Cite this article:
- Chinese citation: ZHOU Yi, XU Mingjie, CHEN Jingting, LI Ping, LI Feng, HUO Wei. RFCFuzz: An RFC-guided network protocol fuzzing method [J]. Journal of Cyber Security (信息安全学报), accepted.
- English citation: ZHOU Yi, XU Mingjie, CHEN Jingting, LI Ping, LI Feng, HUO Wei. RFCFuzz: An RFC-guided network protocol fuzzing method [J]. Journal of Cyber Security, accepted.
Abstract:
Current fuzzing of network protocols usually adopts generation-based black-box testing. Such methods not only depend on the user writing configuration files that describe packet formats, mutation strategies and monitoring strategies, but also have difficulty triggering deep vulnerabilities in protocol implementations and monitoring implicit anomalies such as information leakage and authentication bypass. This paper proposes a network protocol fuzzing method guided by the protocol's RFC standard documents (RFCFuzz for short). Using the packet format information, the relationships between packets and between fields, and the response information extracted or inferred from the public RFC documents of the protocol under test, the method guides the automatic generation of the fuzzing configuration file, the selection of packet mutation strategies and the monitoring of implicit abnormal behaviour, which effectively mitigates the reliance on hand-written configuration files and the difficulty of triggering and monitoring deep vulnerabilities. A prototype network protocol fuzzing system, RFCFuzz@VARAS, was implemented based on this method. On historical versions of 13 implementations of three common basic protocols, the Domain Name System (DNS), the Dynamic Host Configuration Protocol (DHCP) and the Border Gateway Protocol (BGP), it finds known vulnerabilities 17 times faster on average than Boofuzz using the same configuration files, and it found 3 previously unpublished defects in the latest versions of Knot, NSD and Bird.
Keywords: network protocol; fuzzing; RFC documents
DOI: 10.19363/J.cnki.cn10-1380/tn.2024.02.09
Received: 2021-12-27; Revised: 2022-02-26
Funding: National Natural Science Foundation of China (General Program, Key Program, Major Program)
RFCFuzz: An RFC-guided network protocol fuzzing method
ZHOU Yi, XU Mingjie, CHEN Jingting, LI Ping, LI Feng, HUO Wei

(Institute of Information Engineering, CAS)
Abstract:
Recent network protocol fuzzing methods usually adopt a generation-based black-box testing technique. These methods rely heavily on human effort to write configuration files that describe the network packet formats each protocol may accept, the mutation strategies chosen for each packet field, and the strategies for monitoring abnormal behaviours during fuzzing. They also have difficulty triggering deep vulnerabilities in network protocol implementations and monitoring implicit abnormal behaviours such as information leakage or authentication bypass. In this paper, we propose an RFC-guided network protocol fuzzing method (abbr. RFCFuzz). For a given protocol implementation, our method extracts or deduces the following information from its Request for Comment (RFC) standard documents: the format of each network packet, the relationships among packet fields and among different packet types, and the expected response when a certain type of packet is received. The method then uses this information to automatically generate a configuration file, choose mutation strategies for each packet field, and guide the monitoring of implicit abnormal behaviours during fuzzing. In this way, we reduce the human effort spent on writing configuration files and improve the efficiency of triggering and monitoring deep vulnerabilities when fuzzing a network protocol implementation. Based on this method, we implemented a prototype named RFCFuzz@VARA and demonstrated its efficacy by applying it to 13 historical implementations of 3 popular basic network protocols: the Domain Name System (DNS), the Dynamic Host Configuration Protocol (DHCP) and the Border Gateway Protocol (BGP). Compared with Boofuzz, a state-of-the-art generation-based fuzzer, RFCFuzz@VARA improved the efficiency of detecting known vulnerabilities in these implementations by 17 times on average using the same configuration files generated by our method. We also found 3 unknown defects in the latest versions of three of the above protocol implementations (Knot, NSD and Bird, respectively).
Key words: network protocol; fuzzing; Request for Comment (RFC)
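As an added illustration of the pipeline the abstract describes (not code from the paper or the RFCFuzz prototype): an RFC 1035 header layout stands in for an RFC-extracted format description, mutation values are derived from the field widths in that layout rather than from a hand-written config, and replies are checked against the RFC's response rules so that implicit anomalies are flagged even when nothing crashes. The layout table, field names and check messages are constructed for this example.

```python
# Assumption: a constructed stand-in for an RFC-extracted format description
# (field name, bit width) following RFC 1035 section 4.1.1; not RFCFuzz's format.
DNS_HEADER_FIELDS = [
    ("id", 16), ("qr", 1), ("opcode", 4), ("aa", 1), ("tc", 1), ("rd", 1),
    ("ra", 1), ("z", 3), ("rcode", 4), ("qdcount", 16), ("ancount", 16),
    ("nscount", 16), ("arcount", 16),
]

def pack_header(values):
    """Pack named field values MSB-first into the 12-byte DNS header."""
    bits = 0
    for name, width in DNS_HEADER_FIELDS:
        v = values.get(name, 0)
        if not 0 <= v < (1 << width):
            raise ValueError(f"{name} does not fit in {width} bits")
        bits = (bits << width) | v
    return bits.to_bytes(12, "big")

def unpack_header(data):
    """Inverse of pack_header; a reply shorter than 12 bytes is itself an anomaly."""
    if len(data) < 12:
        raise ValueError("short header")
    bits, fields = int.from_bytes(data[:12], "big"), {}
    for name, width in reversed(DNS_HEADER_FIELDS):
        fields[name] = bits & ((1 << width) - 1)
        bits >>= width
    return fields

def mutations_for(field):
    """Boundary values derived from the field's RFC-defined width (format picks strategy)."""
    w = dict(DNS_HEADER_FIELDS)[field]
    return sorted({0, 1, 1 << (w - 1), (1 << w) - 1})

def mutated_queries(base, field):
    """One packet per boundary value of `field`; the other fields stay well-formed."""
    return [pack_header({**base, field: v}) for v in mutations_for(field)]

def check_response(query, response):
    """Monitor for implicit anomalies using RFC 1035 response rules instead of
    crashes: a reply must echo the ID, set QR=1 and keep the reserved Z bits zero."""
    try:
        r = unpack_header(response)
    except ValueError as e:
        return [str(e)]
    q = unpack_header(query)
    checks = [(r["id"] == q["id"], "id not echoed"),
              (r["qr"] == 1, "qr flag not set"),
              (r["z"] == 0, "reserved z bits set")]
    return [msg for ok, msg in checks if not ok]
```

The same shape generalises to DHCP or BGP by swapping in that protocol's RFC-derived field table and response rules; the mutation and monitoring code stays unchanged.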