Bitstream Fuzzing: Inspiration, Learning, Development, and Challenges

Inspiration

Our project was inspired by the need for more targeted, low-level fuzzing techniques in cybersecurity. While many fuzzers operate at the application level, we wanted to explore vulnerabilities directly at the bitstream level—targeting the raw bits of a network packet. This approach is designed to uncover hidden issues, such as buffer overflows and memory corruptions, that high-level fuzzing often misses. We also saw real-world applications in the security of IoT networks, where packet-based attacks could compromise critical systems, such as smart home security.

What We Learned

Through this project, we gained an in-depth understanding of network protocols, packet structures, and the complexities of low-level manipulation. We also improved our skills in Linux, Python, Docker, and packet manipulation with Scapy. Additionally, our work with mutation strategies led to a better understanding of how evolutionary algorithms can enhance fuzzer effectiveness.

Building the Project

• Development Stack: We developed the fuzzer in Linux, using Python, Scapy for packet manipulation, and Docker for containerization. Our test environment included a master server, a custom HTTP server, and a logging setup to monitor crashes.
• Mutation Technique: The core of our project was our innovative mutation approach. We focused on bit-level mutations, targeting the two most distinct mutated bitstreams from each generation and generating offspring from them. These offspring were then sent back into the server to test for crashes, iterating until a crash was detected.
• Architecture: The virtual network we set up included a master server, HTTP server, and shared logging volumes, enabling a controlled test environment. Though we initially explored machine learning models for packet analysis, we ultimately prioritized bitstream manipulation due to time constraints.

Challenges Faced

1. System Defenses: We encountered challenges with detecting direct buffer overflows due to the server’s defense mechanisms, including partitioned memory and canary bits. Even after disabling some defenses, the system prevented our bitstream fuzzer from executing certain crash attempts. However, we verified our code would effectively detect vulnerabilities in an unprotected environment.
2. Learning Curve: Initially, we planned to analyze packet attributes with a Gaussian Mixture Model but pivoted after realizing the time and complexity involved. Similarly, attempts to use neural networks for crash prediction proved too time-intensive, prompting us to focus instead on refining our mutation strategy.
3. Processing Time and Scalability: Bit-level fuzzing is exhaustive and computationally intensive, requiring high processing power and significant optimization to improve speed. Also, while our fuzzer worked well on our specific HTTP server, adapting it to other network protocols would require substantial reconfiguration.

Despite these challenges, our bitstream fuzzer successfully demonstrated a unique approach to vulnerability detection and laid a strong foundation for further exploration in low-level cybersecurity testing.

Built With

• c
• fuzzing
• linux
• networking
• python
• scapy