Coverage-guided fuzzing of gRPC interface
Lappalainen, Niko (2021)
Master's Programme in Information Technology
Faculty of Information Technology and Communication Sciences
This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Date of acceptance
2021-03-09
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:tuni-202102051948
Abstract
Fuzz testing has emerged as a cost-effective method of finding security issues in many real-world targets. The software company M-Files Inc. wanted to incorporate fuzz testing to harden the security of their product M-Files Server. The newly implemented gRPC API was set as the target interface to be fuzzed. This thesis was requested to find a suitable fuzzing tool, and to verify that the tool could find and report issues. Another objective of this thesis was to determine a criterion for stopping fuzzing when adequate testing coverage has been achieved without having to run the fuzzer perpetually.
To select a suitable fuzzing tool, some requirements had to be defined. Requirements and selection criteria were set based on the properties of the M-Files system as well as the target interface. Next, various fuzzing tool options were gathered from different sources. These options were validated based on the set requirements to select a short list of tools that could be analysed more closely. The suitable tool was selected from these based on their ease of integration and suspected performance. The coverage-guided WinAFL was evaluated as the most suitable from the considered options.
The selected fuzzing tool was used to test M-Files Server in order to record its results. The fuzzer was able to find an actual security-critical issue, which verifies the fuzzer's ability to find and report issues. To define a stopping criterion, the fuzzer's cumulative path coverage over time was analysed. It was decided that the time interval between found distinct code paths would be used to determine when a fuzzing run should be stopped. The intervals observed in the results were studied and a maximum interval value was suggested based on when the fuzzing efficacy was observed to noticeably decrease.
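The stopping criterion described above, as an added worked example that is not code from the thesis or from WinAFL: it takes the fuzzer's cumulative distinct-path count over time, derives the intervals between successive path discoveries, and reports the earliest moment at which a chosen maximum interval is exceeded. It assumes a simplified AFL/WinAFL-style plot_data layout (a timestamp and a cumulative path count per row); the sample rows and the threshold values are constructed for illustration, and the thesis's own suggested maximum interval is not reproduced here.

```python
"""Stopping criterion from cumulative path coverage (added example).

Assumes a simplified AFL/WinAFL-style plot_data log: one row per sample
with a unix timestamp and the cumulative number of distinct paths found so
far. Column layout, sample values and thresholds are constructed here.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: paths arrive quickly at first, then the gaps between
# new paths grow, which is the pattern the stopping rule is meant to detect.
SAMPLE_PLOT_DATA = """\
# unix_time, paths_total
1000, 1
1010, 5
1020, 9
1040, 12
1100, 14
1300, 15
1500, 16
2400, 17
4200, 18
4300, 18
"""


@dataclass
class Sample:
    time: int         # unix timestamp of the log row
    paths_total: int  # cumulative distinct paths found at that time


def parse_plot_data(text: str) -> list[Sample]:
    """Parse the two assumed columns, skipping blank and comment lines."""
    rows: list[Sample] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        rows.append(Sample(time=int(fields[0]), paths_total=int(fields[1])))
    return rows


def discovery_times(rows: list[Sample]) -> list[int]:
    """Timestamps at which the cumulative path count increased."""
    times: list[int] = []
    last_paths: int | None = None
    for r in rows:
        if last_paths is None or r.paths_total > last_paths:
            times.append(r.time)
            last_paths = r.paths_total
    return times


def discovery_intervals(rows: list[Sample]) -> list[int]:
    """Seconds elapsed between consecutive new-path discoveries."""
    times = discovery_times(rows)
    return [b - a for a, b in zip(times, times[1:])]


def stop_time(rows: list[Sample], max_interval: int) -> int | None:
    """Earliest moment the rule 'stop once max_interval seconds pass with no
    new distinct path' would have fired, or None if the log never shows such
    a gap (including the trailing gap after the last discovery)."""
    times = discovery_times(rows)
    if not times:
        return None
    for a, b in zip(times, times[1:]):
        if b - a > max_interval:
            return a + max_interval
    # Trailing gap: last discovery up to the final logged row.
    if rows[-1].time - times[-1] > max_interval:
        return times[-1] + max_interval
    return None


if __name__ == "__main__":
    rows = parse_plot_data(SAMPLE_PLOT_DATA)
    print("intervals:", discovery_intervals(rows))
    for threshold in (50, 600, 2000):
        print(f"max_interval={threshold}: stop at {stop_time(rows, threshold)}")
```

The intervals list is the quantity the abstract says was studied: once the gaps grow past the chosen maximum, `stop_time` gives the point at which a run could have been terminated rather than left running perpetually. In practice the raw fuzzer log would be read from disk and the threshold would be picked from the point where efficacy is observed to drop, as the thesis does.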