Network protocol vulnerability detection method and system based on message sequence attribution optimization
By optimizing message sequence attribution and mutation point analysis, the shortcomings of existing tools in message sequence attribution and evaluation are addressed, improving the efficiency and effectiveness of network protocol fuzz testing and achieving higher code coverage and vulnerability discovery.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- HANGZHOU DIANZI UNIV
- Filing Date
- 2023-05-16
- Publication Date
- 2026-07-03
AI Technical Summary
Existing gray-box fuzzing tools for network protocols have a coarse strategy when attributing message sequences, a single evaluation dimension, and cannot accurately assess the potential of each message sequence. Furthermore, the selection of mutation point locations is not precise enough, resulting in low code coverage and insufficient vulnerability discovery capabilities.
By calculating the preference of the message sequence for each state, the message sequence attribution is optimized. An evaluation function is constructed by combining multidimensional feedback information, more promising message sequences are selected for testing, and a mutation point analysis algorithm is designed to filter out mutated positions and prioritize the mutation of other interesting positions.
It improves the code coverage and vulnerability discovery capabilities of fuzzing, enabling deeper exploration of code and state within the same timeframe to uncover more security vulnerabilities.
Smart Images

Figure CN116827597B_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of network protocol security detection technology, specifically relating to a network protocol vulnerability detection method and system based on message sequence attribution optimization. Background Technology
[0002] Fuzzing is one of the most effective techniques for discovering potential vulnerabilities in network protocol entities.
[0003] Recently, AFLNET, a gray-box fuzzing tool for network protocols based on coverage guidance, has become one of the most watched technologies in the field of network protocol fuzzing. Many excellent research results have been developed based on it, such as SNPSFuzzer, NSFuzz, StateAFL, and AFLNetLegion. However, these fuzzing tools employ relatively crude strategies when assigning message sequences. Specifically, they fail to consider that the same message sequence produces different benefits for different states, use too few dimensions to evaluate the value of message sequences, making it difficult to accurately assess the true potential of each message sequence, and limit the selection of mutation points to a single location, ignoring other interesting mutation locations.
[0004] Existing research on gray-box fuzzing methods for network protocols mainly includes the following open-source tools, patents, and papers:
[0005] AFLNET is a gray-box fuzzing tool for network protocols based on coverage guidance. It maintains a message sequence pool for each state, containing all message sequences that enable the protocol entity to reach that state. When a newly generated message sequence is deemed interesting (i.e., adding new code coverage, generating a new state, or a new state transition), it is added to the message sequence pool maintained by the target state, without considering adding it to the message sequence pools maintained by other states, thus ignoring the fuzzing benefits the message sequence brings to other states. Secondly, when evaluating message sequences, it either treats each sequence equally (i.e., doesn't evaluate them at all) or uses overly simplistic evaluation dimensions, failing to accurately assess the true potential of each message sequence, thus preventing the fuzzing tool from selecting more promising message sequences for testing. Furthermore, a message sequence may have multiple mutation points, but AFLNET only mutates at a fixed mutation point, ignoring other interesting mutation points.
[0006] SNPSFuzzer proposes a mechanism based on snapshot dumping and snapshot recovery to improve the efficiency of fuzz testing. However, it still suffers from coarse message sequence attribution and overly simplistic dimensional information for evaluating message sequence value. Nevertheless, it prioritizes the last occurring target state as the mutation starting point when selecting the mutation point. AFLNetLegion proposes a variant of the Monte Carlo tree search algorithm for state selection and applies this algorithm to message sequence selection. It also combines two-dimensional feedback information to evaluate the value of the message sequence. NSFuzz and StateAFL focus on proposing a novel protocol state representation method to accurately abstract the state space within protocol entities; therefore, they share the same problems as AFLNET.
[0007] To address the aforementioned issues, this invention, based on the mainstream gray-box fuzzing tool AFLNET, proposes a network protocol vulnerability detection method and system based on message sequence attribution optimization. This invention better solves the problems existing in AFLNET and its derivatives in three aspects: message sequence attribution strategy, message sequence evaluation and selection, and selection of mutation point locations for message sequences. Furthermore, it helps each message sequence find and add to the optimal message sequence pool, more accurately evaluates the potential of each message sequence, and allows for mutation at more interesting locations, thereby improving the code coverage and vulnerability discovery capabilities of the protocol entity under test. Summary of the Invention
[0008] To address the problems existing in current gray-box fuzzing methods for network protocols regarding message sequence attribution, this invention aims to propose a network protocol vulnerability detection method and system based on message sequence attribution optimization. During testing, when a new interesting message sequence is generated, all states in the corresponding state sequence are extracted, and the preference degree of the message sequence for each state is calculated. This preference degree is then added to the message sequence pool maintained by the state with the highest preference degree. Furthermore, an evaluation function is constructed using test information generated by the current message sequence (the number of interesting message sequences generated by mutation, the number of times the message sequence is selected, the length of the message sequence, and whether it is the first time it has been fuzzed, etc.) to more accurately evaluate the potential value of each message sequence and prioritize testing message sequences with higher fuzzing potential. In addition, a mutation point analysis algorithm is designed to help the fuzzing tool filter out already mutated positions and instead mutate other more interesting mutation positions.
