Stateful Greybox Fuzzing
Many bugs in protocol implementations may only manifest when the system is in
a particular "state". For instance, to trigger one of the bugs we found in an
RTSP implementation, the fuzzer must first send two different types of messages
to usher the protocol implementation from the INIT via the READY to the PLAY
state where the bug is exposed. Without knowledge of the protocol, it is
inherently difficult for a fuzzer to discover such stateful bugs. A key
challenge in fuzzing stateful systems, therefore, is to cover the state space
without an explicit specification of the protocol.
So, how can we help our fuzzer navigate an unknown state space? In our
analysis of the Top-50 most widely used open-source protocol implementations,
we found that every implementation uses state variables that are assigned named
constants (such as INIT, READY) to represent the current state. In this work,
we propose to automatically identify such state variables and track the
sequence of values assigned to them during fuzzing to produce a "map" of the
explored state space. Our stateful greybox fuzzing approach uses this map to
focus on the most promising regions of the code and state space.
Our experiments confirm that our stateful fuzzer discovers stateful bugs
twice as fast as the baseline greybox fuzzer that we extended. The state
sequence for an input is determined by the sequence of values assigned to the
state variables during its execution. Starting from the initial state, our
fuzzer exercises one order of magnitude more state sequences and covers the
same code two times faster than the baseline fuzzer. Our fuzzer found several
zero-day bugs in prominent protocol implementations, and 8 CVEs have been
assigned.
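The mechanism described above, as an added illustration that is not the paper's own code: a toy RTSP-like session handler whose state variable is instrumented so that every assignment is recorded, and a state-sequence map (hashed like a greybox coverage map) that tells the fuzzer whether an input reached a state sequence never seen before. The handler, the message names, the FNV-style hash and the map size are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Named constants assigned to the state variable, as in real protocol code. */
enum state { INIT, READY, PLAY };
static const char *STATE_NAMES[] = { "INIT", "READY", "PLAY" };

/* State-sequence map: one slot per hashed sequence (assumed size). */
#define MAP_SIZE 65536
static unsigned char seq_map[MAP_SIZE];

/* Sequence of values assigned to the state variable during one execution. */
#define MAX_SEQ 32
static enum state seq[MAX_SEQ];
static int seq_len;

/* Instrumentation hook inserted at every assignment to the identified state variable. */
static void track_state(enum state s) { if (seq_len < MAX_SEQ) seq[seq_len++] = s; }
#define SET_STATE(var, val) do { (var) = (val); track_state(val); } while (0)

/* Toy RTSP-like handler (constructed): INIT -SETUP-> READY -PLAY-> PLAY -TEARDOWN-> INIT.
 * Messages that are not valid in the current state are ignored. */
static enum state handle_session(const char *const *msgs, int n) {
    enum state st;
    seq_len = 0;
    SET_STATE(st, INIT);                        /* starting state is recorded too */
    for (int i = 0; i < n; i++) {
        if (st == INIT && strcmp(msgs[i], "SETUP") == 0)        SET_STATE(st, READY);
        else if (st == READY && strcmp(msgs[i], "PLAY") == 0)   SET_STATE(st, PLAY);
        else if (st == PLAY && strcmp(msgs[i], "TEARDOWN") == 0) SET_STATE(st, INIT);
    }
    return st;
}

/* Hash the recorded sequence into the map; returns 1 if this sequence is new,
 * i.e. the input deserves to be kept as a seed for further state exploration. */
static int record_sequence(void) {
    uint32_t h = 2166136261u;                   /* FNV-1a over the state values */
    for (int i = 0; i < seq_len; i++) { h ^= (uint32_t)seq[i]; h *= 16777619u; }
    uint32_t idx = h % MAP_SIZE;
    if (seq_map[idx]) return 0;
    seq_map[idx] = 1;
    return 1;
}

int main(void) {
    const char *const msgs[] = { "SETUP", "PLAY" };
    handle_session(msgs, 2);
    for (int i = 0; i < seq_len; i++) printf("%s%s", i ? " -> " : "", STATE_NAMES[seq[i]]);
    printf("  new=%d\n", record_sequence());   /* prints INIT -> READY -> PLAY  new=1 */
    return 0;
}
```

Replaying the same input yields the same sequence and is reported as not new, while an input that stops after SETUP produces the shorter prefix INIT -> READY, which the map counts as a distinct sequence.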