In-Vivo Fuzz Testing for Network Services

Wen Yang Lai, Kun Che Tsai, Che Chen, Yu Sung Wu

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

Fuzz testing is typically carried out by running the target program and the fuzzing engine offline in a lab environment. The environment setup may depend on specialized test harness code to activate the target program and inject the test data. Also, due to the vast program state space, domain knowledge-dependent optimization is often needed in the environment setup to achieve reasonably efficient fuzz testing. We propose In-Vivo Fuzzing to alleviate the burdens by performing online fuzz testing on live programs. In-Vivo Fuzzing hooks I/O library calls in a live program to collect test seeds. Upon request, the In-Vivo Runtime will create a fork of the target program and carry out fuzz testing on the forked process. The runtime states from the live program provide a vantage point to start the fuzzing process, and the test seeds collected from the live workload also facilitate the generation of effective test inputs. We applied In-Vivo Fuzzing to network service programs and implemented a prototype on top of the AFL fuzzer. Experiment results indicate that In-Vivo Fuzzing can reach vulnerabilities in real-world programs much more quickly than the baseline. We also demonstrate the potential application of In-Vivo Fuzzing in detecting unknown attacks, where live attack states are captured and amplified through fuzz testing.

Original languageEnglish
Title of host publicationProceedings - 41st International Symposium on Reliable Distributed Systems, SRDS 2022
PublisherIEEE Computer Society
Pages35-45
Number of pages11
ISBN (Electronic)9781665497534
DOIs
StatePublished - 2022
Event41st International Symposium on Reliable Distributed Systems, SRDS 2022 - Vienna, Austria
Duration: 19 Sep 202222 Sep 2022

Publication series

NameProceedings of the IEEE Symposium on Reliable Distributed Systems
Volume2022-September
ISSN (Print)1060-9857

Conference

Conference41st International Symposium on Reliable Distributed Systems, SRDS 2022
Country/TerritoryAustria
CityVienna
Period19/09/2222/09/22

Keywords

  • live program
  • network services
  • Online fuzzing
  • passive fuzzing
  • production system
  • security isolation
  • zero-day vulnerability

Fingerprint

Dive into the research topics of 'In-Vivo Fuzz Testing for Network Services'. Together they form a unique fingerprint.

Cite this