BBFuzz: A protocol fuzzing scheme based on input structure awareness
Cite this article: WENG Song-Wei, JIA Peng, ZHOU An-Min. BBFuzz: A protocol fuzzing scheme based on input structure awareness [J]. Journal of Sichuan University (Natural Science Edition), 2024, 61(1): 013002.
Authors: WENG Song-Wei, JIA Peng, ZHOU An-Min
Institution: College of Cyber Science and Engineering, Sichuan University (all authors)
Funding: National Key Research and Development Program of China (2021YFB3101803)
Abstract: Almost every system that needs to communicate depends on protocol design. If the protocol stack contains a vulnerability, an attacker can achieve denial of service, information theft or even remote code execution in a zero-click manner. Protocol messages carry structure, semantics and timing, which makes it hard for general-purpose fuzzers to test a server effectively. In recent years there has been a good deal of work on grey-box protocol fuzzing, of which AFLNET is the most representative; however, the coverage these tools reach over the server state machine depends on how broad the initial seed set is. This paper first analyzes why AFLNET cannot properly handle binary-format protocols, then proposes BBFuzz, a protocol fuzzer that generates test cases from a manually written data model. Starting from a single initial input, BBFuzz can quickly supply the seed queue with many interesting seed files, and these seeds cover the server's states fairly comprehensively. BBFuzz also supports fuzzing both kinds of protocols, human-readable ASCII formats and binary formats. We implemented BBFuzz support for the RTMP protocol and evaluated BBFuzz on the RTMP modules of two well-known streaming media software packages. The results show that BBFuzz outperforms AFLNET on both map density and paths. In the RTMP modules we found one real vulnerability each in ZLMediaKit and media-server, and both have been assigned CVE identifiers rated HIGH.

Keywords: fuzzing; protocol fuzzing; software testing; protocol security
Received: 5 January 2023
Revised: 21 March 2023

BBFuzz: A protocol fuzzing tool combined with input structure-aware
WENG Song-Wei, JIA Peng, ZHOU An-Min. BBFuzz: A protocol fuzzing tool combined with input structure-aware [J]. Journal of Sichuan University (Natural Science Edition), 2024, 61(1): 013002.
Authors: WENG Song-Wei, JIA Peng, ZHOU An-Min
Institution: College of Cyber Science and Engineering, Sichuan University (all authors)
Abstract: Almost all systems that need to communicate depend on protocol design. If the protocol stack is vulnerable, attackers can achieve denial of service, data theft and even remote code execution in a zero-click manner. Protocol messages often carry structure, semantics and timing, which makes it challenging for general-purpose fuzzers to fuzz a server effectively. In recent years there has been much research on grey-box protocol fuzzing, among which AFLNET is representative. However, the coverage these tools achieve over the server state machine depends on the coverage of the initial seed corpus. In this paper, we first analyze the defects of AFLNET in handling binary-format protocols and propose BBFuzz, a protocol fuzzer that generates test cases from manually written data models. Even with only one initial input, BBFuzz can quickly provide many interesting seed files for the seed queue, and these seeds cover the server's states more comprehensively. BBFuzz also supports fuzzing both types of protocols, human-readable ASCII formats and binary formats. We implemented BBFuzz's support for the RTMP protocol and evaluated BBFuzz on the RTMP modules of two well-known streaming media software packages. Our evaluation shows that BBFuzz outperforms AFLNET on both map density and paths. In the RTMP modules we found two real vulnerabilities, one in ZLMediaKit and one in media-server, and both have been assigned CVE numbers classified as HIGH.
Keywords:Fuzzing  Protocol fuzzing  Software testing  Protocol security
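The abstract's core idea is that a hand-written data model, rather than byte-level mutation of a seed corpus, lets a fuzzer expand one initial input into many structurally valid seeds for a binary protocol. The following added example (not BBFuzz's own code or data model) sketches that idea for the RTMP C0+C1 client handshake, whose layout is taken from the RTMP specification: C0 is the single version byte 3 and C1 is 1536 bytes of time (u32 big-endian), four zero bytes and 1528 free bytes; the `Field` model, `parse`, `serialize` and `expand_seeds` are illustrative constructs.

```python
# Constructed illustration of a hand-written data model driving seed generation for
# the RTMP C0+C1 client handshake; not BBFuzz's own code or data model. Layout per
# the RTMP spec: C0 = version byte 3; C1 = time (u32 BE) + 4 zero bytes + 1528 random.
import random
import struct
from collections import namedtuple

# kind is "const" (fixed bytes), "u32" (big-endian integer) or "blob" (free bytes).
Field = namedtuple("Field", "name size kind const", defaults=(b"",))

RTMP_C0C1_MODEL = [
    Field("version", 1, "const", b"\x03"),
    Field("time", 4, "u32"),
    Field("zero", 4, "const", b"\x00" * 4),
    Field("random", 1528, "blob"),
]

def parse(model, data):
    """Split raw bytes into named fields; raise ValueError if the structure is violated."""
    if len(data) != sum(f.size for f in model):
        raise ValueError("length mismatch")
    fields, off = {}, 0
    for f in model:
        chunk = data[off:off + f.size]
        if f.kind == "const" and chunk != f.const:
            raise ValueError(f"bad constant in field {f.name}")
        fields[f.name] = struct.unpack(">I", chunk)[0] if f.kind == "u32" else chunk
        off += f.size
    return fields

def serialize(model, fields):
    out = bytearray()  # inverse of parse: re-encode named fields per the model
    for f in model:
        out += struct.pack(">I", fields[f.name]) if f.kind == "u32" else fields[f.name]
    return bytes(out)

def expand_seeds(model, initial, count, seed=1):
    """Derive `count` seeds from one input, mutating only non-constant fields within type."""
    rng = random.Random(seed)
    base = parse(model, initial)
    seeds = []
    for _ in range(count):
        fields = dict(base)
        for f in model:
            if f.kind == "u32":  # boundary values plus a random one
                fields[f.name] = rng.choice([0, 1, 0xFFFFFFFF, rng.getrandbits(32)])
            elif f.kind == "blob":
                fields[f.name] = rng.randbytes(f.size)
        seeds.append(serialize(model, fields))
    return seeds
```

Every seed returned still parses against the model, whereas a blind byte flip of the version byte would be rejected by `parse`, which is the structural constraint a generic mutator does not know about.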