StateAFL: Greybox Fuzzing for Stateful Network Servers

12 Oct 2021  ·  Roberto Natella ·

Fuzzing network servers is a technical challenge, since the behavior of the target server depends on its state over a sequence of multiple messages. Existing solutions are costly and difficult to use, as they rely on manually-customized artifacts such as protocol models, protocol parsers, and learning frameworks... The aim of this work is to develop a greybox fuzzer for network servers that only relies on lightweight analysis of the target program, with no manual customization, in a similar way to what the AFL fuzzer achieved for stateless programs. The proposed fuzzer instruments the target server at compile-time, to insert probes on memory allocations and network I/O operations. At run-time, it infers the current protocol state of the target by analyzing snapshots of long-lived memory areas, and incrementally builds a protocol state machine for guiding fuzzing. The experimental results show that the fuzzer can be applied with no manual customization on a large set of network servers for popular protocols, and that it can achieve comparable, or even better code coverage than customized fuzzing. Moreover, our qualitative analysis shows that states inferred from memory better reflect the server behavior than only using response codes from messages. read more

PDF Abstract


Cryptography and Security Operating Systems Software Engineering


  Add Datasets introduced or used in this paper