Stateful Greybox Fuzzing

Fuzz testing Implementation
DOI: 10.48550/arxiv.2204.02545 Publication Date: 2022-01-01
ABSTRACT
Many protocol implementations are reactive systems, where the protocol process is in continuous interaction with other protocol processes and the environment. If a bug can be exposed only in a certain state, a fuzzer needs to provide a specific sequence of events as inputs that would take the protocol into this state before the bug is manifested. We call these bugs "stateful" bugs. Usually, when we are testing a protocol implementation, we do not have a detailed formal specification of the protocol to rely upon. Without knowledge of the protocol, it is inherently difficult for a fuzzer to discover such stateful bugs. A key challenge then is to cover the state space without an explicit specification of the protocol. In this work, we posit that manual annotations for state identification can be avoided for stateful protocol fuzzing. Specifically, we rely on a programmatic intuition that the state variables used in protocol implementations often appear in enum type variables whose values (the state names) come from named constants. In our analysis of the Top-50 most widely used open-source protocol implementations, we found that every implementation uses state variables that are assigned named constants (with easy to comprehend names such as INIT, READY) to represent the current state. In this work, we propose to automatically identify such state variables and track the sequence of values assigned to them during fuzzing to produce a "map" of the explored state space. Our experiments confirm that our stateful fuzzer discovers stateful bugs twice as fast as the baseline greybox fuzzer that we extended. Starting from the initial state, our fuzzer exercises one order of magnitude more state/transition sequences and covers code two times faster than the baseline fuzzer. Several zero-day bugs in prominent protocol implementations were found by our fuzzer, and 8 CVEs have been assigned.
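The following is an added illustration of the feedback idea described in the abstract; it is not code from the paper or its fuzzer. It assumes a constructed toy protocol server whose `state` variable takes values from an enum of named constants (INIT, HELLO_RECEIVED, ...). Instead of compile-time instrumentation of a C program, a Python property setter stands in as the hook that logs every store to the state variable. A minimal mutation loop then keeps any message sequence that reaches a state transition not seen before, and the constructed bug is only reachable after a specific sequence of messages, which is what the abstract calls a stateful bug.

```python
"""Added example: tracking an enum-typed state variable as fuzzing feedback."""
import enum
import random


class State(enum.IntEnum):
    # Named constants standing in for the INIT/READY style constants the paper surveyed.
    INIT = 0
    HELLO_RECEIVED = 1
    AUTHENTICATED = 2
    DATA = 3
    CLOSED = 4
    ERROR = 5


class StateMap:
    """Records every assignment to the tracked state variable."""

    def __init__(self):
        self.transitions = set()   # edges (old_state, new_state) observed so far
        self.sequence = []         # order in which states were entered in one run

    def record(self, old, new):
        self.transitions.add((old, new))
        self.sequence.append(new)


class ToyServer:
    """Constructed toy protocol server; `state` is the enum-typed state variable."""

    def __init__(self, state_map):
        self._state = State.INIT
        self._map = state_map

    @property
    def state(self):
        return self._state

    @state.setter
    def state(self, new):
        # Assumed instrumentation hook: every store to the state variable is logged.
        self._map.record(self._state, new)
        self._state = new

    def handle(self, msg: bytes):
        if msg.startswith(b"BYE"):
            self.state = State.CLOSED
        elif self.state == State.INIT and msg.startswith(b"HELLO"):
            self.state = State.HELLO_RECEIVED
        elif self.state == State.HELLO_RECEIVED and msg.startswith(b"AUTH "):
            self.state = State.AUTHENTICATED if msg[5:] == b"secret" else State.ERROR
        elif self.state in (State.AUTHENTICATED, State.DATA) and msg.startswith(b"DATA"):
            payload = msg[4:].strip()
            if self.state == State.DATA and not payload:
                # Constructed stateful bug: only reachable after an earlier DATA frame.
                raise RuntimeError("empty DATA frame while already in DATA state")
            self.state = State.DATA
        # Any other message is ignored in the current state.


def run_sequence(msgs):
    """Replay one message sequence on a fresh server; return (transitions, crashed)."""
    smap = StateMap()
    server = ToyServer(smap)
    crashed = False
    for m in msgs:
        try:
            server.handle(m)
        except RuntimeError:
            crashed = True
            break
    return smap.transitions, crashed


# Constructed message dictionary the mutator draws from.
DICTIONARY = [b"HELLO", b"AUTH secret", b"AUTH wrong", b"DATA hello", b"DATA", b"BYE"]


def fuzz(iterations=3000, seed=1):
    """Greybox loop: keep inputs that reach a state transition not seen before."""
    rng = random.Random(seed)
    queue = [[b"HELLO"]]
    seen = set(run_sequence(queue[0])[0])
    crash = None
    for _ in range(iterations):
        cand = list(rng.choice(queue))
        op = rng.randrange(3)
        if op == 0:                                   # append a message
            cand.append(rng.choice(DICTIONARY))
        elif op == 1:                                 # replace a message
            cand[rng.randrange(len(cand))] = rng.choice(DICTIONARY)
        elif len(cand) > 1:                           # drop a message
            del cand[rng.randrange(len(cand))]
        trans, crashed = run_sequence(cand)
        if crashed:
            crash = cand
            break
        if not trans <= seen:                         # new edge in the state map
            seen |= trans
            queue.append(cand)
    return {"transitions": seen, "queue": queue, "crash": crash}


if __name__ == "__main__":
    result = fuzz()
    print("edges in state map:", sorted((a.name, b.name) for a, b in result["transitions"]))
    print("crashing sequence:", result["crash"])
```

The state map is used purely as feedback: a sequence is kept in the queue only when it adds an edge, so the queue grows along the explored state space rather than with raw message variety, and the planted bug, which needs a prior DATA frame, is reached by extending a saved sequence that already ends in the DATA state.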