NAFuzzer: Augmenting Network Protocol Fuzzers via Automatic Template and Seed Generation

Fuzzing is one of the most popular software analysis techniques for discovering vulnerabilities. Different from common terminal software, servers should be interacted with well-formed message that conforms to protocol specifications to exercise more functions. However, without protocol specifications, random bit flipping is unlikely to generate valid messages, making fuzzing struggle to traverse the deeper branches of the program. What’s more, manually extracting specifications is typically labor-intensive. In this paper, we present NAFuzzer, a format-aware fuzzing framework for network protocol software. Based on the key insight that similar message fields being parsed at similar locations in the program, NAFuzzer collects constraints of message handling process using replay-based concolic execution, then runs Loop Mapping algorithm to infer the protocol format, and finally uses the format information to generate seeds and perform fuzzing. We implemented and evaluated NAFuzzer on 6 real-world protocol software (LightFTP, Exim, Live555, NetSNMP, Dnsmasq, TinyHTTPd). The results show that NAFuzzer can extract the message formats of six protocol software with a field recognition accuracy of close to 90%. In fuzzing, it achieves higher branch coverage (up to 27.3%) and discovers more paths (up to 38.2%) compared to state-of-the-art fuzzers without any manual involvement.