Vivek Jain, Faraz Qadri & Aniket Malatpure, Microsoft
Fuzzing is a commonly deployed testing strategy to uncover security vulnerabilities. Measuring coverage and assessing fuzzing effectiveness add significant value to the fuzzing process. Metrics like interface coverage, input space coverage, code coverage (code volume, cyclomatic complexity, defect density, known vulnerability density, tool soundness) have been proposed for the above. However, there is a dearth of industry case studies that show application of such metric-driven fuzzing approaches to standard network protocols. Hence, security practitioners lack step by step guidance to define metrics for planning and executing a fuzzing project.
This paper introduces a metric-driven fuzzing strategy and shows its application to standard network protocols. The strategy is a stage-based approach, which starts by evaluating the system as a black box, to analyze attack surface and attack vectors in common usage scenarios. In the next stage, the system is explored from a white box perspective and blocks of code that consume untrusted data are identified. In the third stage, tools are developed to cover both black box and white box scenarios. Metrics relevant to each stage are created. In the final stage, these metrics become the driving factor to track progress, measure coverage and continually improve the fuzzing process.
We present a case study that applied this fuzzing strategy to three different network protocols (SMB, NFS & iSCSI). Being able to create metrics early in each stage helped our fuzzing efforts effectively meet the exit criteria. This approach also helped uncover different classes of security vulnerabilities that were not exposed by prior methods. Furthermore, the generic nature of this fuzzing strategy enables it to be used as a template for fuzzing most network protocols.