[0009] A network protocol vulnerability detection method based on message sequence attribution optimization includes the following steps: S1 Obtain the target code of the protocol under test, use the protocol under test to communicate, collect communication traffic, and generate an initial message sequence set;
[0010] S2 performs fuzz testing on the protocol under test based on the initial message sequence set;
[0011] S3 collects code coverage information and status feedback information generated by the tested protocol entity during the fuzzing process to determine whether the message sequence of the current test is an interesting message sequence.
[0012] Based on the message sequence that was determined to be interesting in step S3, step S4 returns to step S2 to perform the next round of fuzz testing.
[0013] Preferably, step S1, obtaining the target code of the protocol under test, specifically includes the following steps:
[0014] Obtain the entity program of the protocol under test, and use the compiler instrumentation tool afl-clang-fast++ to compile and instrument the entity program of the protocol under test to generate the target code of the protocol under test.
[0015] The communication using the protocol under test includes:
[0016] Start the target code of the protocol under test and its corresponding communication terminal, and initiate communication;
[0017] The collection of communication traffic includes: using the packet sniffing tool tcpdump to listen to all traffic on the port corresponding to the protocol entity, and collecting and storing this traffic;
[0018] The generation of the initial message sequence set includes: using the packet analysis tool Wireshark to parse the collected and saved traffic and extract all request message sequences as the initial message sequence set MSeqSet, where MSeqSet={M1, ..., M...} u ,...,M d}
[0019] Where M u This refers to the u-th message sequence in MSeqSet, where u = 1, ..., d, and d is the total number of message sequences. The message sequence refers to a linked list of messages, i.e., M... u =m u,1 ->...->m u,y ->...->m u,a m u,y Let y represent the y-th message in the u-th message sequence, where y = 1, ..., a, and a is M. uTotal number of messages.
[0020] Preferably, step S2 includes the following steps:
[0021] S2.1 Initialization Parameters
[0022] Construct a global variable array `state_ids`, perform protocol tests on each message sequence in the initial message sequence set `MSeqSet` obtained in step S1, collect the protocol states reached by the protocol entity program, and store them in the global variable array `state_ids`, where `state_ids={S1,...,S...}`. i ,...,S n},
[0023] Among them, S i Let i represent the i-th protocol state, i=1,...,n, where n is the total number of protocol states;
[0024] For each state S i Initialize and create a message sequence pool (Pool) i ={M i,1 ,...,M i,j ,...,M i,k}, where Pool i Represents the message sequence pool maintained by the i-th protocol state, and Pool i Each message in the protocol protocol enables the protocol entity program to reach protocol state S. i M i,j This represents the j-th message in the message sequence pool, where j = 1, ..., k, and k is the total number of messages in the message sequence pool.
[0025] S2.2 Select target state
[0026] From all protocol states in the state_ids array obtained in step S2.1, randomly select one protocol state as the target state S for protocol fuzzing. q , q=1,...,n,
[0027] Where n is the total number of protocol states;
[0028] S2.3 Select Message Sequence
[0029] If the target state S q The message sequence pool maintained q If the message sequence set MSeqSet is empty, then a random message sequence set MSeqSet is selected that will cause the protocol entity program to reach the target state S. q Message sequence M;
[0030] Otherwise, Pool q If it is not empty, then from Pool q The message sequence M with the highest evaluation value score is selected. The formula for calculating the evaluation value score of a message sequence is as follows:
[0031]
[0032] Here, MSeqValue refers to the evaluation value score of the message sequence, MSlen refers to the length of the message sequence; isFirst refers to whether the message sequence is being fuzz tested for the first time, with a value of 0 or 1; InterestedCnt refers to the number of interesting message sequences generated by mutating the current message sequence; chosenCnt refers to the number of times the current message sequence has been selected.
