kth.se Publications KTH
Black-Box Fuzz Testing for Security in Service-Provider Networks
KTH, School of Electrical Engineering and Computer Science (EECS), Network and Systems Engineering. CDIS. ORCID iD: 0000-0002-6265-2173
2026 (English) Licentiate thesis, comprehensive summary (Other academic)
Abstract [en]

Computer networks underpin many aspects of our daily lives. Familiar services such as digital payments, social networks, video streaming and messaging apps would not function without them. While the services we enjoy may seem stable on the surface, underneath the hood they are ever-changing: components are replaced, networks are rebuilt and source code is rewritten. Similarly, the threat posed by malicious actors is also in constant motion. What is considered secure today may not be secure tomorrow. This is especially true for software components. Therefore, software security testing is necessary to ensure that a service poses no risk to its operators nor its end-users.

A critical step in developing secure software is discovering previously unknown vulnerabilities. Fuzz testing, or fuzzing, is a state-of-the-art technique for preventing insecure software from being taken into production. One form of fuzz testing that has received great interest in recent years is grey-box fuzzing. Unfortunately, some systems are not well-suited for this type of testing. Implementation aspects such as programming language, statefulness, network connectivity and source-code availability can make grey-box fuzzing difficult. Consequently, not all types of vulnerabilities are discoverable with this technique.

In this thesis, I investigate a different approach to fuzzing: black-box fuzzing. As the name suggests, black-box fuzzing does not depend on implementation details about the target system. While this allows for testing a wider range of systems, it also pays a price by sacrificing speed and test coverage. However, if the black-box fuzzer can find vulnerabilities that a grey-box fuzzer cannot, it might be worth the price. The results I present in this thesis show that by incorporating elements from reinforcement learning and web crawling, black-box fuzzing can be used where grey-box fuzzing falls short to discover previously unknown vulnerabilities in real-world networking software.

Abstract [sv]

Computer networks form the foundation of many of our everyday activities. Services such as digital payments, social networks, streamed video and instant messaging are entirely dependent on them. Although the services we use give a stable impression, they are in constant change under the hood: components are replaced, networks change and source code is rewritten. In the same way, the threat from malicious actors is in constant motion. What is considered secure today may not be so tomorrow. For software components this is especially tangible, and therefore security testing of software is necessary so that a service does not pose a risk to its end-users or operators.

A critical step in developing secure software is discovering previously unknown vulnerabilities. Fuzz testing, or fuzzing, is the foremost technique we have today for preventing insecure software from being taken into production. One kind of fuzz testing that has been crowned with great success in recent years is grey-box fuzzing. Unfortunately, some systems are poorly suited to this type of testing. Implementation aspects such as programming language, state model, network connectivity and the availability of source code can make grey-box fuzzing harder. Thus, certain types of vulnerabilities cannot be discovered with this technique.

In this thesis I investigate an alternative method of fuzzing: black-box fuzzing. As the name suggests, with this method one regards the system under test as a black box, a unit whose implementation is unknown to us as testers. This has the advantage that the method can be used to test a wider range of systems, but one often pays a price for this in the form of execution speed and test coverage. But if a black-box fuzzer finds vulnerabilities that a grey-box fuzzer misses, it can be worth the price. The results I present in this thesis show that black-box fuzzing can be combined with reinforcement learning and web crawling. In that way the technique can cover for the shortcomings of grey-box fuzzing and discover previously unknown vulnerabilities in software for computer networks.

Place, publisher, year, edition, pages
Stockholm: KTH Royal Institute of Technology, 2026, p. xii, 44
Series
TRITA-EECS-AVL ; 2026:12
Keywords [en]
Cyber Security, Security Testing, Vulnerability Discovery, Fuzz Testing, Computer Networks, Network Protocols, Software Engineering
Keywords [sv]
Cybersäkerhet, Säkerhetstestning, Sårbarhetsupptäckt, Fuzztestning, Datornätverk, Nätverksprotokoll, Mjukvaruteknik
National Category
Computer Sciences
Research subject
Information and Communication Technology
Identifiers
URN: urn:nbn:se:kth:diva-376850
ISBN: 978-91-8106-519-0 (print)
OAI: oai:DiVA.org:kth-376850
DiVA, id: diva2:2039840
Presentation
2026-03-17, https://kth-se.zoom.us/j/65756749078, Lindstedtsvägen 5, Room D37, Stockholm, 10:00 (English)
Note

