Stateful Fuzzing

This project gathers tools for fuzzing communication protocols with a state-aware approach. The technique consists of two steps:

  • first, an automaton representing the SUT (System Under Test) is learned;
  • then this model is used to drive the fuzzing.

Each stage is performed inside a controlled environment, i.e. a Docker container. This keeps the two steps consistent with each other and should produce better results.

The only protocol supported so far is DTLS.

The learning step is carried out by DTLS-Fuzzer. The fuzzing can be carried out by the following fuzzers (for comparison):

The fuzzing step is integrated into an extension of ProFuzzBench.

Workflow

0 Build the Docker image for DTLS-Fuzzer

Run:

cd dtls-fuzzer
docker build -t dtls-fuzzer .

See dtls-fuzzer/README.md for more information.

1 Fuzz with AFLNet or StateAFL

1.1 Produce some seeds

Use the script df_concretize_seeds.sh in the dtls-fuzzer subfolder. See dtls-fuzzer/README.md for more information.

1.2 Copy the seeds into the fuzzing Docker image

  • For AFLNet, copy the *.raw files from the concretized seeds folder to the corresponding ProFuzzBench folder, profuzzbench/subjects/DTLS/[SUT]/in-dtls/, then build the Docker image of the target SUT:

    cd profuzzbench/subjects/DTLS/[SUT]/
    docker build -t profuzz-[SUT] .

  • For StateAFL, copy the *.replay files from the concretized seeds folder to the corresponding ProFuzzBench folder, profuzzbench/subjects/DTLS/[SUT]/in-dtls-replay/, then build the Docker image of the target SUT:

    cd profuzzbench/subjects/DTLS/[SUT]/
    docker build -t profuzz-[SUT]-stateafl . -f Dockerfile-stateafl

1.3 Fuzz

Use the ProFuzzBench script to run the fuzzing, for example:

cd profuzzbench
source profuzz-init.sh
profuzzbench_exec_common.sh profuzz-openssl-1.1.1 4 results-openssl-1.1.1/20230629/ aflnet out-openssl-aflnet "-P DTLS12 -D 10000 -q 3 -s 3 -E -K -R -W 20 -m none -t 1000+" 172800 5

See profuzzbench/README.md for more information.

2 Fuzz with AFL-ML

2.1 Learn the state machine model

Use the script df_learn_automata.sh in the dtls-fuzzer subfolder. See dtls-fuzzer/README.md for more information.

2.2 Concretize seeds

Use the script df_concretize_automata.sh in the dtls-fuzzer subfolder. See dtls-fuzzer/README.md for more information.

2.3 Copy the seeds into the fuzzing Docker image

Copy the *.replay and *.length files from the concretized seeds folder to the corresponding ProFuzzBench folder, profuzzbench/subjects/DTLS/[SUT]/in-dtls-aflml/, then build the Docker image of the target SUT:

cd profuzzbench/subjects/DTLS/[SUT]/
docker build -t profuzz-[SUT] . -f Dockerfile
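The seed-copy steps for AFLNet, StateAFL (1.2) and AFL-ML (2.3) each use a different file extension, input folder and image build command; the script below, an added example that is not part of DTLS-Fuzzer or ProFuzzBench, stages the seeds into the right folder, refuses an empty or incomplete seed set, and prints the matching build command. The rule that every .replay needs a same-named .length file for AFL-ML is an assumption made here, not something the README states.

```shell
#!/bin/sh
# Added example, not part of DTLS-Fuzzer or ProFuzzBench: stage concretized
# seeds into the ProFuzzBench subject folder for a fuzzer and check the seed
# set before the Docker image is built. Folder names, extensions and image
# tags follow the README; the .replay/.length pairing rule is an assumption.
set -e

# Input folder (relative to profuzzbench/subjects/DTLS/[SUT]) for each fuzzer.
seed_dir_for() {
    case "$1" in
        aflnet)   echo in-dtls ;;
        stateafl) echo in-dtls-replay ;;
        aflml)    echo in-dtls-aflml ;;
        *) echo "unknown fuzzer: $1" >&2; return 1 ;;
    esac
}

# Build command to run inside profuzzbench/subjects/DTLS/[SUT] afterwards.
build_cmd_for() {
    case "$1" in
        aflnet|aflml) echo "docker build -t profuzz-$2 ." ;;
        stateafl)     echo "docker build -t profuzz-$2-stateafl . -f Dockerfile-stateafl" ;;
        *) echo "unknown fuzzer: $1" >&2; return 1 ;;
    esac
}

# stage_seeds FUZZER SUT SRC_DIR PROFUZZBENCH_ROOT: copies the seeds the fuzzer
# expects, prints the number staged; fails on no seeds or a .replay without .length.
stage_seeds() {
    fuzzer=$1; sut=$2; src=$3; root=$4
    subdir=$(seed_dir_for "$fuzzer") || return 1
    dest="$root/subjects/DTLS/$sut/$subdir"
    case "$fuzzer" in aflnet) ext=raw ;; *) ext=replay ;; esac
    mkdir -p "$dest"
    count=0
    for f in "$src"/*."$ext"; do
        [ -e "$f" ] || break            # glob did not match: no seeds at all
        if [ "$fuzzer" = aflml ]; then
            len="${f%.replay}.length"   # assumed: one .length per .replay
            [ -e "$len" ] || { echo "missing $len for $f" >&2; return 1; }
            cp "$len" "$dest/"
        fi
        cp "$f" "$dest/"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || { echo "no *.$ext seeds in $src" >&2; return 1; }
    echo "staged $count seed(s) in $dest; next: cd $root/subjects/DTLS/$sut && $(build_cmd_for "$fuzzer" "$sut")" >&2
    echo "$count"
}
```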

2.4 Fuzz

Use the ProFuzzBench script to run the fuzzing, for example:

cd profuzzbench
source profuzz-init.sh
profuzzbench_exec_common.sh profuzz-etinydtls 4 results-etinydtls/20230704/ aflml out-etinydtls-aflml "-P DTLS12 -D 10000 -q 3 -s 3 -E -K -R -W 30 -m none -t 1000+" 172800 5

See profuzzbench/README.md for more information.