
protocol-fuzzing/stateful-fuzzing

Stateful Fuzzing

This project gathers tools for state-aware fuzzing of communication protocols. The technique used here consists of two steps:

  • first, an automaton representing the SUT (System Under Test) is learned,
  • then this model is used to drive the fuzzing.

Each stage is performed inside a controlled environment, i.e. a Docker container. This keeps the two steps consistent with each other and should produce better results.

The only protocol supported so far is DTLS.

The learning step is carried out by DTLS-Fuzzer. The fuzzing can be carried out by the following fuzzers (for comparison):

The fuzzing step is integrated into an extension of ProFuzzBench.

Workflow

0. Build the Docker image for DTLS-Fuzzer

Run:

cd dtls-fuzzer
docker build -t dtls-fuzzer .

See dtls-fuzzer/README.md for more information.

1. Fuzz with AFLNet or StateAFL

1.1 Produce some seeds

Use the script df_concretize_seeds.sh in the subfolder dtls-fuzzer. See dtls-fuzzer/README.md for more information.

1.2 Copy the seeds in the fuzzing docker

  • For AFLNet, copy the *.raw files from the concretized seeds folder to the corresponding folder in ProFuzzBench: profuzzbench/subjects/DTLS/[SUT]/in-dtls/. Then build the Docker image of the target SUT:

    cd profuzzbench/subjects/DTLS/[SUT]/
    docker build -t profuzz-[SUT] .

  • For StateAFL, copy the *.replay files from the concretized seeds folder to the corresponding folder in ProFuzzBench: profuzzbench/subjects/DTLS/[SUT]/in-dtls-replay/. Then build the Docker image of the target SUT:

    cd profuzzbench/subjects/DTLS/[SUT]/
    docker build -t profuzz-[SUT]-stateafl . -f Dockerfile-stateafl

1.3 Fuzz

Use the ProFuzzBench script to run the fuzzing, for example:

cd profuzzbench
source profuzz-init.sh
profuzzbench_exec_common.sh profuzz-openssl-1.1.1 4 results-openssl-1.1.1/20230629/ aflnet out-openssl-aflnet "-P DTLS12 -D 10000 -q 3 -s 3 -E -K -R -W 20 -m none -t 1000+" 172800 5

See profuzzbench/README.md for more information.

2. Fuzz with AFL-ML

2.1 Learn the state machine model

Use the script df_learn_automata.sh in the subfolder dtls-fuzzer. See dtls-fuzzer/README.md for more information.

2.2 Concretize seeds

Use the script df_concretize_automata.sh in the subfolder dtls-fuzzer. See dtls-fuzzer/README.md for more information.

2.3 Copy the seeds in the fuzzing docker

Copy the *.replay and *.length files from the concretized seeds folder to the corresponding folder in ProFuzzBench: profuzzbench/subjects/DTLS/[SUT]/in-dtls-aflml/. Then build the Docker image of the target SUT:

cd profuzzbench/subjects/DTLS/[SUT]/
docker build -t profuzz-[SUT] . -f Dockerfile

2.4 Fuzz

Use the ProFuzzBench script to fuzz, for example:

cd profuzzbench
source profuzz-init.sh
profuzzbench_exec_common.sh profuzz-etinydtls 4 results-etinydtls/20230704/ aflml out-etinydtls-aflml "-P DTLS12 -D 10000 -q 3 -s 3 -E -K -R -W 30 -m none -t 1000+" 172800 5

See profuzzbench/README.md for more information.
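The seed-staging rules of steps 1.2 and 2.3 collected in one helper, as an added example that is not part of this repository. It assumes a concretized seeds folder, a local ProFuzzBench checkout, and the fuzzer names aflnet, stateafl and aflml as used in the workflow above; it refuses to stage an empty corpus, since a DTLS fuzzer without a single valid handshake trace has nothing to mutate.

```shell
# stage_seeds: copy concretized seeds into the ProFuzzBench subject folder
# expected by the chosen fuzzer (mapping taken from the workflow above).
set -u

# Seed file extensions each fuzzer consumes (space separated).
seed_exts() {
    case "$1" in
        aflnet)   echo "raw" ;;
        stateafl) echo "replay" ;;
        aflml)    echo "replay length" ;;
        *) echo "unknown fuzzer: $1" >&2; return 1 ;;
    esac
}

# Subject subfolder the seeds go into.
seed_dir() {
    case "$1" in
        aflnet)   echo "in-dtls" ;;
        stateafl) echo "in-dtls-replay" ;;
        aflml)    echo "in-dtls-aflml" ;;
        *) echo "unknown fuzzer: $1" >&2; return 1 ;;
    esac
}

# docker build invocation for the subject, as given in the workflow
# (-f Dockerfile is the default, so aflnet and aflml share one form).
build_cmd() {
    case "$1" in
        stateafl)     echo "docker build -t profuzz-$2-stateafl . -f Dockerfile-stateafl" ;;
        aflnet|aflml) echo "docker build -t profuzz-$2 . -f Dockerfile" ;;
        *) echo "unknown fuzzer: $1" >&2; return 1 ;;
    esac
}

# stage_seeds FUZZER SUT SEEDS_DIR PROFUZZBENCH_DIR
# Copies matching seeds, prints how many were staged, fails if none matched.
stage_seeds() {
    local fuzzer=$1 sut=$2 src=$3 pfb=$4 sub dest ext f n=0
    sub=$(seed_dir "$fuzzer") || return 1
    dest="$pfb/subjects/DTLS/$sut/$sub"
    mkdir -p "$dest"
    for ext in $(seed_exts "$fuzzer"); do
        for f in "$src"/*."$ext"; do
            [ -e "$f" ] || continue          # unmatched glob stays literal
            cp "$f" "$dest/" && n=$((n + 1))
        done
    done
    [ "$n" -gt 0 ] || { echo "no seeds for $fuzzer in $src" >&2; return 1; }
    echo "$n"
}
```

Source the file, then run e.g. `stage_seeds aflml etinydtls path/to/concretized-seeds path/to/profuzzbench && eval "$(build_cmd aflml etinydtls)"` from the subject directory.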