[0033] S2.4 Mutation Message Sequence
[0034] Based on the message sequence M obtained in step S2.3 and the target state S selected in step S2.2 q ;
[0035] The mutation point analysis algorithm is used to find the location of the mutation point, and then mutation is performed starting from the mutation point location. The specific content is as follows:
[0036] First, obtain the state sequence MStateSequence={S1,...,S} corresponding to M. b ,...,S w The corresponding marker array Mark={false1,...,true} and MStateSequence g ,...,false w1},
[0037] Where b=1,...,w,w is the length of MStateSequence, g=1,...,w1,w1 is the length of Mark array, true indicates that it has been mutated and tested, false indicates that it has not been mutated and tested;
[0038] Then, iterate through the entire state sequence MStateSequence to find the state S. q The same array index that is false in the Mark array is set to true, and the message sequence M is mutated using AFLNET's bit-level, byte-level, and message-level mutation strategies, starting from that position, to generate a new message sequence M'.
[0039] S2.5 Protocol Testing
[0040] Each message in M' obtained in step S2.4 is sent to the protocol entity under test in sequence for testing; if a vulnerability is triggered during the test, then M' is saved for vulnerability reproduction after the test is completed.
[0041] Preferably, step S3 includes the following steps:
[0042] AFLNET is used to collect feedback information, which includes code coverage information and status feedback information of the protocol entity under test.
[0043] If new code overriding or a new state newState is generated, then M' is interesting, and the new state newState is saved to the state_ids array and the process proceeds to step S4;
[0044] Otherwise, if no new code overwrite or new state is generated, discard M' and proceed to step 2.2.
[0045] Preferably, step S4 includes the following steps:
[0046] S4.1 Message Sequence Attribution
[0047] Extract the state sequence corresponding to the interesting M' in step S3
[0048] state_sequence={S1,...,S e ,...,S d},
[0049] Among them, S e This represents the e-th protocol state, where e = 1, ..., d, and d is the number of states in the state sequence state_sequence.
[0050] Calculate the preference degree for each state in the state sequence state_sequence;
[0051] Add M' to the message sequence pool maintained by the state with the highest preference.
[0052] The preference degree is used to measure the benefit that ambiguity can bring to a single message sequence under different states; the preference degree is calculated by multiplying the position of each state in the state sequence state_sequence and the value score of that state.
[0053] The state S at the position of the state sequence state_sequence t PreferenceValue(S)t The calculation formula for ) is as follows:
[0054] PreferenceValue(S t ) =
[0055] Among them, StateScore(S t ) is state S t The value score is calculated using the following formula:
[0056] StateScore(S t ) =
[0057] Where selected_times represents the number of times the state is selected; fuzzs represents the number of message sequences generated in the state; and paths represents the number of new state transitions generated in the state.
[0058] If multiple states appear in the state sequence state_sequence, the preference scores generated by these repeated states are summed to obtain the overall preference score for that state.
[0059] After the above operation of reassigning message sequence M', proceed to step 2.2 to perform the next round of protocol fuzz testing.
[0060] The present invention also provides a network protocol vulnerability detection system based on message sequence attribution optimization, including a test preparation module, a protocol fuzz testing module, an information feedback and analysis module, and a message sequence attribution module;
[0061] The test preparation module is used to compile and instrument the protocol entity under test using the mutation instrumentation tool afl-clang-fast++, capture and parse data packets using the tools tcpdump and Wireshark, and finally generate an initial message sequence set.
[0062] Protocol fuzzing module: This module mainly includes some general fuzzing steps for testing protocol entities; it selects a message sequence from the message sequence pool maintained by the target state, finds the mutation point of the message sequence and mutates it to generate a new message sequence, and then sends it to the protocol entity program for testing; if a vulnerability is triggered during the test, it is saved for vulnerability reproduction after the test is completed.
[0063] Information Feedback and Analysis Module: This module collects code coverage information and state feedback information of protocol entities during the protocol fuzzing process, and then analyzes whether it generates new code coverage information, new states, or new state transitions as the basis for judging whether the current test message sequence is interesting. Message sequences that are considered interesting will proceed to the next message sequence attribution stage for re-attribution.
[0064] Message sequence attribution module: This module is used to reassign interesting message sequences. It extracts the state sequence corresponding to the interesting message sequence, calculates the preference of the message sequence for each state in the state sequence according to the preference calculation formula, and finally adds the message sequence to the message sequence pool maintained by the state with the highest preference.
[0065] The present invention also provides a network protocol vulnerability detection system based on message sequence attribution optimization, including a test preparation module, a protocol fuzz testing module, an information feedback and analysis module, and a message sequence attribution module;
[0066] The test preparation module is used to obtain the entity program of the protocol under test, and to use the compiler instrumentation tool afl-clang-fast++ to compile and instrument the entity program of the protocol under test to generate the target code of the protocol under test.
