
2025-07-08
Annabelle Theobald

Fuzzing Reloaded: Targeted Manipulation for Enhanced Security on the Web

Programs like web browsers and web servers constantly exchange data over the internet. This makes them particularly attractive targets for attackers, which is why we must examine these programs especially thoroughly for vulnerabilities. However, this is where many conventional testing methods reach their limits: As soon as messages are encrypted or communication becomes too complex, they fail. This is precisely where “Fuzztruction-Net” comes in. Developed by the CISPA researcher Nils Bars and his team, this new approach takes a clever route: Instead of directly altering the messages, one of the communication partners is subtly thrown off balance. This makes it possible to uncover new bugs even in widely used and thoroughly tested software. Bars presented his paper “No Peer, no Cry: Network Application Fuzzing via Fault Injection” at the Conference on Computer and Communications Security 2024.

So-called fuzzers are widely used in software testing. These are automated testing tools that feed programs with random or specially crafted inputs to detect unexpected behavior, crashes, or security vulnerabilities. They are particularly useful for uncovering bugs caused by unusual or edge-case inputs—issues that are often missed during standard testing. “For programs that process inputs or read files in a clearly structured way, fuzzing already works quite well. But testing network programs with fuzzers is much more complicated,” says Bars.

Network Fuzzing with Fault Injection: A New Testing Approach

Why is this the case? “Traditional fuzzers try to replace one of the communication partners in the network, but they do so rather clumsily: They have no real understanding of how to proceed. They don’t know when to send which messages, which keys or session data are required, and they can’t remember previous messages. The other side—whether client or server—eventually notices this and terminates the communication before any message can trigger a bug or expose a security vulnerability,” explains the researcher.

His approach, therefore, is not to replace one of the communication partners like conventional fuzzers do, but instead to subtly manipulate it so that it produces valid, properly encrypted, yet unexpected messages. This technique is known as fault injection. It involves deliberately introducing small errors into the program flow of the communication partner. “The best part is that we can use this method to test both servers and clients. Fuzztruction-Net is the first network fuzzer capable of doing that. Until now, such fuzzers have essentially existed only for servers,” says Bars.
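To make the contrast concrete, here is a constructed toy protocol, added to this article and not code from the paper or the Fuzztruction-Net project: a cooperating peer frames a payload and MAC-protects it, and the program under test trusts the length field. The names `peer_build`, `target_parse`, `run_target`, `fuzz`, the shared `KEY` and the simulated length bug are all assumptions of this illustration. Bit-flipping the finished message never gets past the integrity check, whereas perturbing the peer's internal length variable before the MAC is computed yields valid, authenticated messages that reach the buggy parser.

```python
import hashlib
import hmac
import random
import struct

KEY = b"constructed-shared-key"   # assumption: both peers share this MAC key

def peer_build(payload: bytes, fault=None) -> bytes:
    """Cooperating peer: builds [len:2][payload] and appends an HMAC over the frame."""
    length = len(payload)
    if fault is not None:              # stand-in for fault injection into the peer's
        length = fault(length)         # program flow, applied *before* the MAC exists
    frame = struct.pack(">H", length) + payload
    return frame + hmac.new(KEY, frame, hashlib.sha256).digest()

def target_parse(msg: bytes) -> str:
    """Program under test; simulated bug: it trusts the length field."""
    frame, tag = msg[:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(KEY, frame, hashlib.sha256).digest()):
        return "rejected"              # integrity check: wire-level mutations die here
    (length,) = struct.unpack(">H", frame[:2])
    body = frame[2:2 + length]
    last = body[length - 1] if length else None   # out-of-bounds read if length lies
    return "ok"

def run_target(msg: bytes) -> str:
    try:
        return target_parse(msg)
    except IndexError:                 # the crash a sanitizer would report
        return "bug"

def fuzz(trials: int, mode: str, seed: int = 1) -> dict:
    """mode 'wire': flip one bit of the finished message (conventional fuzzing).
    mode 'fault': perturb the peer's internal length variable instead."""
    rng = random.Random(seed)
    counts = {"rejected": 0, "ok": 0, "bug": 0}
    for _ in range(trials):
        if mode == "wire":
            msg = bytearray(peer_build(b"hello"))
            msg[rng.randrange(len(msg))] ^= 1 << rng.randrange(8)
            msg = bytes(msg)
        else:
            msg = peer_build(b"hello", fault=lambda n: n + rng.randrange(-n, 60))
        counts[run_target(msg)] += 1
    return counts
```

Running `fuzz(200, "wire")` reports every message as rejected, while `fuzz(200, "fault")` reports no rejections and a large share of runs reaching the simulated out-of-bounds read.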

Deeper Testing and New Security Vulnerabilities

In tests, the Fuzztruction-Net prototype delivered impressive results: Compared to previous methods, the new approach achieved, on average, 16 percent greater code coverage—an important metric for test depth—and uncovered three times as many bugs as the best existing network fuzzer. Fuzztruction-Net even found vulnerabilities in well-tested programs such as Nginx, the OpenSSH client, and cURL. “We focused on a specific class of bugs known as memory corruption. These are programming errors where a program modifies data in a memory region it should not have access to. This can lead to crashes, data loss, and critical security vulnerabilities,” explains Bars.

In total, the research team discovered 23 previously unknown security flaws in widely used network infrastructure—many of which can be exploited remotely—underscoring the relevance and potential of this new approach.

Helpful Insights for Developers: Fuzztruction-Net Makes Security Flaws Reproducible

Unfortunately, fuzzers still cannot fix the bugs themselves. Developer effort is still required to track down and resolve the issues. “The key point, however, is that the bugs are reproducible. This gives developers a clear indication of where the problem arises, making it possible to fix,” explains Bars. Nginx has already expressed interest in using Fuzztruction-Net. “Our prototype works well, but there’s certainly room for optimization before it can be used in long-term deployment,” says the researcher. The prototype is already available as open source to anyone interested.