SMBugFinder: An Automated Framework for Testing Protocol Implementations for State Machine Bugs
Authors: 
Paul Fiterău-Broştean, Bengt Jonsson, Konstantinos Sagonas, Fredrik TåquistAuthors Info & Claims
Paul Fiterău-Broştean, Bengt Jonsson, Konstantinos Sagonas, Fredrik TåquistAuthors Info & ClaimsPages 1866 - 1870
Abstract
Implementations of stateful network protocols must keep track of the presence, order and type of exchanged messages. Any errors, so-called state machine bugs, can compromise security. SMBugFinder provides an automated framework for detecting these bugs in network protocol implementations using black-box testing. It takes as input a state machine model of the protocol implementation which is tested and a catalogue of bug patterns for the protocol conveniently specified as finite automata. It then produces sequences that expose the catalogued bugs in the tested implementation. Connection to a harness allows SMBugFinder to validate these sequences. The technique behind SMBugFinder has been evaluated successfully on DTLS and SSH in prior work. In this paper, we provide a user-level view of the tool using the EDHOC protocol as an example.
References
[1]
George Argyros, Ioannis Stais, Suman Jana, Angelos D. Keromytis, and Aggelos Kiayias. 2016. SFADiff: Automated Evasion Attacks and Fingerprinting Using Black-box Differential Automata Learning. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS ’16). ACM, 1690–1701. https://doi.org/10.1145/2976749.2978383
[2]
Sofia Cassel, Falk Howar, Bengt Jonsson, and Bernhard Steffen. 2016. Active learning for extended finite state machines. Formal Aspects of Computing, 28, 2 (2016), 01 April, 233–263. issn:1433-299X https://doi.org/10.1007/s00165-016-0355-5
[3]
Joeri de Ruiter and Erik Poll. 2015. Protocol State Fuzzing of TLS Implementations. In 24th USENIX Security Symposium. USENIX Association, 193–206. https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/de-ruiter
[4]
Simon Dierl, Paul Fiterau-Brostean, Falk Howar, Bengt Jonsson, Konstantinos Sagonas, and Fredrik Tåquist. 2024. Scalable Tree-based Register Automata Learning. In Tools and Algorithms for the Construction and Analysis of Systems, Bernd Finkbeiner and Laura Kovács (Eds.) (LNCS, Vol. 14571). Springer Nature Switzerland, Cham. 87–108. isbn:978-3-031-57249-4 https://doi.org/10.1007/978-3-031-57249-4_5
[5]
Tiago Ferreira, Harrison Brewton, Loris D’Antoni, and Alexandra Silva. 2021. Prognosis: Closed-box Analysis of Network Protocol Implementations. In ACM SIGCOMM 2021 Conference. ACM, 762–774. https://doi.org/10.1145/3452296.3472938
[6]
Paul Fiterau-Brostean, Bengt Jonsson, Konstantinos Sagonas, and Fredrik Tåquist. 2023. Automata-Based Automated Detection of State Machine Bugs in Protocol Implementations. In 30th Annual Network and Distributed System Security Symposium (NDSS 2023). The Internet Society. https://www.ndss-symposium.org/ndss-paper/automata-based-automated-detection-of-state-machine-bugs-in-protocol-implementations/
[7]
Paul Fiterău-Broştean, Ramon Janssen, and Frits W. Vaandrager. 2016. Combining Model Learning and Model Checking to Analyze TCP Implementations. In Computer Aided Verification - 28th International Conference, CAV 2016, Proceedings, Part II (LNCS, Vol. 9780). Springer, 454–471. https://doi.org/10.1007/978-3-319-41540-6_25
[8]
Paul Fiterău-Broştean, Bengt Jonsson, Robert Merget, Joeri de Ruiter, Konstantinos Sagonas, and Juraj Somorovsky. 2020. Analysis of DTLS Implementations Using Protocol State Fuzzing. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 2523–2540. https://www.usenix.org/conference/usenixsecurity20/presentation/fiterau-brostean
[9]
Paul Fiterău-Broştean, Bengt Jonsson, Konstantinos Sagonas, and Fredrik Tåquist. 2022. DTLS-Fuzzer: A DTLS Protocol State Fuzzer. In 15th IEEE International Conference on Software Testing, Verification and Validation (ICST 2022). IEEE, 456–458. https://doi.org/10.1109/ICST53961.2022.00051
[10]
Paul Fiterău-Broştean, Toon Lenaerts, Joeri de Ruiter, Erik Poll, Frits W. Vaandrager, and Patrick Verleg. 2017. Model Learning and Model Checking of SSH Implementations. In Proceedings of the 24th ACM SIGSOFT International SPIN Symposium on Model Checking of Software (SPIN 2017). ACM, 142–151. isbn:978-1-4503-5077-8 https://doi.org/10.1145/3092282.3092289
[11]
Paul Fiterău-Broştean, Konstantinos Sagonas, Fredrik Tåquist, and Bengt Jonsson. 2024. SMBugFinder: An Automated Framework for Testing Protocol Implementations for State Machine Bugs. https://doi.org/10.5281/zenodo.12665353 Artifact for the ISSTA ’24 paper with the same title