[0067] The communication using the protocol under test includes:
[0068] Start the target code of the protocol under test and its corresponding communication terminal, and initiate communication;
[0069] The collection of communication traffic includes: using the packet sniffing tool tcpdump to listen to all traffic on the port corresponding to the protocol entity, and collecting and storing this traffic;
[0070] The generation of the initial message sequence set includes: using the packet analysis tool Wireshark to parse the collected and saved traffic and extract all request message sequences as the initial message sequence set MSeqSet, where MSeqSet={M1, ..., M...} u ,...,M d}
[0071] Where M u This refers to the u-th message sequence in MSeqSet, where u = 1, ..., d, and d is the total number of message sequences. The message sequence refers to a linked list of messages, i.e., M... u =m u,1 ->...->m u,y ->...->m u,a m u,yLet y represent the y-th message in the u-th message sequence, where y = 1, ..., a, and a is M. u Total number of messages;
[0072] The protocol fuzz testing module is used to perform the following steps:
[0073] S2.1 Initialization Parameters
[0074] Construct a global variable array `state_ids`, perform protocol tests on each message sequence in the initial message sequence set `MSeqSet` obtained in step S1, collect the protocol states reached by the protocol entity program, and store them in the global variable array `state_ids`, where `state_ids={S1,...,S...}`. i ,...,S n},
[0075] Among them, S i Let i represent the i-th protocol state, i=1,...,n, where n is the total number of protocol states;
[0076] For each state S i Initialize and create a message sequence pool (Pool) i ={M i,1 ,...,M i,j ,...,M i,k}, where Pool i Represents the message sequence pool maintained by the i-th protocol state, and Pool i Each message in the protocol protocol enables the protocol entity program to reach protocol state S. i M i,j This represents the j-th message in the message sequence pool, where j = 1, ..., k, and k is the total number of messages in the message sequence pool.
[0077] S2.2 Select target state
[0078] From all protocol states in the state_ids array obtained in step S2.1, randomly select one protocol state as the target state S for protocol fuzzing. q , q=1,...,n,
[0079] Where n is the total number of protocol states;
[0080] S2.3 Select Message Sequence
[0081] If the target state S q The message sequence pool maintained q If the message sequence set MSeqSet is empty, then a random message sequence set MSeqSet is selected that will cause the protocol entity program to reach the target state S.q Message sequence M;
[0082] Otherwise, Pool q If it is not empty, then from Pool q The message sequence M with the highest evaluation value score is selected. The formula for calculating the evaluation value score of a message sequence is as follows:
[0083]
[0084] Here, MSeqValue refers to the evaluation value score of the message sequence, MSlen refers to the length of the message sequence; isFirst refers to whether the message sequence is being fuzz tested for the first time, with a value of 0 or 1; InterestedCnt refers to the number of interesting message sequences generated by mutating the current message sequence; chosenCnt refers to the number of times the current message sequence has been selected.
[0085] S2.4 Mutation Message Sequence
[0086] Based on the message sequence M obtained in step S2.3 and the target state S selected in step S2.2 q ;
[0087] The mutation point analysis algorithm is used to find the location of the mutation point, and then mutation is performed starting from the mutation point location. The specific content is as follows:
[0088] First, obtain the state sequence MStateSequence={S1,...,S} corresponding to M. b ,...,S w The corresponding marker array Mark={false1,...,true} and MStateSequence g ,...,false w1},
[0089] Where b=1,...,w,w is the length of MStateSequence, g=1,...,w1,w1 is the length of Mark array, true indicates that it has been mutated and tested, false indicates that it has not been mutated and tested;
[0090] Then, iterate through the entire state sequence MStateSequence to find the state S. q The same array index that is false in the Mark array is set to true, and the message sequence M is mutated using AFLNET's bit-level, byte-level, and message-level mutation strategies, starting from that position, to generate a new message sequence M'.
[0091] S2.5 Protocol Testing
[0092] Each message in M' obtained in step S2.4 is sent to the protocol entity under test in sequence for testing; if a vulnerability is triggered during the test, then M' is saved for vulnerability reproduction after the test is completed.
[0093] The information feedback and analysis module is used to collect feedback information using AFLNET. The feedback information includes code coverage information and status feedback information of the tested protocol entity.
[0094] If new code overriding or a new state newState is generated, then M' is interesting, and the new state newState is saved to the state_ids array and the process proceeds to step S4;
[0095] Otherwise, if no new code overwrite or new state is generated, discard M' and proceed to step 2.2;
[0096] The message sequence attribution module is used for the following steps:
[0097] S4.1 Message Sequence Attribution
[0098] Extract the state sequence corresponding to the interesting M' in step S3
[0099] state_sequence={S1,...,S e ,...,S d},
[0100] Among them, S e This represents the e-th protocol state, where e = 1, ..., d, and d is the number of states in the state sequence state_sequence.