QC 20260219

Available from: 2026-02-19 Created: 2026-02-18 Last updated: 2026-03-02 Bibliographically approved
List of papers
1. Squashing Resource Exhaustion Bugs with Black-Box Fuzzing and Reinforcement Learning
2023 (English) In: 2023 7th International Conference on System Reliability and Safety, ICSRS 2023, Institute of Electrical and Electronics Engineers (IEEE), 2023, p. 439-448. Conference paper, Published paper (Refereed)
Abstract [en]

For a software system to be reliable, it must manage its resources properly. Failure to do so will result in unreliable behaviour: an application that leaks memory will eventually crash, a packet source that overloads a queue may cause other systems to fail, a process that consumes too many CPU cycles will degrade the performance of other processes and so on. Resource leaks or resource exhaustion are difficult to discover during testing as they may happen slowly over a long time. One approach for discovering issues with reliability, security and robustness is fuzzing (short for fuzz testing). Fuzzing can take many forms, depending on what type of system is to be tested and what kinds of bugs one is after. Black-box fuzzing is arguably the most flexible approach to fuzzing. Unfortunately, it suffers from a low efficiency that makes it slow at finding bugs such as resource leaks. In this paper we explore the topic of black-box fuzzing by modeling it as a multi-armed bandit problem, an important subclass of the general reinforcement learning problem. We believe that by utilizing a reinforcement learning framework, black-box fuzzing can be better understood and attention can be drawn to the field, which deserves to be studied more. We also implement a fuzzer according to our model and evaluate it against a toy implementation of a simple protocol with a known resource leak. Lastly, we apply our fuzzer in a real-world case study against two widely distributed implementations of the Link Layer Discovery Protocol (LLDP), a key component in critical infrastructure applications such as network management and network automation. Our results show that our fuzzer gradually learns how to effectively trigger the resource leak in the toy implementation, thereby speeding up the bug discovery process. In the case study, the fuzzer struggles to learn from the observations it makes about the test target. We believe this to be because of excessive delays between the actions the fuzzer takes during testing and their corresponding effects. Despite this, our fuzzer still manages to find one resource leak in each of the two LLDP implementations, one of which was previously unknown. With this paper, we have taken the first steps towards a better understanding of black-box fuzzing, and we believe that a new generation of smart and highly efficient black-box fuzzers is within reach.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2023
Keywords
Cybersecurity, Fuzz Testing, Reinforcement Learning, Resource Exhaustion
National Category
Computer Sciences; Software Engineering
Identifiers
urn:nbn:se:kth:diva-343177 (URN)
10.1109/ICSRS59833.2023.10381445 (DOI)
2-s2.0-85183463254 (Scopus ID)
Conference
7th International Conference on System Reliability and Safety, ICSRS 2023, Bologna, Italy, Nov 22 2023 - Nov 24 2023
Note

QC 20240208

Part of ISBN 979-8-3503-0605-7

Available from: 2024-02-08 Created: 2024-02-08 Last updated: 2026-02-18 Bibliographically approved
2. Fuzz Testing for Code Injection Vulnerabilities in Network Management Systems
2024 (English) In: 2024 8th International Conference on System Reliability and Safety, ICSRS 2024, Institute of Electrical and Electronics Engineers (IEEE), 2024, p. 529-536. Conference paper, Published paper (Refereed)
Abstract [en]

To handle the complexity of modern technical systems, the operator often relies on some kind of graphical user interface software. Such software typically provides statistics, visualization and remote management capabilities to the operator. Today, this software is usually implemented using various web technologies. This lets operators monitor and manage the system in question with a tool familiar to most people today, namely their web browser. Unfortunately, web technology comes with plenty of intricate and unexpected caveats and flaws that can lead to unpredictable and sometimes even insecure behavior. In this paper, we focus on how one such obscure flaw, cross-channel scripting, can affect communications and service-provider networks. We provide a testing framework for detecting such flaws and use it to test four different open-source network management systems. Three vulnerabilities were found, acknowledged and fixed by the developers, and one CVE was assigned.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2024
Keywords
Code Injection, Cybersecurity, Fuzz Testing, Web Security
National Category
Computer Sciences; Computer Systems
Identifiers
urn:nbn:se:kth:diva-367476 (URN)
10.1109/ICSRS63046.2024.10927541 (DOI)
2-s2.0-105003291353 (Scopus ID)
Conference
8th International Conference on System Reliability and Safety, ICSRS 2024, Sicily, Italy, November 20-22, 2024
Note

