Dominik Maier, Otto Bittner, Marc Munier, Julian Beier (TU Berlin)

Common network protocol fuzzers use complex grammars for fuzzing clients and servers with a (semi-)correct input for the server. In contrast, feedback-guided fuzzers learn their way through the target and discover valid input on their own. However, their random mutations frequently destroy all stateful progress when they clobber necessary early communication packets. Deeper into the communication, it gets increasingly unlikely for a coverage-guided fuzzer like AFL++ to explore later stages in client-server communications. Even combinations of both approaches require considerable manual effort for seed and grammar generation, even though sound input sources for servers already exist: their respective clients. In this paper, we present FitM, the Fuzzer in the Middle, a coverage-guided fuzzer for complex client-server interactions. To overcome issues of the State-of-the-Art, FitM emulates the network layer between client and host, fuzzing both server and client at the same time. Once FitM reaches a new step in a protocol, it uses CRIU’s userspace snapshots to checkpoint client and server to continue fuzzing this step in the protocol directly. The combination of domain knowledge gathered from the proper peer, with coverage guided snapshot fuzzing, allows FitM to explore the target extensively. At the same time, FitM reruns earlier snapshots in a probabilistic manner, effectively fuzzing the state space. We show that FitM can reach greater depth than previous tools by comparing found basic blocks, the number of client-server interactions, and execution speed. Based on AFL++’s qemuafl, FitM is an effective and low-effort binary only fuzzer for network protocols, that uncovered overflows in the GNU Inetutils FTP client with minimum effort.

View More Papers

Explainable AI in Cybersecurity Operations: Lessons Learned from xAI...

Megan Nyre-Yu (Sandia National Laboratories), Elizabeth S. Morris (Sandia National Laboratories), Blake Moss (Sandia National Laboratories), Charles Smutz (Sandia National Laboratories), Michael R. Smith (Sandia National Laboratories)

Read More

An In-depth Analysis of Duplicated Linux Kernel Bug Reports

Dongliang Mu (Huazhong University of Science and Technology), Yuhang Wu (Pennsylvania State University), Yueqi Chen (Pennsylvania State University), Zhenpeng Lin (Pennsylvania State University), Chensheng Yu (George Washington University), Xinyu Xing (Pennsylvania State University), Gang Wang (University of Illinois at Urbana-Champaign)

Read More

Demo #7: A Simulator for Cooperative and Automated Driving...

Mohammed Lamine Bouchouia (Telecom Paris - Institut Polytechnique de Paris), Jean-Philippe Monteuuis (Qualcomm Technologies Inc), Houda Labiod (Telecom Paris - Institut Polytechnique de Paris), Ons Jelassi (Telecom Paris - Institut Polytechnique de Paris), Wafa Ben Jaballah (Thales) and Jonathan Petit (Qualcomm Technologies Inc)

Read More

Generation of CAN-based Wheel Lockup Attacks on the Dynamics...

Alireza Mohammadi (University of Michigan-Dearborn), Hafiz Malik (University of Michigan-Dearborn) and Masoud Abbaszadeh (GE Global Research)

Read More