[0101] Calculate the preference degree for each state in the state sequence state_sequence;
[0102] Add M' to the message sequence pool maintained by the state with the highest preference.
[0103] The preference degree is used to measure the benefit that ambiguity can bring to a single message sequence under different states; the preference degree is calculated by multiplying the position of each state in the state sequence state_sequence and the value score of that state.
[0104] The state S at the position of the state sequence state_sequence t PreferenceValue(S)t The calculation formula for ) is as follows:
[0105] PreferenceValue(S t ) =
[0106] Among them, StateScore(S t ) is state S t The value score is calculated using the following formula:
[0107] StateScore(S t ) =
[0108] Where selected_times represents the number of times the state is selected; fuzzs represents the number of message sequences generated in the state; and paths represents the number of new state transitions generated in the state.
[0109] If multiple states appear in the state sequence state_sequence, the preference scores generated by these repeated states are summed to obtain the overall preference score for that state.
[0110] After the above operation of reassigning message sequence M', proceed to step 2.2 to perform the next round of protocol fuzz testing.
[0111] The beneficial effects of this invention are:
[0112] 1. This invention employs a network protocol vulnerability detection method and system based on message sequence assignment optimization. It defines a preference concept to measure the fuzzy benefit a message sequence can bring to each state. A message sequence assignment algorithm is proposed and combined with the preference concept to reassign interesting message sequences, ensuring that each message sequence is added to the optimal message sequence pool and maximizing the fuzzing benefit. An evaluation function is constructed using feedback information from multiple dimensions to more accurately describe the true potential of each message sequence. Furthermore, a mutation point analyzer is proposed to help the fuzzer filter out already mutated positions and instead mutate other, more interesting positions. This method effectively solves the problems existing in current network protocol fuzzing tools when assigning message sequences.
[0113] 2. Using the method of the present invention, within the same testing time, it is possible to explore more and deeper layers of code in network protocol entity programs and explore deeper layers of protocol states, and discover more security vulnerabilities, that is, improve the testing capability of the fuzzer. Attached Figure Description
[0114] Figure 1 This is a design framework diagram of the present invention;
[0115] Figure 2 This is an overall flowchart of the present invention;
[0116] Figure 3 for Figure 2 Flowchart of the protocol fuzz testing phase;
[0117] Figure 4 This is a schematic diagram of the system of the present invention. Detailed Implementation
[0118] The technical solution of the present invention will now be described in full with reference to the accompanying drawings and implementation process.
[0119] like Figure 1 The diagram shown illustrates the system framework of this invention, encompassing the specific implementation of the actual architecture of the entire network protocol fuzzy method. For example... Figure 2 As shown, the network protocol vulnerability detection method and system based on message sequence attribution optimization is mainly divided into four stages: test preparation stage, protocol fuzzing stage, information feedback and analysis stage, and message sequence attribution stage.
[0120] 1. Test Preparation Phase
[0121] This phase involves preprocessing operations before protocol testing, including compiling and instrumenting the protocol entity program under test and preparing an initial set of message sequences. The specific details are as follows:
[0122] 1.1 Compiler instrumentation
[0123] The protocol entity program under test is compiled and instrumented using the mutation instrumentation tool afl-clang-fast++ to generate the target code of the protocol under test, which facilitates the collection of code coverage information and state information during the runtime of the protocol entity.
[0124] 1.2 Constructing the initial message sequence set
[0125] First, start the target code of the protocol under test and its corresponding communication terminal, and start communication.
[0126] Then, use the packet sniffing tool tcpdump to monitor all traffic on the port corresponding to the protocol entity.
[0127] And these traffic flows are collected and stored.
[0128] Finally, the captured traffic was parsed using the packet analysis tool Wireshark, and all request message sequences were extracted as the initial message sequence set MSeqSet, where MSeqSet = {M1, ..., M...} u ,...,Md}, M u This refers to the u-th message sequence in MSeqSet, where u = 1, ..., d, and d is the total number of message sequences. A message sequence is a linked list of messages, i.e., M... u =m u,1 ->...->m u,y ->...->m u,a m u,y Let y represent the y-th message in the u-th message sequence, where y = 1, ..., a, and a is M. u Total number of messages.
