
Testing network protocol implementations using fuzzers

Grant number: 23/16002-4
Support Opportunities: Scholarships in Brazil - Scientific Initiation
Start date: January 01, 2024
End date: September 30, 2024
Field of knowledge: Physical Sciences and Mathematics - Computer Science - Computer Systems
Principal Investigator: Daniel Macêdo Batista
Grantee: Thiago Duvanel Ferreira
Host Institution: Instituto de Matemática e Estatística (IME). Universidade de São Paulo (USP). São Paulo, SP, Brazil
Company: Universidade Estadual de Campinas (UNICAMP). Faculdade de Engenharia Elétrica e de Computação (FEEC)
Associated research grant: 21/00199-8 - SMART NEtworks and ServiceS for 2030 (SMARTNESS), AP.PCPE

Abstract

Among the various ways of verifying a protocol implementation, fuzz testing stands out, given the good results achieved in recent years both in covering the code that implements a protocol and in finding bugs that can cause security flaws. For example, in 2017 the OSS-Fuzz fuzzer found a bug that allowed leakage of sensitive information in OpenSSL. More recently, on November 12, 2023, the same fuzzer found another bug in the same library. This research project aims to follow a generation-based fuzzer methodology, already evaluated by the responsible researcher's team, to extend the tests of an existing fuzzer to the MQTT (Message Queuing Telemetry Transport) protocol and to create a new fuzzer that tests an implementation of the recent SPDM (Security Protocol and Data Model) protocol, which defines the exchange of messages that allows secure communication between different types of devices, such as the hardware components of a computer. The results obtained with the two fuzzers will be compared with the results obtained in recent projects in which the advisor of this proposal participated. This will make it possible to evaluate the pros and cons of an automated (fuzzer-based) strategy and a manual strategy. The expected results are a report with the performance analysis of the fuzzers, in addition to the fuzzer code for the SPDM protocol, which will be made available as free software.
