EPF: An Evolutionary, Protocol-Aware, and Coverage-Guided Network Fuzzing Framework

Abstract

Network fuzzing is a complex domain requiring fuzzers to handle highly structured input and communication schemes. In fuzzer development, such protocol-dependent semantics usually cause a focus on applicability: Resulting fuzz engines provide powerful APIs to add new protocols but rarely incorporate algorithmic fuzz improvements like the successful coverage-guidance. This paper aims to combine applicability and well-established algorithms for increased network fuzzing effectiveness. We introduce EPF, a coverage-guided and protocol-aware network fuzzing framework. EPF uses population-based simulated annealing to heuristically schedule packet types during fuzzing. In conjunction with a genetic algorithm that uses coverage metrics as fitness function, the framework steers input generation towards coverage maximization. Users can add protocols by defining packet models and state graphs through a Scapy-powered API. We collect first data in a case study on fuzzing the IEC 60870-5-104 SCADA protocol and compare EPF with AFLNet. Based on a total of 600 CPU days of fuzzing, we measure effectiveness using bug and coverage metrics. We report promising results that a) indicate similar performance to AFLNet without any optimizations and b) point out the potential and shortcomings of our approach.