[0129] 2. Protocol Fuzz Testing Phase
[0130] like Figure 3 The flowchart shown illustrates the fuzzing phase of the protocol. First, several parameters need to be initialized: a state array and a message sequence pool maintained by each state. Next, a target state to be tested is randomly selected from the state array. Then, the message sequence with the highest value score is selected from the message sequence pool or message sequence set MSeqSet maintained by the selected target state, and mutated to generate a new message sequence. Finally, the newly generated message sequence is sent to the protocol entity program for testing. Specifically, this includes the following:
[0131] 2.1 Initialization Parameters
[0132] Perform a protocol fuzz test on each message sequence in the initial message sequence set MSeqSet from step 1.2, collect the generated protocol states and store them in the global variable state_ids array, state_ids={S1,...,S i ,...,S n}, S i Let S represent the i-th protocol state, where i = 1, ..., n, and n is the total number of protocol states. Simultaneously, for each state S... i Initialize and create a message sequence pool (Pool) i ={M i,1 ,...,M i,j ,...,M i,k}, Pool i Represents the message sequence pool maintained by the i-th protocol state, and Pool i Each message in the protocol entity program is able to reach state S. i M i,j This represents the j-th message in the message sequence pool, where j = 1, ..., k, and k is the total number of messages in the message sequence pool.
[0133] 2.2 Selecting the target state
[0134] like Figure 1 The target state selector shown randomly selects one state as the target state S for the protocol fuzz test from all states in the state_ids state array in step 2.1. q q=1,...,n, where n is the total number of protocol states.
[0135] 2.3 Selecting a Message Sequence
[0136] like Figure 1 The message sequence selector shown is based on the target state S selected in step 2.2. q .
[0137] If the target state S q The message sequence pool maintained q If the message sequence set MSeqSet is empty, then a random message sequence set MSeqSet is selected that will cause the protocol entity program to reach the target state S. q Message sequence M;
[0138] Otherwise Pool q If it is not empty, then from Pool q The message sequence M with the highest evaluation value score is selected based on probability priority. The formula for calculating the evaluation value score of a message sequence is as follows:
[0139]
[0140] Here, MSeqValue refers to the evaluation value score of the message sequence, MSlen refers to the length of the message sequence, isFirst refers to whether the message sequence is being fuzzed for the first time, with a value of 0 or 1; InterestedCnt refers to the number of interesting message sequences generated by mutating the current message sequence; and chosenCnt refers to the number of times the current message sequence has been selected.
[0141] 2.4 Mutation Message Sequence
[0142] like Figure 1 The message sequence mutant and mutation point analyzer shown are based on the message sequence M from step 2.3 and the target state S selected in step 2.2. q The mutation point analysis algorithm is used to locate the mutation points, and then mutation is performed starting from these locations. The specific details are as follows:
[0143] First, obtain the state sequence MStateSequence={S1,...,S} corresponding to M. b ,...,S w}, b=1,...,w, w is the length of MStateSequence, and the corresponding marker array Mark={false1,...,true} for MStateSequence. g ,...,false w1}, g=1,...,w1, w1 is the length of the Mark array, true indicates that it has been mutated and tested, false indicates that it has not been mutated and tested.
[0144] Then, iterate through the entire state sequence MStateSequence to find the state S. q The same array index that is false in the Mark array is set to true, and the message sequence M is mutated using AFLNET's bit-level, byte-level, and message-level mutation strategies, starting from that position, to generate a new message sequence M'.
[0145] The pseudocode for the mutation point analysis algorithm mentioned above is as follows:
[0146]
[0147] 2.5 Protocol Testing
[0148] Each message in M' generated in step 2.4 is sent sequentially to the protocol entity under test for testing. If a vulnerability is triggered during the test, M' is saved for vulnerability reproduction after the test is completed.
[0149] 3. Information Feedback and Analysis Stage
[0150] This phase is used to collect code coverage and status feedback information generated during the runtime of the protocol entity under test, and to determine whether the current test message sequence M' is an interesting message sequence. Specifically, it includes the following:
[0151] 3.1 Collect feedback information
[0152] The methods used by AFLNET are used to collect feedback information, including code coverage information and status feedback information of the protocol entity under test.
[0153] If new code overwriting or a new state newState is generated, it indicates that M' is interesting. At the same time, the new state newState is saved to the state_ids array, and the process proceeds to step 4 to enter the message sequence attribution stage.
[0154] Otherwise, if neither new code overwriting nor new state is generated, M' is discarded, and the process proceeds to step 2.2 for the next round of protocol fuzz testing.
[0155] 4. Message sequence attribution phase
[0156] like Figure 1 The message sequence attribution analyzer shown in this stage reassigns the message sequences M' deemed interesting in step 3.1 to the optimal message sequence pool, thereby improving the efficiency of fuzz testing. Specifically, it includes the following:
[0157] First, extract the state sequence corresponding to M': state_sequence={S1,...,S e ,...,S d}, S e This represents the e-th protocol state, where e = 1, ..., d, and d is the number of states in state_sequence.
