Abstract:Almost all of the systems which need communication are inseparable from protocol design. If the protocol stack is vulnerable, attackers can achieve denial of service attack, data theft and even remote code execution via Zero-Click. Protocol messages often have certain elements such as structure, semantics, and timing, making it challenging for general fuzzers to effectively perform fuzzing on the server. In recent years, there have been many researches on grey box protocol fuzzing, among which AFLNET is a representative one. However, the coverage of these researches on the server state machine depends on the coverage of the initial seed corpus. In this paper, we firstly analyze the defects of AFLNET in handling binary format protocols, and propose BBFuzz, a protocol fuzzer for test case generation based on manual data models. BBFuzz can quickly provide many interesting seed files for the seed queue, even with only one initial input, and these seed files can cover a more comprehensive server state. Meanwhile, BBFuzz can well support fuzzing of two different types of protocols, namely human readable ASCII format and binary format protocols. The paper implemented BBFuzz''s support for RTMP protocol, and evaluated BBFuzz on the RTMP module of two well-known streaming media software. Our evaluation results show that BBFuzz outperforms AFLNET on both map density and paths. For RTMP module, we dug two real vulnerabilities on ZLMediaKit and media-server respectively, and these two vulnerabilities have been assigned CVE number which is classified as HIGH.
