Network-facing applications are commonly exposed to all kinds of attacks, especially when connected to the internet. As a result, web servers like Nginx or client applications such as curl make every effort to secure and harden their code to rule out memory safety violations. One would expect this to include regular fuzz testing, as fuzzing has proven to be one of the most successful approaches to uncovering bugs in software. Yet, surprisingly little research has focused on fuzzing network applications. When studying the underlying reasons, we find that the interactive nature of communication, its statefulness, and the protection of exchanged messages render typical fuzzers ineffective. Attempts to replay recorded messages or modify them on the fly only work for specific targets and often lead to early termination of communication. In this paper, we discuss these challenges in detail, highlighting how the focus of existing work on protocol state space promises little relief. We propose a fundamentally different approach that relies on fault injection rather than modifying messages. Effectively, we force one of the communication peers into a weird state where its output no longer matches the expectations of the target peer, potentially uncovering bugs. Importantly, this weird peer can still properly encrypt/sign the protocol message, overcoming a fundamental challenge of current fuzzers. In effect, we leave the communication system intact but introduce small corruptions. Since we can turn either the server or the client into the weird peer, our approach is the first that can effectively test client-side network applications. Evaluating 16 targets, we show that Fuzztruction-Net outperforms other fuzzers in terms of coverage and bugs found. Overall, Fuzztruction-Net uncovered 23 new bugs in well-tested software, such as the web servers Nginx and Apache HTTPd and the OpenSSH client.
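The abstract's central argument, that mutating recorded messages fails against authenticated protocols while fault injection in a sending peer does not, can be made concrete with a small simulation. The following is an added, constructed illustration and not code from the paper or from Fuzztruction-Net: it models a protocol whose messages carry an HMAC (standing in for the encryption/signing the abstract mentions), a conventional wire-level byte mutator, and a "weird peer" whose internal fields are corrupted before it computes the tag. The peer under test contains a constructed latent bug (a negative length reaching its handler) purely so the two strategies can be compared; the field names, the shared key and the campaign sizes are all assumptions of this example.

```python
"""Constructed illustration: wire mutation vs. fault injection in the peer.

Not Fuzztruction-Net code. All protocol details, field names and the
planted bug are hypothetical and exist only to contrast the two strategies.
"""
import hashlib
import hmac
import json
import random

# Constructed shared secret; both peers derive their tags from it.
KEY = b"constructed-shared-secret"
TAG_LEN = 32  # SHA-256 HMAC


def build_message(fields: dict) -> bytes:
    """Serialise a message and append its authentication tag."""
    body = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(KEY, body, hashlib.sha256).digest()
    return body + tag


def parse_message(wire: bytes):
    """Verify the tag and return the decoded fields, or None on failure."""
    body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # integrity failure: a real peer tears the session down
    return json.loads(body)


def wire_mutator(wire: bytes, rng: random.Random) -> bytes:
    """What a message-mutating fuzzer does: flip one bit of the recorded bytes."""
    data = bytearray(wire)
    i = rng.randrange(len(data))
    data[i] ^= 1 << rng.randrange(8)
    return bytes(data)


def weird_peer(fields: dict, rng: random.Random) -> bytes:
    """Fault injection: corrupt the sender's state *before* it signs.

    The resulting message is semantically wrong but still authenticates,
    which is the property the abstract relies on.
    """
    corrupted = dict(fields)
    name = rng.choice(list(corrupted))
    value = corrupted[name]
    if isinstance(value, int):
        corrupted[name] = rng.choice([0, -1, 2 ** 31, value ^ 0xFF])
    else:
        corrupted[name] = rng.choice(["", "A" * 256, "\x00"])
    return build_message(corrupted)


def target_peer(wire: bytes) -> str:
    """The peer under test. Returns 'rejected', 'ok' or 'bug'."""
    msg = parse_message(wire)
    if msg is None:
        return "rejected"  # never reaches the application logic
    # Constructed latent defect: the handler trusts the length field.
    if msg["length"] < 0:
        return "bug"
    return "ok"


def campaign(strategy: str, n: int = 200, seed: int = 1) -> dict:
    """Run n iterations of one strategy and count the target's outcomes."""
    rng = random.Random(seed)
    counts = {"rejected": 0, "ok": 0, "bug": 0}
    fields = {"type": "DATA", "length": 16, "seq": 7}  # constructed baseline
    for _ in range(n):
        if strategy == "wire":
            wire = wire_mutator(build_message(fields), rng)
        else:
            wire = weird_peer(fields, rng)
        counts[target_peer(wire)] += 1
    return counts


if __name__ == "__main__":
    for strategy in ("wire", "weird_peer"):
        print(strategy, campaign(strategy))
```

Every byte flip made by the wire mutator invalidates the tag, so the target rejects all of its inputs and the planted defect is never reached; the weird peer's messages all pass verification, so a fraction of them drive the handler into the bug. This is the "early termination" the abstract attributes to replay and on-the-fly modification, and the reason the approach described there keeps the signing step intact and injects faults upstream of it.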