Dominik Maier, Otto Bittner, Marc Munier, Julian Beier (TU Berlin)

Common network protocol fuzzers use complex grammars for fuzzing clients and servers with a (semi-)correct input for the server. In contrast, feedback-guided fuzzers learn their way through the target and discover valid input on their own. However, their random mutations frequently destroy all stateful progress when they clobber necessary early communication packets. Deeper into the communication, it gets increasingly unlikely for a coverage-guided fuzzer like AFL++ to explore later stages in client-server communications. Even combinations of both approaches require considerable manual effort for seed and grammar generation, even though sound input sources for servers already exist: their respective clients. In this paper, we present FitM, the Fuzzer in the Middle, a coverage-guided fuzzer for complex client-server interactions. To overcome issues of the State-of-the-Art, FitM emulates the network layer between client and host, fuzzing both server and client at the same time. Once FitM reaches a new step in a protocol, it uses CRIU’s userspace snapshots to checkpoint client and server to continue fuzzing this step in the protocol directly. The combination of domain knowledge gathered from the proper peer, with coverage guided snapshot fuzzing, allows FitM to explore the target extensively. At the same time, FitM reruns earlier snapshots in a probabilistic manner, effectively fuzzing the state space. We show that FitM can reach greater depth than previous tools by comparing found basic blocks, the number of client-server interactions, and execution speed. Based on AFL++’s qemuafl, FitM is an effective and low-effort binary only fuzzer for network protocols, that uncovered overflows in the GNU Inetutils FTP client with minimum effort.

View More Papers

Fooling the Eyes of Autonomous Vehicles: Robust Physical Adversarial...

Wei Jia (School of Cyber Science and Engineering, Huazhong University of Science and Technology), Zhaojun Lu (School of Cyber Science...

Read More

Hiding My Real Self! Protecting Intellectual Property in Additive...

Sizhuang Liang (Georgia Institute of Technology), Saman Zonouz (Rutgers University), Raheem Beyah (Georgia Institute of Technology)

Read More

Demo #8: Identifying Drones Based on Visual Tokens

Ben Nassi (Ben-Gurion University of the Negev), Elad Feldman (Ben-Gurion University of the Negev), Aviel Levy (Ben-Gurion University of the...

Read More

WIP: On Robustness of Lane Detection Models to Physical-World...

Takami Sato (UC Irvine) and Qi Alfred Chen (UC Irvine)

Read More