
Study Of Fuzzing For Implementation Of Stateful Network Protocol Based On Dynamic Taint Analysis

Posted on: 2011-10-02
Degree: Master
Type: Thesis
Country: China
Candidate: Z Q Lai
Full Text: PDF
GTID: 2178330338489858
Subject: Computer Science and Technology
Abstract/Summary:
Fuzzing is currently one of the most powerful testing methodologies in software security testing and vulnerability discovery, and building efficient, precise, high-coverage security testing systems is a key topic for both research and industry. Traditional fuzzing, however, has three weaknesses: test cases are generated blindly, execution is inefficient, and stateful network protocols are poorly supported. This thesis addresses these problems by applying dynamic taint analysis (DTA) to the fuzzing of stateful network protocol implementations. The work consists of three parts.

First, a heuristic test case generation method based on DTA is proposed. DTA traces how the program processes untrusted input; by monitoring the points in the program where tainted data reaches potentially dangerous operations, it identifies the fields of the test case that can reach those points (the potential attack points). These attack points serve as heuristic information for test case generation, which greatly reduces the blindness of mutation and improves testing performance.

Second, a new fuzzing framework is presented for the security testing of complex stateful protocols, which most existing testing tools support poorly. The framework describes a stateful protocol as a state machine, and an easily extended protocol description script language is designed and implemented on top of it, so that high-coverage test case sequences for the protocol can be generated. Combined with the DTA results, the framework draws on its anomaly database heuristically during mutation-based test case generation.

Finally, SmartFuzzer, a DTA-based stateful protocol fuzzing system, is designed and implemented; it is capable of effectively discovering potential vulnerabilities in the target program.

Comparison with other fuzzing systems shows that SmartFuzzer is not only more targeted in test case generation but also more accurate and efficient in vulnerability discovery.
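As an added illustration (not code from the thesis or from SmartFuzzer), the following Python models the two ideas the abstract describes together: a state-machine description of a stateful protocol that is walked to generate message sequences, and a DTA-style monitor that records which input offsets reach a sensitive sink so that mutation is focused on those offsets and drawn from a small anomaly-value list. The target protocol, its authentication secret, the buffer size, the sink, the anomaly values and every function name here are constructed for this example and are not the thesis's own.

```python
import random

BUF_SIZE = 64  # hypothetical fixed-size buffer inside the constructed target

class TargetCrash(Exception):
    """Raised when the simulated target would overflow its buffer."""

class TaintMonitor:
    """Stand-in for a DTA engine: records which input offsets reach a sensitive sink."""
    def __init__(self):
        self.hits = []  # (sink name, frozenset of input offsets)
    def sink(self, name, labels):
        self.hits.append((name, frozenset(labels)))

def parse_uint(field, labels):
    """Target's integer parser; the result inherits the taint of every byte it read."""
    if not field.isdigit():
        raise ValueError("not a number")
    return int(field), set(labels)

class Target:
    """Constructed stateful line protocol: HELLO -> AUTH -> DATA..., QUIT at any point."""
    def __init__(self, monitor):
        self.state, self.monitor = "INIT", monitor
    def handle(self, msg):
        parts = msg.rstrip(b"\n").split(b" ", 2)
        cmd = parts[0]
        if cmd == b"QUIT":
            self.state = "CLOSED"
            return b"+BYE"
        if self.state == "INIT" and cmd == b"HELLO" and len(parts) >= 2:
            self.state = "GREETED"
            return b"+OK"
        if self.state == "GREETED" and cmd == b"AUTH" and len(parts) >= 2:
            self.state = "AUTHED" if parts[1] == b"secret" else "GREETED"
            return b"+OK" if self.state == "AUTHED" else b"-BAD"
        if self.state == "AUTHED" and cmd == b"DATA" and len(parts) == 3:
            start = len(cmd) + 1  # input offsets covered by the length field
            try:
                n, n_labels = parse_uint(parts[1], range(start, start + len(parts[1])))
            except ValueError:
                return b"-ERR"
            self.monitor.sink("memcpy_size", n_labels)  # tainted value controls a copy size
            if n > BUF_SIZE:  # simulated memcpy(buf, payload, n) trusting the declared length
                raise TargetCrash(f"copy of {n} bytes into {BUF_SIZE}-byte buffer")
            return b"+OK"
        return b"-ERR"

# Protocol description (our own dict format): state -> [(message template, next state)].
PROTOCOL = {
    "INIT": [(b"HELLO client\n", "GREETED")],
    "GREETED": [(b"AUTH secret\n", "AUTHED"), (b"QUIT\n", "CLOSED")],
    "AUTHED": [(b"DATA 5 hello\n", "AUTHED"), (b"QUIT\n", "CLOSED")],
    "CLOSED": [],
}
# Constructed stand-in for an anomaly database: boundary values for numeric fields.
ANOMALIES = [b"0", b"255", b"65535", b"4294967295", b"-1", b"99999999999"]

def generate_sequences(proto, state="INIT", depth=4):
    """Walk the state machine to enumerate valid message sequences of up to `depth` messages."""
    if depth == 0 or not proto[state]:
        return [[]]
    return [[msg] + tail for msg, nxt in proto[state]
            for tail in generate_sequences(proto, nxt, depth - 1)]

def run_sequence(seq):
    """Run seq under the monitor -> (status, crash index, {msg index: offsets reaching a sink})."""
    monitor = TaintMonitor()
    target, attack_points = Target(monitor), {}
    for i, msg in enumerate(seq):
        monitor.hits = []
        try:
            target.handle(msg)
        except TargetCrash:
            return "crash", i, attack_points
        for _name, labels in monitor.hits:
            attack_points.setdefault(i, set()).update(labels)
    return "ok", None, attack_points

def taint_guided_mutate(seq, attack_points, rng):
    """Replace only a field that DTA showed reaching a sink, with an anomaly value."""
    i = rng.choice(sorted(attack_points))
    offs = sorted(attack_points[i])
    mutated = seq[i][:offs[0]] + rng.choice(ANOMALIES) + seq[i][offs[-1] + 1:]
    return seq[:i] + [mutated] + seq[i + 1:]

def fuzz(iterations=200, seed=1):
    """Seed the corpus from the state machine, then mutate at DTA attack points.
    Returns (sequence, index of the crashing message) or None."""
    rng = random.Random(seed)
    corpus = []
    for seq in generate_sequences(PROTOCOL):
        status, _, aps = run_sequence(seq)
        if status == "ok" and aps:  # keep sequences in which some field reached a sink
            corpus.append((seq, aps))
    for _ in range(iterations):
        seq, aps = rng.choice(corpus)
        cand = taint_guided_mutate(seq, aps, rng)
        status, idx, _ = run_sequence(cand)
        if status == "crash":
            return cand, idx
    return None
```

Two points the code makes concrete: the length field of DATA only reaches the copy-size sink after HELLO and AUTH have moved the target into the right state, so sequences must come from the protocol description rather than from single messages; and once DTA has tagged offset 5 of the DATA message as the attack point, every mutation lands on that field, whereas a blind byte-flip would mostly break the command word or the authentication step and never reach the sink.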
Keywords/Search Tags: Software Security Testing, Vulnerability Mining, Fuzzing, Stateful Protocol, Dynamic Taint Analysis