[0158] Next, the preference score is calculated for each state in the state_sequence. If the same state appears in the state_sequence, the preference scores of that state are accumulated.
[0159] Finally, M' is added to the message sequence pool maintained by the state with the highest preference.
[0160] Specifically, preference is a newly defined concept in this invention, intended to measure the benefits that can be derived from ambiguity in different states of a single message sequence. The preference is calculated by multiplying the position of each state in the state sequence by the value score of that state.
[0161] Specifically, state S t The value score is calculated as follows:
[0162] StateScore(S t ) =
[0163] Among them, StateScore(S t ) represents state S t The value score; selected_times indicates the number of times the state was selected; fuzzs indicates the number of message sequences generated in the state; paths indicates the number of new state transitions generated in the state.
[0164] Specifically, the state S at the position in the state sequence state_sequence t PreferenceValue(S) t The calculation formula for ) is as follows:
[0165] PreferenceValue(S t ) =
[0166] Among them, PreferenceValue(S t ) represents state S t The preference degree, where position is state S. t The position within the state sequence state_sequence, StateScore(S t ) is state S t The value score. If multiple states appear repeatedly in the state sequence, the preference scores generated by these repeated states are summed to obtain the overall preference score for that state.
[0167] After the above operation of reassigning message sequence M', proceed to step 2.2 to perform the next round of network protocol fuzz testing.
[0168] The specific pseudocode for the message sequence attribution algorithm described above is as follows:
[0169]
[0170] To verify the effectiveness of the method of this invention, a QFuzzer prototype was implemented based on AFLNET, and experimental verification was conducted on protocol entity programs such as dnsmasq (DNS protocol), tinydtls (DTLS protocol), and Live555 (RTSP protocol). The experimental test lasted for 24 hours. The control group used three mainstream blurrs: AFLNET, StateAFL, and AFLNWE, and each group of experiments was repeated three times, with the final results averaged. In the experiment, this paper selected two indicators to measure the effectiveness of the method: the number of vulnerabilities discovered and the number of paths covered. The first indicator represents the number of vulnerabilities discovered by the protocol blurr within a specified time, representing the blurr's vulnerability discovery capability. The second indicator represents the number of paths in the target program that the test input generated by the blurr can cover within a specified time, reflecting the blurr's ability to explore code. The final experimental results are shown in Tables 1 and 2. The results show that the method of this invention is superior to the other blurrs in terms of both the number of vulnerabilities and the code coverage capability.
[0171] Table 1 Comparison of Experimental Results Regarding the Number of Vulnerabilities Discovered
[0172]
[0173] Table 2 Comparison of Experimental Results for Path Coverage Quantity
[0174]
[0175] The above description is only a preferred embodiment of the present invention. It should be noted that for those skilled in the art, several improvements and modifications can be made without departing from the principle of the present invention, and these improvements and modifications should also be considered within the scope of protection of the present invention.
Claims
1. A network protocol vulnerability detection method based on message sequence attribution optimization, characterized in that, Includes the following steps: S1 obtains the target code of the protocol under test, uses the protocol under test to communicate, collects communication traffic, and generates an initial message sequence set. S2 performs fuzz testing on the protocol under test based on the initial message sequence set; Step S2 includes the following steps: S2.1 Initialization Parameters Construct a global variable array `state_ids`, perform protocol tests on each message sequence in the initial message sequence set `MSeqSet` obtained in step S1, collect the protocol states reached by the protocol entity program, and store them in the global variable array `state_ids`, where `state_ids={S1,...,S...}`. i ,...,S n }, Among them, S i Let i represent the i-th protocol state, i=1,...,n, where n is the total number of protocol states; For each state S i Initialize and create a message sequence pool (Pool) i ={M i,1 ,...,M i,j ,...,M i,k }, where Pool i Represents the message sequence pool maintained by the i-th protocol state, and Pool i Each message in the protocol protocol enables the protocol entity program to reach protocol state S. i M i,j This represents the j-th message in the message sequence pool, where j = 1, ..., k, and k is the total number of messages in the message sequence pool. S2.2 Select target state From all protocol states in the state_ids array obtained in step S2.1, randomly select one protocol state as the target state S for protocol fuzzing. q , q=1,...,n, Where n is the total number of protocol states; S2.3 Select Message Sequence If the target state S q The message sequence pool maintained q If the message sequence set MSeqSet is empty, then a random message sequence set MSeqSet is selected that will cause the protocol entity program to reach the target state S. q Message sequence M; Otherwise, Pool q If it is not empty, then from Pool q The message sequence M with the highest evaluation value score is selected. The formula for calculating the evaluation value score of a message sequence is as follows: ; Here, MSeqValue refers to the evaluation value score of the message sequence, MSlen refers to the length