Abstract
Nowadays, a large number of unknown (private or semi-private) network protocols are widely used in newly emerging networks such as industrial control, military communications and financial information systems. Making sure that a protocol passes a set of strict tests of both its design and its implementation before deployment is crucial for the usability and security of network systems. To the best of our knowledge, the majority of existing protocol test toolkits and systems can only be applied to known protocols, i.e. the testers know how the examined protocol works. As a direct consequence, the prevalence of unknown protocols poses a great challenge to current protocol test systems. Therefore, before existing test methods for known protocols can be transplanted to unknown ones, several research problems must be addressed, three of which cannot be ignored. First, current test systems cannot infer the structure and semantic characteristics of an unknown protocol from network sniffing or manual inspection, which makes it difficult to obtain the knowledge required for later tests. Second, the prevailing test data generation methods have proved to have a low hit rate and to be inefficient: the existing single-field random filling method lacks vulnerability mining capability, and because the characteristics of the protocol are unknown, the data required for testing cannot be constructed accurately. Last but not least, the network devices running unknown protocols are usually strictly closed, so the monitor proxy programs on which current test systems for known protocols depend cannot be installed on the devices under test. To address these issues, we propose a novel automated fuzzing test framework for unknown protocols. Its workflow is as follows: (1) precise identification of protocol features based on protocol reverse analysis; (2) dynamic generation of multi-dimensionally mutated test data; (3) automatic monitoring of the running state of the devices under test, to ensure the accuracy of the test outcome and to secure the systems. Our main contributions can be summarized as follows. First, we design an automated fuzzing test framework for unknown network protocols. Second, we propose an automated reverse analysis method for unknown protocols based on a novel protocol feature database. Third, we propose an innovative method for mutating test data in a multi-dimensional way. Last but not least, we present a set of active-detection methods for test execution and the subsequent inspection and analysis. In addition, we develop UPAFuzz, an automated fuzzing test tool; the experimental results show that UPAFuzz can analyze the characteristics of unknown protocols from their network traces and generate massive amounts of test data with a high hit rate and low time cost. Moreover, compared to Boofuzz, a popular open-source fuzzing test tool, UPAFuzz's memory usage is 50% of that of Boofuzz, and its time consumption for generating tens of millions of test cases is only 10% of Boofuzz's, which greatly improves test efficiency while retaining a degree of versatility.
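As an added example (not UPAFuzz's code and not taken from the paper), the following Python sketch shows the first two steps of the workflow described above in minimal form: inferring the field layout of an unknown binary protocol from captured traces (constant, enumerated, variable and length fields, plus a trailing payload), and then generating test cases by multi-dimensional mutation, set against the single-field random filling baseline the abstract criticizes. The protocol layout (2-byte magic, 1-byte type, 1-byte payload length, payload), the traces, the classification threshold and the mutation operators are all assumptions made for this example; it goes beyond the abstract only in spelling out one concrete field-classification rule. Python is used because Boofuzz, the tool the abstract compares against, is itself a Python fuzzer.

```python
"""Added example (not UPAFuzz's own code): infer a field layout of an
unknown binary protocol from captured messages, then generate test cases by
multi-dimensional mutation and compare them with the single-field random
filling baseline. The protocol, traces and operators are assumptions."""
import random

# Constructed traces of a hypothetical protocol (not real captures):
# 2-byte magic, 1-byte type, 1-byte payload length, payload.
TRACES = [
    bytes.fromhex("aa55" "01" "03" "112233"),
    bytes.fromhex("aa55" "01" "02" "4455"),
    bytes.fromhex("aa55" "02" "04" "66778899"),
    bytes.fromhex("aa55" "02" "01" "ab"),
    bytes.fromhex("aa55" "03" "05" "0102030405"),
    bytes.fromhex("aa55" "01" "00"),
]
BOUNDARY = [0x00, 0x01, 0x7F, 0x80, 0xFF]


def classify_offsets(traces, max_enum=4):
    """Classify each byte offset of the common (minimum-length) prefix as
    'const' (one value), 'enum' (few distinct values) or 'var'."""
    prefix = min(len(t) for t in traces)
    kinds = []
    for off in range(prefix):
        distinct = len({t[off] for t in traces})
        kinds.append("const" if distinct == 1 else "enum" if distinct <= max_enum else "var")
    return kinds


def find_length_offsets(traces, prefix):
    """Offsets whose byte always equals the number of bytes that follow it:
    candidates for a one-byte length field."""
    return [off for off in range(prefix)
            if all(t[off] == len(t) - off - 1 for t in traces)]


def infer_fields(traces):
    """Group consecutive offsets of the same kind into fields, relabel a
    one-byte field that matches the trailing byte count as 'length', and treat
    everything after the common prefix as the variable-length payload."""
    kinds = classify_offsets(traces)
    prefix = len(kinds)
    length_offsets = find_length_offsets(traces, prefix)
    fields, start = [], 0
    for off in range(1, prefix + 1):
        if off == prefix or kinds[off] != kinds[start]:
            kind = "length" if off - start == 1 and start in length_offsets else kinds[start]
            fields.append({"offset": start, "size": off - start, "kind": kind,
                           "values": sorted({t[start:off] for t in traces})})
            start = off
    fields.append({"offset": prefix, "size": None, "kind": "payload", "values": []})
    return fields


def field_bytes(msg, field):
    """The bytes a field occupies in msg (the payload runs to the end)."""
    off, size = field["offset"], field["size"]
    return msg[off:] if size is None else msg[off:off + size]


def set_field(msg, field, value):
    """Return msg with the field's bytes replaced (the payload replaces the tail)."""
    off, size = field["offset"], field["size"]
    return msg[:off] + value if size is None else msg[:off] + value + msg[off + size:]


def mutate_field(rng, msg, field):
    """One mutation of one field, with the operator chosen by inferred kind."""
    off, size, kind = field["offset"], field["size"], field["kind"]
    if kind == "payload":
        op = rng.choice(["overflow", "empty", "bitflip"])
        if op == "overflow":  # oversized payload the length byte cannot describe
            return set_field(msg, field, b"A" * rng.choice([256, 1024, 4096]))
        if op == "empty":
            return set_field(msg, field, b"")
        tail = bytearray(msg[off:])
        if tail:
            tail[rng.randrange(len(tail))] ^= 1 << rng.randrange(8)
        return set_field(msg, field, bytes(tail))
    if kind == "length":  # lie about the payload length: zero, off-by-one, maximum
        real = len(msg) - off - 1
        v = rng.choice([0, (real + 1) & 0xFF, (real - 1) & 0xFF, 0xFF])
        return set_field(msg, field, bytes([v]))
    if kind == "enum":  # a value the traces never carried, e.g. an unknown type
        v = rng.randrange(256)
        while bytes([v]) in field["values"]:
            v = rng.randrange(256)
        return set_field(msg, field, bytes([v]))
    # const (magic) and var fields: boundary values
    return set_field(msg, field, bytes(rng.choice(BOUNDARY) for _ in range(size)))


def single_field_cases(seed_msg, fields, n, seed=0):
    """Baseline: random bytes written into exactly one field per case."""
    rng, cases = random.Random(seed), []
    for _ in range(n):
        f = rng.choice(fields)
        size = f["size"] if f["size"] is not None else len(seed_msg) - f["offset"]
        cases.append(set_field(seed_msg, f, bytes(rng.randrange(256) for _ in range(size))))
    return cases


def multi_dim_cases(seed_msg, fields, n, dims=2, seed=0):
    """Multi-dimensional mutation: `dims` distinct fields per case, each with a
    kind-aware operator, so that a length lie, an oversized payload and an
    unknown type can be combined in one message."""
    rng, cases = random.Random(seed), []
    for _ in range(n):
        m = seed_msg
        for f in rng.sample(fields, dims):
            m = mutate_field(rng, m, f)
        cases.append(m)
    return cases


def differing_fields(a, b, fields):
    """Number of inferred fields whose bytes differ between two messages."""
    return sum(1 for f in fields if field_bytes(a, f) != field_bytes(b, f))


if __name__ == "__main__":
    layout = infer_fields(TRACES)
    for f in layout:
        print(f"offset {f['offset']} size {f['size']} kind {f['kind']}")
    for case in multi_dim_cases(TRACES[0], layout, 5, seed=7):
        print(case[:16].hex(), "..." if len(case) > 16 else "")
```

Running the block prints the inferred layout and a few mutated messages. `differing_fields` counts how many inferred fields a case changes relative to the seed message, which is the property that separates the two generators: every multi-dimensional case changes exactly `dims` fields with kind-aware operators, while the baseline changes at most one field with random bytes and never produces a length/payload inconsistency on purpose.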