Network function virtualization provides programmable in-network middlewares by leveraging virtualization tech-nologies and commodity hardware and has gained popularity among all mainstream network device manufacturer...Network function virtualization provides programmable in-network middlewares by leveraging virtualization tech-nologies and commodity hardware and has gained popularity among all mainstream network device manufacturers.Yet it is challenging to apply coverage-guided fuzzing,one of the state-of-the-art vulnerability discovery approaches,to those virtualized network devices,due to inevitable integrity protection adopted by those devices.In this paper,we propose a coverage-guided fuzzing framework NDFuzz for virtualized network devices with a novel integrity protec-tion bypassing method,which is able to distinguish processes of virtualized network devices from hypervisors with a carefully designed non-intrusive page global directory inference technique.We implement NDFuzz atop of two black-box fuzzers and evaluate NDFuzz with three representative network protocols,SNMP,DHCP and NTP,on nine popular virtualized network devices.NDFuzz obtains an average 36%coverage improvement in comparison with its black-box counterparts.NDFuzz discovers 2 O-Day vulnerabilities and 11-Day vulnerability with coverage guidance while the black-box fuzzer can find only one of them.All discovered vulnerabilities are confirmed by corresponding vendors.展开更多
Mutation-based greybox fuzzing has been one of the most prevalent techniques for security vulnerability discovery and a great deal of research work has been proposed to improve both its efficiency and effectiveness.Mu...Mutation-based greybox fuzzing has been one of the most prevalent techniques for security vulnerability discovery and a great deal of research work has been proposed to improve both its efficiency and effectiveness.Mutation-based greybox fuzzing generates input cases by mutating the input seed,i.e.,applying a sequence of mutation operators to randomly selected mutation positions of the seed.However,existing fruitful research work focuses on scheduling mutation operators,leaving the schedule of mutation positions as an overlooked aspect of fuzzing efficiency.This paper proposes a novel greybox fuzzing method,PosFuzz,that statistically schedules mutation positions based on their historical performance.PosFuzz makes use of a concept of effective position distribution to represent the semantics of the input and to guide the mutations.PosFuzz first utilizes Good-Turing frequency estimation to calculate an effective position distribution for each mutation operator.It then leverages two sampling methods in different mutating stages to select the positions from the distribution.We have implemented PosFuzz on top of AFL,AFLFast and MOPT,called Pos-AFL,-AFLFast and-MOPT respectively,and evaluated them on the UNIFUZZ benchmark(20 widely used open source programs)and LAVA-M dataset.The result shows that,under the same testing time budget,the Pos-AFL,-AFLFast and-MOPT outperform their counterparts in code coverage and vulnerability discovery ability.Compared with AFL,AFLFast,and MOPT,PosFuzz gets 21%more edge coverage and finds 133%more paths on average.It also triggers 275%more unique bugs on average.展开更多
基金This work is supported in part by Chinese National Natural Science Foundation(61802394,U1836209,62032010)Strategic Priority Research Program of theCAS(XDC02040100)。
文摘Network function virtualization provides programmable in-network middlewares by leveraging virtualization tech-nologies and commodity hardware and has gained popularity among all mainstream network device manufacturers.Yet it is challenging to apply coverage-guided fuzzing,one of the state-of-the-art vulnerability discovery approaches,to those virtualized network devices,due to inevitable integrity protection adopted by those devices.In this paper,we propose a coverage-guided fuzzing framework NDFuzz for virtualized network devices with a novel integrity protec-tion bypassing method,which is able to distinguish processes of virtualized network devices from hypervisors with a carefully designed non-intrusive page global directory inference technique.We implement NDFuzz atop of two black-box fuzzers and evaluate NDFuzz with three representative network protocols,SNMP,DHCP and NTP,on nine popular virtualized network devices.NDFuzz obtains an average 36%coverage improvement in comparison with its black-box counterparts.NDFuzz discovers 2 O-Day vulnerabilities and 11-Day vulnerability with coverage guidance while the black-box fuzzer can find only one of them.All discovered vulnerabilities are confirmed by corresponding vendors.
基金This research was supported by National Key R&D Program of China(2022YFB3103900)National Natural Science Foundation of China(62032010,62202462)Strategic Priority Research Program of the CAS(XDC02030200).
文摘Mutation-based greybox fuzzing has been one of the most prevalent techniques for security vulnerability discovery and a great deal of research work has been proposed to improve both its efficiency and effectiveness.Mutation-based greybox fuzzing generates input cases by mutating the input seed,i.e.,applying a sequence of mutation operators to randomly selected mutation positions of the seed.However,existing fruitful research work focuses on scheduling mutation operators,leaving the schedule of mutation positions as an overlooked aspect of fuzzing efficiency.This paper proposes a novel greybox fuzzing method,PosFuzz,that statistically schedules mutation positions based on their historical performance.PosFuzz makes use of a concept of effective position distribution to represent the semantics of the input and to guide the mutations.PosFuzz first utilizes Good-Turing frequency estimation to calculate an effective position distribution for each mutation operator.It then leverages two sampling methods in different mutating stages to select the positions from the distribution.We have implemented PosFuzz on top of AFL,AFLFast and MOPT,called Pos-AFL,-AFLFast and-MOPT respectively,and evaluated them on the UNIFUZZ benchmark(20 widely used open source programs)and LAVA-M dataset.The result shows that,under the same testing time budget,the Pos-AFL,-AFLFast and-MOPT outperform their counterparts in code coverage and vulnerability discovery ability.Compared with AFL,AFLFast,and MOPT,PosFuzz gets 21%more edge coverage and finds 133%more paths on average.It also triggers 275%more unique bugs on average.
