5]	Pereyda J. Boofuzz:A fork and successor of the sulley fuzzing framework[EB/OL].(2022-06-12) [2023-04-15]https://github.com/jtpereyda/boofuzz.
[6]	Banks G, Cova M, Felmetsger V, et al. SNOOZE: Toward a stateful network protocol fuzzer[C]. Samos Island:Proceedings of the Ninth International Conference on Information Security, 2006:343-358.
[7]	Pham V T, Bohme M, Roychoudhury A. AFLNet: A greybox fuzzer for network protocols[C]. Porto:IEEE the Thirteenth International Conference on Software Testing, Validation and Verification, 2020: 460-465.
[8]	Zalewski M. American fuzzy lop fuzzer[EB/OL].(2014-06-05) [2023-04-15]http://lcamtuf.coredump.cx/afl/.
[9]	Li J, Li S, Sun G, et al. SNPSFuzzer:A fast greybox fuzzer for stateful network protocols using snapshots[J]. IEEE Transactions on Information Forensics and Security, 2022, 17(1):2673-2687.
[10]	Liu D, Pham V T, Ernst G, et al. State selection algorithms and their impact on the performance of stateful network protocol fuzzing[C]. Honolulu:IEEE International Conference on Software Analysis,Evolution and Reengineering, 2022:720-730.
[11]	Qin S, Hu F, Zhao B, et al. Registered report: NSFuzz:Towards efficient and state-aware network service fuzzing[J]. ACM Transactions on Software Engineering and Methodology, 2022, 12(2):150-158.
[12]	Natella R. StateAFL:Greybox fuzzing for stateful network servers[J]. Empirical Software Engineering, 2022, 27(7):191-199.
[13]	Pham V T. AFLNWE[EB/OL].(2020-10-12) [2023-04-15]https://github.com/thuanpv/aflnwe.
[14]	Rescorla E. Datagram transport layer security version 1.2[EB/OL].(2013-08-16) [2023-04-05]https://datatracker.ietf.org/doc/html/rfc6347.
[15]	Kelley S. Dnsmasq[EB/OL].(2011-03-22) [2023-0415]https://thekelleys.org.uk/dnsmasq/doc.html.
[16]	Schulzrinne H, Rao A, Lanphier R, et al. Real-time streaming protocol version 2.0[EB/OL].(2016-09-23) [2023-04-15]https://tools.ietf.org/html/rfc7826.
[17]	Git Hub. Tinydtls:A version of tinydtls that is refacto-red to be more easy to use standalone[EB/OL].(2020-06-14) [2023-04-15].
[18]	Finlayson R. Live555 media server[EB/OL].(2019-08-15) [2023-04-15]http://www.live555.com/mediaServer/.

待测协议实体	QFuzzer	StateAFL	AFLNET	AFLNWE
Tinydtls	55.0	52.7	54	25.7
Dnsmasq	45.3	44.7	28.7	15.7
Live555	194.3	177.3	142.7	87.0
合计	294.6	274.7	225.4	128.4

待测协议实体	QFuzzer	StateAFL	AFLNET	AFLNWE
Tinydtls	422.7	388.0	372.3	151.7
Dnsmasq	456.0	418.7	409.3	325.0
Live555	1 278.3	1 210.3	1 161.0	1 090.3
总计	2 157.0	2017.0	1 942.6	1 567.0