
Pulsar: Stateful Black-Box Fuzzing of Proprietary Network Protocols

Conference paper: Security and Privacy in Communication Networks (SecureComm 2015)

Abstract

The security of network services and their protocols critically depends on minimizing their attack surface. A single flaw in an implementation can suffice to compromise a service and expose sensitive data to an attacker. The discovery of vulnerabilities in protocol implementations, however, is a challenging task: while for standard protocols this process can be conducted with regular auditing techniques, the situation becomes difficult for proprietary protocols if neither the program code nor the specification of the protocol is easily accessible. As a result, vulnerabilities in closed-source implementations often remain undiscovered for long periods of time. In this paper, we present Pulsar, a method for stateful black-box fuzzing of proprietary network protocols. Our method combines concepts from fuzz testing with techniques for automatic protocol reverse engineering and simulation. It proceeds by observing the traffic of a proprietary protocol and inferring a generative model of message formats and protocol states that can not only analyze but also simulate communication. During fuzzing, this simulation can effectively explore the protocol state space and thereby enables uncovering vulnerabilities deep inside the protocol implementation. We demonstrate the efficacy of Pulsar in two case studies, where it identifies known as well as previously unknown vulnerabilities.
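The abstract describes the pipeline in three steps: observe traffic, infer a generative model of message formats and protocol states, and drive fuzzing through that model so that mutated messages are delivered in a state where the implementation actually parses them. The following toy reproduces that pipeline end to end. It is an added illustration written for this page, not Pulsar's code, and it makes several simplifying assumptions that the paper does not: the protocol, the four captured sessions, the toy server, the payload list and the inference heuristics (grouping messages by their first token instead of clustering, and a first-order Markov model over message types as the state model) are all constructed here.

```python
"""Toy stateful black-box fuzzer in the spirit of Pulsar: infer message templates
and a dialog model from captured sessions, then emit fuzz cases that replay a
valid prefix before mutating one field of a deep message. Added illustration,
not Pulsar's code; protocol, captures and heuristics are constructed for it."""
import re
from collections import defaultdict, deque
from itertools import chain

# Constructed captures of a made-up line-based protocol (client requests only).
SESSIONS = [
    ["HELLO v1", "AUTH user=alice tok=4f3a", "GET key=temp", "BYE"],
    ["HELLO v1", "AUTH user=bob tok=91c0", "PUT key=temp val=21", "GET key=mode", "BYE"],
    ["HELLO v1", "AUTH user=carol tok=00ff", "PUT key=mode val=auto", "BYE"],
    ["HELLO v1", "BYE"],
]
START, END, VAR = "<start>", "<end>", "<var>"
PAYLOADS = ["A" * 4096, "%s%n%x", "-1", "2147483648", "\x00"]  # no spaces: one field each

def tokens(msg):
    """Split on spaces and '=' but keep the separators as tokens."""
    return [t for t in re.split(r"([ =])", msg) if t]

def infer_templates(sessions):
    """Group by first token (crude stand-in for clustering); a position whose value
    varies within the group becomes a VAR field with its observed values recorded."""
    groups = defaultdict(list)
    for msg in chain.from_iterable(sessions):
        groups[msg.split()[0]].append(tokens(msg))
    templates, values = {}, {}
    for kind, rows in groups.items():
        tmpl = []
        for i in range(max(len(r) for r in rows)):  # optional fields not modelled
            col = {r[i] for r in rows if len(r) > i}
            tmpl.append(next(iter(col)) if len(col) == 1 else VAR)
            if len(col) > 1:
                values[(kind, i)] = sorted(col)
        templates[kind] = tmpl
    return templates, values

def infer_dialog_model(sessions):
    """First-order Markov model: trans[a][b] = times type b directly followed type a."""
    trans = defaultdict(lambda: defaultdict(int))
    for s in sessions:
        path = [START] + [m.split()[0] for m in s] + [END]
        for a, b in zip(path, path[1:]):
            trans[a][b] += 1
    return trans

def path_to(trans, target):
    """BFS: shortest observed dialog ending in `target`; None if never reached."""
    seen, queue = {START}, deque([[START]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path[1:]
        for nxt in trans.get(path[-1], {}):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def render(templates, values, kind, mutate_pos=None, payload=None):
    """VAR fields take the first observed value except at `mutate_pos`. Values are
    picked independently, so a token bound to one user is not preserved here."""
    return "".join(payload if i == mutate_pos else values[(kind, i)][0] if tok == VAR else tok
                   for i, tok in enumerate(templates[kind]))

def fuzz_cases(sessions, target):
    """One case per (VAR field, payload): valid prefix, then `target` with that field swapped."""
    templates, values = infer_templates(sessions)
    prefix = path_to(infer_dialog_model(sessions), target)
    if prefix is None:
        return []
    cases = []
    for pos, tok in enumerate(templates[target]):
        for p in (PAYLOADS if tok == VAR else []):
            msgs = [render(templates, values, t) for t in prefix[:-1]]
            cases.append(msgs + [render(templates, values, target, pos, p)])
    return cases

def toy_server(msgs):
    """Constructed stateful target: fields are parsed only once authenticated."""
    state, log = "new", []
    for m in msgs:
        t = m.split()[0]
        if t == "HELLO" and state == "new":
            state = "hello"
        elif t == "AUTH" and state == "hello":
            state = "auth"
        elif t in ("GET", "PUT") and state == "auth":
            log.append((t, dict(f.split("=", 1) for f in m.split()[1:])))
        elif t == "BYE":
            state = "closed"
        else:
            log.append(("ERR", t))  # rejected before any field parsing
            break
    return log

if __name__ == "__main__":
    for case in fuzz_cases(SESSIONS, "PUT"):
        print(repr(case[-1][:32]), "->", toy_server(case)[0][0])
```

The point the toy makes is the one the abstract makes: a PUT sent cold is rejected by the state check and its fields are never parsed, whereas every case from fuzz_cases first replays the HELLO and AUTH prefix the model learned and therefore lands in the handler that does parse. Two limitations are worth keeping in mind when reading it. First, field values are drawn independently, so correlated fields (a session token that belongs to a particular user) are not kept consistent; a real protocol with such dependencies needs the values tracked across the dialog. Second, a field that never varied in the captures (HELLO's version string here) is frozen as a constant and never fuzzed, so the quality of the inferred model is bounded by the diversity of the observed traffic.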



Author information

Corresponding author: Hugo Gascon.


Copyright information

© 2015 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering


Cite this paper

Gascon, H., Wressnegger, C., Yamaguchi, F., Arp, D., Rieck, K. (2015). Pulsar: Stateful Black-Box Fuzzing of Proprietary Network Protocols. In: Thuraisingham, B., Wang, X., Yegneswaran, V. (eds) Security and Privacy in Communication Networks. SecureComm 2015. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 164. Springer, Cham. https://doi.org/10.1007/978-3-319-28865-9_18


  • DOI: https://doi.org/10.1007/978-3-319-28865-9_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-28864-2

  • Online ISBN: 978-3-319-28865-9