of the message sequence; isFirst refers to whether the message sequence is being fuzz tested for the first time, with a value of 0 or 1; InterestedCnt refers to the number of interesting message sequences generated by mutating the current message sequence; chosenCnt refers to the number of times the current message sequence has been selected. S2.4 Mutation Message Sequence Based on the message sequence M obtained in step S2.3 and the target state S selected in step S2.2 q ; The mutation point analysis algorithm is used to find the location of the mutation point, and then mutation is performed starting from the mutation point location. The specific content is as follows: First, obtain the state sequence MStateSequence={S1,...,S} corresponding to M. b ,...,S w The corresponding marker array Mark={false1,...,true} and MStateSequence g ,...,false w1 }, Where b=1,...,w,w is the length of MStateSequence, g=1,...,w1,w1 is the length of Mark array, true indicates that it has been mutated and tested, false indicates that it has not been mutated and tested; Then, iterate through the entire state sequence MStateSequence to find the state S. q The same array index that is false in the Mark array is set to true, and the message sequence M is mutated using AFLNET's bit-level, byte-level, and message-level mutation strategies, starting from that position, to generate a new message sequence M'. S2.5 Protocol Testing Each message in M' obtained in step S2.4 is sent to the protocol entity under test in sequence for testing; if a vulnerability is triggered during the test, then M' is saved for vulnerability reproduction after the test is completed. S3 uses AFLNET to collect feedback information, which includes code coverage information and status feedback information of the protocol entity under test. If new code overriding or a new state newState is generated, then M' is interesting, and the new state newState is saved to the state_ids array and the process proceeds to step S4; Otherwise, if no new code overwrite or new state is generated, discard M' and proceed to step S2.2; S4 is based on the message sequence that was determined to be interesting in step S3; Step S4 includes the following steps: S4.1 Message sequence attribution Extract the state sequence corresponding to the interesting M' in step S3 state_sequence={S1,...,S e ,...,S d }, Among them, S e This represents the e-th protocol state, where e = 1, ..., d, and d is the number of states in the state sequence state_sequence. Calculate the preference degree for each state in the state sequence state_sequence; Add M' to the message sequence pool maintained by the state with the highest preference. The preference degree is used to measure the benefit that ambiguity can bring to a single message sequence under different states; the preference degree is calculated by multiplying the position of each state in the state sequence state_sequence and the value score of that state. The state S at the position of the state sequence state_sequence t PreferenceValue(S) t The calculation formula for ) is as follows: PreferenceValue(S t ) = ; Among them, StateScore(S t ) is state S t The value score is calculated using the following formula: StateScore(S t ) = ; Where selected_times represents the number of times the state is selected; fuzzs represents the number of message sequences generated in the state; and paths represents the number of new state transitions generated in the state. If multiple states appear in the state sequence state_sequence, the preference scores generated by these repeated states are summed to obtain the overall preference score for that state. After the above operation of reassigning message sequence M', proceed to step S2.2 to perform the next round of protocol fuzz testing.
2. The network protocol vulnerability detection method based on message sequence attribution optimization according to claim 1, characterized in that, In step S1, obtaining the target code of the protocol under test specifically includes the following steps: Obtain the entity program of the protocol under test, and use the compiler instrumentation tool afl-clang-fast++ to compile and instrument the entity program of the protocol under test to generate the target code of the protocol under test. The communication using the protocol under test includes: Start the target code of the protocol under test and its corresponding communication terminal, and initiate communication; The collection of communication traffic includes: using the packet sniffing tool tcpdump to listen to all traffic on the port corresponding to the protocol entity, and collecting and storing this traffic; The generation of the initial message sequence set includes: using the packet analysis tool Wireshark to parse the collected and saved traffic and extracting all request message sequences as the initial message sequence set MSeqSet, where MSeqSet={M1, ..., M...} u ,...,M d } Where M u This refers to the u-th message sequence in MSeqSet, where u = 1, ..., d, and d is the total number of message sequences. The message sequence refers to a linked list of messages, i.e., M... u =m u,1 ->...->m u,y ->...->m u,a m u,y Let y represent the y-th message in the u-th message sequence, where y = 1, ..., a, and a is M. u Total number of messages.
3. A network protocol vulnerability detection system based on message sequence attribution optimization, used to execute the network protocol vulnerability detection method as described in claim 1 or 2, characterized in that: It includes a test preparation module, a protocol fuzz testing module, an information feedback and analysis module, and a message sequence attribution module; the test preparation module is used to execute step S1, the protocol fuzz testing module is used to execute step S2, the information feedback and analysis module is used to execute step S3, and the message sequence attribution module is used to execute step S4.