Dominik Maier, Otto Bittner, Marc Munier, Julian Beier (TU Berlin)

Common network protocol fuzzers use complex grammars for fuzzing clients and servers with a (semi-)correct input for the server. In contrast, feedback-guided fuzzers learn their way through the target and discover valid input on their own. However, their random mutations frequently destroy all stateful progress when they clobber necessary early communication packets. Deeper into the communication, it gets increasingly unlikely for a coverage-guided fuzzer like AFL++ to explore later stages in client-server communications. Even combinations of both approaches require considerable manual effort for seed and grammar generation, even though sound input sources for servers already exist: their respective clients. In this paper, we present FitM, the Fuzzer in the Middle, a coverage-guided fuzzer for complex client-server interactions. To overcome issues of the State-of-the-Art, FitM emulates the network layer between client and host, fuzzing both server and client at the same time. Once FitM reaches a new step in a protocol, it uses CRIU’s userspace snapshots to checkpoint client and server to continue fuzzing this step in the protocol directly. The combination of domain knowledge gathered from the proper peer, with coverage guided snapshot fuzzing, allows FitM to explore the target extensively. At the same time, FitM reruns earlier snapshots in a probabilistic manner, effectively fuzzing the state space. We show that FitM can reach greater depth than previous tools by comparing found basic blocks, the number of client-server interactions, and execution speed. Based on AFL++’s qemuafl, FitM is an effective and low-effort binary only fuzzer for network protocols, that uncovered overflows in the GNU Inetutils FTP client with minimum effort.

View More Papers

What Storage? An Empirical Analysis of Web Storage in...

Zubair Ahmad (Università Ca’ Foscari Venezia), Samuele Casarin (Università Ca’ Foscari Venezia), and Stefano Calzavara (Università Ca’ Foscari Venezia)

Read More

Transparency Dictionaries with Succinct Proofs of Correct Operation

Ioanna Tzialla (New York University), Abhiram Kothapalli (Carnegie Mellon University), Bryan Parno (Carnegie Mellon University), Srinath Setty (Microsoft Research)

Read More

ROV-MI: Large-Scale, Accurate and Efficient Measurement of ROV Deployment

Wenqi Chen (Tsinghua University), Zhiliang Wang (Tsinghua University), Dongqi Han (Tsinghua University), Chenxin Duan (Tsinghua University), Xia Yin (Tsinghua University), Jiahai Yang (Tsinghua University), Xingang Shi (Tsinghua University)

Read More

Demo: A Simulator for Cooperative and Automated Driving Security

Mohammed Lamine Bouchouia (Telecom Paris - Institut Polytechnique de Paris), Jean-Philippe Monteuuis (Qualcomm), Houda Labiod (Telecom Paris - Institut Polytechnique de Paris), Ons Jelassi, Wafa Ben Jaballah (Thales) and Jonathan Petit (Telecom Paris - Institut Polytechnique de Paris)

Read More