Skip to main content
SpringerLink
Log in

Network protocol fuzz testing for information systems and applications: a survey and taxonomy

  • Published:
Multimedia Tools and Applications Aims and scope Submit manuscript

Abstract

Fuzzing or fuzz testing has been introduced as a software testing technique to reduce vulnerabilities in software systems or given targets. To achieve a maximum benefit-to-cost ratio and without complication, we use fuzz testing [11]. In addition, during the development and debugging of a system, we may fail to notice the kinds of shortcoming that fuzz testing can expose. Fuzz testing types are different depending on the target they fuzz. Application, file format, and protocol fuzzing are the most common fuzzing types. A protocol fuzzer sends counterfeit packets to a target system while changing the normal packet en-route and sometimes replaying them. In addition, a protocol fuzzer sometimes acts as proxy server for clients. This survey study examines network protocol fuzz testing. We identified several studies on network protocol fuzzing. Most focus on application layers of the Open Systems Interconnection model. We primarily review the approaches of five studies and the targets and protocol layers they fuzz. We then develop criteria to compare these approaches in detail.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1

Similar content being viewed by others

References

  1. Allar J (2013) Practical File Format Fuzzing. http://www.irongeek.com/i.php?page=videos/derbycon3/3301-practical-file-format-fuzzing-jared-allar. Accessed 23 Jul 2015

  2. Apache APR PSPrintf Memory Corruption Vulnerability. http://www.securityfocus.com/bid/7723

  3. Gorbunov S, Rosenbloom A (2010) AutoFuzz: automated network protocol fuzzing framework. Department of mathematical and Computation Sciences, University of Toronto Mississauga, Canada

  4. Green Hackerz, available at : http://www.greenhackerz.com/

  5. Han X, Wen Q, Zhang Z (2012) A mutation-based fuzz testing approach for network protocol vulnerability detection. Beijing University of Posts and Telecommunications, Beijing

    Book  Google Scholar 

  6. http://cs-websubmit.bu.edu/main.py?courseid=cs558CS558: LAB 1: Program fuzzing

  7. Kitagawa T, Hanaoka M, Kono K (2010) AspFuzz: a state-aware protocol fuzzer based on application-layer protocols. Department of Information and Computer Science, Keio University, 3-14-1, Yokohama

  8. Lee DH, Kim SY, Choi DS, Oh HG (2008) File fuzzing system using field information and fault-injection rule. http://www.sersc.org/journals/JSE/vol5_no6_2008/5.pdf. Accessed 23 Jul 2015

  9. Ma R, Ji W, Hu C, Shan C, Peng W (2014) Fuzz testing data generation for network protocol using classification tree. School of Software, Beijing Institute of Technology, Beijing

    Google Scholar 

  10. Park KC, Shin H, Park WH, Lim JI (2014) New detection method and countermeasure of cyber-attacks in mix networks. Multimedia Tools and Applications, Springer Science plus business Media, Newyork

  11. Rouse M (2010) Fuzz Testing (fuzzing). http://www.privatehomepage.com. Accessed 23 Jul 2015

  12. Shu G, Hsu Y, Lee D (2008) Detecting communication protocol security flaws by formal fuzz testing and machine learning. Department of Computer Science and Engineering, the Ohio State University Columbus, USA

    Book  Google Scholar 

  13. Sutten M, Greene A (2005) The Art of File Format Fuzzing. http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-sutton.pdf. Accessed 22 Jul 2015

  14. Sutton M, Greene A, Amini P (2007) Fuzzing: brute force vulnerability discovery. Addison-Wesley Professional, Indiana

  15. Takanen A, Demott JD, Miller C (2008) Fuzzing for software security testing and quality assurance. Artech House, Boston

  16. The National Vulnerability Database (2014) Available at https://nvd.nist.gov/home.cfm

  17. Tsankov P, Dashti MT, Basin D (2012) SecFuzz: fuzz-testing security protocols. Institute of Information Security, ETH Zurich

  18. Wang J, Guo T, Zhang P, Xiao Q (2013) A model-based behavioral fuzzing approach for network service. China Information Technology Security Evaluation Center, Beijing. doi:10.1109/IMCCC.2013.250

  19. Zhao J, Chen S, Liang S, Cui B (2013) RFSM: a smart fuzzing algorithm based on regression FSM. Beijing University of Posts and Telecommunications, Beijing

    Google Scholar 

Download references

Acknowledgments

This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT & Future Planning (NRF-2015R1A1A1A05001238).

Author information

Authors and Affiliations

  1. Division of Computer Engineering, Ajou University, Suwon, Gyeonggi-do, 443-749, Republic of Korea

    Tewodros Legesse Munea, Hyunwoo Lim & Taeshik Shon

Authors
  1. Tewodros Legesse Munea
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Hyunwoo Lim
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Taeshik Shon
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Taeshik Shon.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Munea, T.L., Lim, H. & Shon, T. Network protocol fuzz testing for information systems and applications: a survey and taxonomy. Multimed Tools Appl 75, 14745–14757 (2016). https://doi.org/10.1007/s11042-015-2763-6

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11042-015-2763-6

Keywords

Search

Navigation