[12]
Jiaxing Guo, Chunxiang Gu, Xi Chen, and Fushan Wei. 2019. Model Learning and Model Checking of IPSec Implementations for Internet of Things. IEEE Access, 7 (2019), Nov., 171322–171332. https://doi.org/10.1109/ACCESS.2019.2956062
[13]
Syed Rafiul Hussain, Imtiaz Karim, Abdullah Al Ishtiaq, Omar Chowdhury, and Elisa Bertino. 2021. Noncompliance as Deviant Behavior: An Automated Black-box Noncompliance Checker for 4G LTE Cellular Devices. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS ’21). ACM, 1082–1099. https://doi.org/10.1145/3460120.3485388
[14]
Malte Isberner, Falk Howar, and Bernhard Steffen. 2014. The TTT Algorithm: A Redundancy-Free Approach to Active Automata Learning. In Runtime Verification: 5th International Conference, RV 2014, Proceedings (LNCS, Vol. 8734). Springer, 307–322. https://doi.org/10.1007/978-3-319-11164-3_26
[15]
Konstantinos Sagonas and Thanasis Typaldos. 2023. EDHOC-Fuzzer: An EDHOC protocol state fuzzer. In Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, René Just and Gordon Fraser (Eds.) (ISSTA ’23). ACM, New York, NY, USA. 1495–1498. https://doi.org/10.1145/3597926.3604922
[16]
Göran Selander, John Preuß Mattsson, and Francesca Palombini. 2024. Ephemeral Diffie-Hellman Over COSE (EDHOC). RFC 9528. https://doi.org/10.17487/RFC9528
[17]
Martin Tappler, Bernhard K. Aichernig, and Roderick Bloem. 2017. Model-Based Testing IoT Communication via Active Automata Learning. In IEEE International Conference on Software Testing, Verification and Validation (ICST 2017). IEEE Computer Society, 276–287. https://doi.org/10.1109/ICST.2017.32
[18]
Online; accessed 31-July-2024. TLS-Attacker. https://github.com/tls-attacker/TLS-Attacker
[19]
Frits Vaandrager, Bharat Garhewal, Jurriaan Rot, and Thorsten Wiß mann. 2022. A New Approach for Active Automata Learning Based on Apartness. In Tools and Algorithms for the Construction and Analysis of Systems, Dana Fisman and Grigore Rosu (Eds.) (LNCS, Vol. 13243). Cham. 223–243. https://doi.org/10.1007/978-3-030-99524-9_12
[20]
Frits W. Vaandrager. 2017. Model learning. Commun. ACM, 60, 2 (2017), 86–95. https://doi.org/10.1145/2967606
Index Terms
- SMBugFinder: An Automated Framework for Testing Protocol Implementations for State Machine Bugs
Recommendations
Monitor-based Testing of Network Protocol Implementations Using Symbolic Execution
ARES '24: Proceedings of the 19th International Conference on Availability, Reliability and SecurityImplementations of network protocols must conform to their specifications in order to avoid security vulnerabilities and interoperability issues. To detect errors, testing must investigate an implementation’s response to a wide range of inputs, ...
EDHOC-Fuzzer: An EDHOC Protocol State Fuzzer
ISSTA 2023: Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and AnalysisEDHOC is a compact and lightweight authenticated key exchange protocol proposed by the IETF, whose design focuses on small message sizes, in order to be suitable for constrained IoT communication technologies. In this tool paper, we overview EDHOC-...
Protocol Security Testing with SPIN and TTCN-3
ICSTW '11: Proceedings of the 2011 IEEE Fourth International Conference on Software Testing, Verification and Validation WorkshopsProtocol security testing is an important technique to ensure the security of communication protocols. However, methods considering both effective detection to specification vulnerabilities and efficient testing on protocol implementations are not well ...
Comments
Information & Contributors
Information
Published In
September 2024
1928 pages
Copyright © 2024 Owner/Author.
This work is licensed under a Creative Commons Attribution-ShareAlike International 4.0 License.
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 11 September 2024
Check for updates
Badges
Author Tags
Qualifiers
- Research-article
Funding Sources
- Vetenskapsrådet
- Stiftelsen för Strategisk Forskning
- Knut och Alice Wallenbergs Stiftelse
Conference
ISSTA '24
Sponsor:
ISSTA '24: 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis
September 16 - 20, 2024
Vienna, Austria
Acceptance Rates
Overall Acceptance Rate 58 of 213 submissions, 27%
Upcoming Conference
ISSTA '25
- Sponsor:
- sigsoft
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 261Total Downloads
- Downloads (Last 12 months)261
- Downloads (Last 6 weeks)39
Reflects downloads up to 02 Mar 2025
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in