SNPSFuzzer: A Fast Greybox Fuzzer for Stateful Network Protocols using Snapshots
Junqiang Li, Senyi Li, Gang Sun, Ting Chen, and Hongfang Yu

TL;DR
SNPSFuzzer is a greybox fuzzer that snapshots and restores a stateful network protocol program's context instead of replaying a message prefix before every test case, which makes fuzzing of deep protocol states faster and improves path coverage over prior protocol fuzzers; it also uncovered a previously unknown vulnerability in Tinydtls.
Contribution
The paper introduces SNPSFuzzer, a fast greybox fuzzer utilizing snapshots for stateful network protocols, enhancing speed and depth of fuzzing compared to prior approaches.
Findings
Increases fuzzing speed by up to 168.9%.
Improves path coverage by up to 27.5%.
Uncovered a new vulnerability in Tinydtls.
Abstract
Greybox fuzzing has been widely used on stateless programs and has achieved great success. However, most state-of-the-art greybox fuzzers are slow and reach only shallow state depth when fuzzing stateful network protocol programs, which remember and store details of earlier interactions. Existing greybox fuzzers for network protocol programs first send a well-defined prefix sequence of input messages and then send mutated messages to test the target state of a stateful network protocol; repeating that prefix for every test case incurs a high time cost. In this paper, we propose SNPSFuzzer, a fast greybox fuzzer for stateful network protocols using snapshots. SNPSFuzzer dumps the context information when the network protocol program is in a specific state and restores it when that state needs to be fuzzed. Furthermore, we design a…
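The trade-off the abstract describes, as an added example that is neither SNPSFuzzer's code nor any real protocol: a constructed toy stateful server (INIT, GREETED, AUTHED), a deliberately out-of-bounds DATA handler that stands in for a memory-safety crash, and two fuzz loops that target the same deep state. The prefix-replay loop restarts the server and resends the two-message prefix before every mutated message; the snapshot loop drives the server into the target state once, dumps its context, and restores it per test case. `ToyServer`, `PREFIX`, `fuzz_with_prefix_replay` and `fuzz_with_snapshot` are names chosen for this illustration, and `copy.deepcopy` is a stand-in for the process-level context dump and restore the paper builds; the seed message and mutation are constructed inputs.

```python
import copy
import random

# Constructed toy stateful protocol (not a real protocol):
#   INIT --HELLO--> GREETED --AUTH secret--> AUTHED --DATA <len>--> AUTHED
class ToyServer:
    def __init__(self):
        self.state = "INIT"
        self.session_key = None
        self.buffer = bytearray(16)

    def handle(self, msg: bytes) -> str:
        cmd, _, arg = msg.partition(b" ")
        if self.state == "INIT":
            if cmd == b"HELLO":
                self.state = "GREETED"
                return "OK"
            return "ERR"
        if self.state == "GREETED":
            if cmd == b"AUTH" and arg == b"secret":
                self.state = "AUTHED"
                self.session_key = 0x42
                return "OK"
            return "ERR"
        if self.state == "AUTHED":
            if cmd == b"DATA":
                # Deliberate bug: the client-supplied length is trusted, so a
                # length above 16 writes past the buffer (IndexError = "crash").
                length = arg[0] if arg else 0
                for i in range(length):
                    self.buffer[i] = 0
                return "OK"
            if cmd == b"BYE":
                self.state = "INIT"
                return "OK"
            return "ERR"
        return "ERR"


# Message prefix that drives the server into the target state AUTHED (assumed).
PREFIX = [b"HELLO", b"AUTH secret"]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Single-byte overwrite mutation; deterministic for a given rng."""
    data = bytearray(seed)
    data[rng.randrange(len(data))] = rng.randrange(256)
    return bytes(data)


def deliver(server: ToyServer, msg: bytes, coverage: set) -> bool:
    """Send one message, record the (state, command) edge, report a crash."""
    coverage.add((server.state, msg.split(b" ", 1)[0]))
    try:
        server.handle(msg)
    except IndexError:
        return True
    return False


def fuzz_with_prefix_replay(iterations, seed_msg=b"DATA \x05", rng_seed=1):
    """Prior approach: fresh server plus full prefix replay per test case."""
    rng, sent, crashes, coverage = random.Random(rng_seed), 0, [], set()
    for _ in range(iterations):
        server = ToyServer()
        for m in PREFIX:
            server.handle(m)
            sent += 1
        msg = mutate(seed_msg, rng)
        sent += 1
        if deliver(server, msg, coverage):
            crashes.append(msg)
    return {"messages_sent": sent, "crashes": crashes, "coverage": coverage}


def fuzz_with_snapshot(iterations, seed_msg=b"DATA \x05", rng_seed=1):
    """Snapshot approach: reach the target state once, restore per test case."""
    rng, sent, crashes, coverage = random.Random(rng_seed), 0, [], set()
    server = ToyServer()
    for m in PREFIX:
        server.handle(m)
        sent += 1
    snapshot = copy.deepcopy(server)  # dump the context in state AUTHED
    for _ in range(iterations):
        server = copy.deepcopy(snapshot)  # restore instead of replaying PREFIX
        msg = mutate(seed_msg, rng)
        sent += 1
        if deliver(server, msg, coverage):
            crashes.append(msg)
    return {"messages_sent": sent, "crashes": crashes, "coverage": coverage}


if __name__ == "__main__":
    replay, snap = fuzz_with_prefix_replay(200), fuzz_with_snapshot(200)
    print("prefix replay sent", replay["messages_sent"], "messages,",
          len(replay["crashes"]), "crashes")
    print("snapshot sent", snap["messages_sent"], "messages,",
          len(snap["crashes"]), "crashes")
```

With the same RNG seed both loops generate the same mutations and therefore find the same crashing inputs and the same edges, but the replay loop sends three messages per test case while the snapshot loop sends one; the saving grows linearly with the depth of the target state. In a real target the snapshot must capture more than Python object state (sockets, timers, randomness consumed during the handshake), which is the engineering the paper addresses.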
Taxonomy
Topics: Software Testing and Debugging Techniques · Software System Performance and Reliability · Software Engineering Research