Part of ISBN 9798350354508

QC 20250718

Available from: 2025-07-18 Created: 2025-07-18 Last updated: 2026-02-18 Bibliographically approved
3. Black-Box Fuzzing for Security in Managed Networks: An Outline
2023 (English) In: IEEE Networking Letters, E-ISSN 2576-3156, Vol. 5, no 4, p. 241-244. Article in journal (Refereed) Published
Abstract [en]

Service providers are adopting open-source technology and open standards in their next-generation networks. This gives them great flexibility and spurs innovation. But it also means that they must ensure proper interoperability between components; otherwise, vulnerabilities might get introduced in their networks. Unfortunately, state-of-the-art vulnerability scanning tools are unable to handle the complexity of service provider networks. In this letter we show how interoperability issues between seemingly reliable components introduce an injection vulnerability that allows us to control a firewall-protected network management system. We also extend the state-of-the-art in black-box fuzzing to give service providers a tool for combating similar issues.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2023
National Category
Computer Sciences
Identifiers
urn:nbn:se:kth:diva-376829 (URN)
10.1109/lnet.2023.3286443 (DOI)
001556071500023 ()
2-s2.0-85183466608 (Scopus ID)
Note

QC 20260218

Available from: 2026-02-18 Created: 2026-02-18 Last updated: 2026-02-18 Bibliographically approved
4. Measuring the Impact of Fuzzing Activity in Networking Software - Extended
2025 (English) Report (Other academic)
Abstract [en]

Fuzz testing has become the de facto standard for vulnerability discovery. State-of-the-art fuzzers employ a so-called gray-box approach, where coverage information is fed back to the fuzzer after each generated test case, thereby allowing it to make its generation strategy more effective over time to find bugs deep within the code. Despite research efforts in recent years, networked applications have proven to be notoriously difficult to fuzz efficiently and thoroughly. Modern fuzzers struggle with the complex environmental interactions and statefulness associated with networked systems and subsequently, shortcuts are taken to ensure at least some degree of hardening.

In this paper we study 32 prominent protocol implementations that have been continuously fuzzed by OSS-Fuzz. We define metrics to measure fuzzing activity within a project and correlate our measurements with registered CVEs for discovered vulnerabilities. Our analysis shows a strong correlation between fuzzing activity and registered CVEs within a project. However, by using the CWE-1000 analysis framework, we show that the correlation is only strong for certain classes of vulnerabilities. From those observations, we are able to draw conclusions about what current fuzzing practices are lacking and where fuzzing research efforts need to be spent in the future.

This technical report is an extension of doi:10.1145/3672608.3707730, which has been published with ACM in the SAC 2025 conference proceedings.

Place, publisher, year, edition, pages
Stockholm: KTH Royal Institute of Technology, 2025. p. 13
Series
TRITA-EECS-RP ; 2025:3
Keywords
Computer network, protocol, testing, fuzz testing
National Category
Communication Systems; Telecommunications; Computer Sciences; Computer Engineering; Security, Privacy and Cryptography
Research subject
Electrical Engineering; Computer Science
Identifiers
urn:nbn:se:kth:diva-372022 (URN)
Note

QC 20251029

Available from: 2025-10-23 Created: 2025-10-23 Last updated: 2026-02-18 Bibliographically approved

Open Access in DiVA

fulltext (471 kB)
File information
File name: FULLTEXT02.pdf
File size: 471 kB
Checksum SHA-512: 922c11ef897e31fa751d333385ec279f8be540315347244a9df382c696dfd2eb943557fae0143cd9fecfd0a0d0805d40bef5977348cd676fc677a3d7e345fa9b
Type: fulltext
Mimetype: application/pdf

Authority records

Fernandez, Leon