Prognosis: Closed-box analysis of network protocol implementations

We present Prognosis, a framework offering automated closed-box learning and analysis of models of network protocol implementations. Prognosis can learn models that vary in abstraction level from simple deterministic automata to models containing data operations, such as register updates, and can be used to unlock a variety of analysis techniques - model checking temporal properties, computing differences between models of two implementations of the same protocol, or improving testing via model-based test generation. Prognosis is modular and easily adaptable to different protocols (e.g. TCP and QUIC) and their implementations. We use Prognosis to learn models of (parts of) three QUIC implementations - Quiche (Cloudflare), Google QUIC, and Facebook mvfst - and use these models to analyse the differences between the various implementations. Our analysis provides insights into different design choices and uncovers potential bugs. Concretely, we have found critical bugs in multiple QUIC implementations, which have been acknowledged by the developers

Analysis and Automated Discovery of Attacks in Transport Protocols

Transport protocols like TCP and QUIC are a crucial component of today’s Internet, underlying services as diverse as email, file transfer, web browsing, video conferencing, and instant messaging as well as infrastructure protocols like BGP and secure network protocols like TLS. Transport protocols provide a variety of important guarantees like reliability, in-order delivery, and congestion control to applications. As a result, the design and implementation of transport protocols is complex, with many components, special cases, interacting features, and efficiency considerations, leading to a high probability of bugs. Unfortunately, today the testing of transport protocols is mainly a manual, ad-hoc process. This lack of systematic testing has resulted in a steady stream of attacks compromising the availability, performance, or security of transport protocols, as seen in the literature. Given the importance of these protocols, we believe that there is a need for the development of automated systems to identify complex attacks in implementations of these protocols and for a better understanding of the types of attacks that will be faced by next generation transport protocols. In this dissertation, we focus on improving this situation, and the security of transport protocols, in three ways. First, we develop a system to automatically search for attacks that target the availability or performance of protocol connections on real transport protocol implementations. Second, we implement a model-based system to search for attacks against implementations of TCP congestion control. Finally, we examine QUIC, Google’s next generation encrypted transport protocol, and identify attacks on availability and performance

Fuzz Driver Generation

Poor software quality has led to tremendous costs and safety disasters, thus, software defects make the news with alarming regularity. Fuzzing is a bug detection technique. In particular, it is a software testing method where a stream of random input is sent to an application to stress the application and cause unexpected behaviour, resource leaks or crashes. When it comes to fuzzing software libraries, a fuzz driver plays an important role because it is the binder between the fuzzer and the target program. Traditionally fuzzing was used in closed-source platforms and also it is used to find vulnerabilities in kernels. However, recent developments show that fuzzing is now applied to open-source libraries. This research study analyses the role of a fuzz driver in the domain of fuzzing to recognise its importance, applications, techniques, challenges and future directions. This study intends to explore the state-of-the-art fuzz driver development strategies and identify trends in research and areas of potential improvements. We identified that fuzz driver generation is mainly seen as a minor activity in fuzzing research. It was evident that the development of a fuzz driver is laborious and time-consuming in nature but multiple innovative methodologies have been adopted in recent years to ease this task There are three main techniques to develop a fuzz driver: software developers manually writing a fuzz driver, semi-automatic generation of a fuzz driver through human-in-the-loop approaches and fully automatic generation of a fuzz driver. This research study evaluates these techniques through case studies and empirical analysis to recognise the best state-of-the-art fuzz driver generation strategy available for researchers and software testers. Our results show that manually developed fuzz drivers still outperform other methodologies in terms of performance but our results show how other methodologies could surpass their performance levels. Furthermore, this study analyses the effect of varying complexity levels of target functions on the performance of the fuzzing campaigns initiated through multiple fuzz driver generation techniques.Thesis (MPhil) -- University of Adelaide, School of Computer Science , 202