Gurthang - A Fuzzing Framework for Concurrent Network Servers

The emergence of Internet-connected technologies has given the world a vast number of services easily reachable from our computers and mobile devices. Web servers are one of the dominant types of computer programs that provide these services to the world by serving files and computations to connected users. Because of their accessibility and importance, web servers must be robust to avoid exploitation by hackers and other malicious users. Fuzzing is a software testing technique that seeks to discover bugs in computer programs in an automated fashion. However, most state-of-the-art fuzzing tools (fuzzers) are incapable of fuzzing web servers effectively, because web servers rely on network connections to receive input and follow other unique constraints. Past research exists to remedy this situation, and while it has had success, certain drawbacks are introduced in the process.

To address this, we created Gurthang, a fuzzing framework that gives state-of-the-art fuzzers the ability to fuzz web servers easily, without having to modify source code, the web server's threading model, or fundamentally change the way a server behaves. We introduce novelty by providing the ability to establish and send data across multiple concurrent connections to the target web server in a single execution of a fuzzing campaign, thus opening the door to the discovery of concurrency-related bugs. We accomplish this through a novel file format and two shared libraries that harness existing state-of-the-art fuzzers.

We evaluated Gurthang by performing a research study at Virginia Tech that yielded 48 discovered bugs among 55 web servers written by students. Participants utilized Gurthang to integrate fuzzing into their software development process and discover bugs. In addition, we evaluated Gurthang against Apache and Nginx, two real-world web servers. We did not discover any bugs on Apache or Nginx, but Gurthang successfully enabled us to fuzz them without needing to modify their source code. Our evaluations show Gurthang is capable of performing fuzz-testing on web servers and discovering real bugs.

Master of Science

The Internet is widely apparent in our everyday lives. Since its creation, a wide variety of technologies and critical infrastructures have become accessible via the Internet. While this accessibility is a great boon for many, it does not come without risk. Web servers are one of the dominant types of computer programs that make the Internet what it is today; they are responsible for transmitting web pages and other files to connected users, as well as performing important computations per the user's request. Like any computer program, web servers contain bugs that may lead to vulnerabilities if exploited by a malicious user (a hacker). Considering they are open to all via the Internet, it is critical to catch and fix as many bugs as possible during a web server's development. Certain tools, called fuzzers, have been created to test computer programs in an automated fashion to discover bugs (called fuzzing, or fuzz-testing), although many of these fuzzers lack the ability to effectively test web servers due to the specific constraints a web server must follow. Previous research exists to fix this problem, but certain drawbacks are introduced in the process.

To address this, we developed Gurthang, a fuzzing framework that gives state-of-the-art fuzzers the ability to test a variety of web servers, while also fixing some of these drawbacks and introducing a novel technique to test the concurrency aspects of a web server. We evaluated Gurthang against several web servers through a research study at Virginia Tech in which participating students performed fuzz-testing on web servers they implemented for their coursework. We discovered 48 bugs across 55 web servers through this study. We also evaluated Gurthang against Apache and Nginx (two web servers frequently used in the real world) and showed Gurthang is capable of fuzzing them without the need to modify their source code.

Identifier: oai:union.ndltd.org:VTETD/oai:vtechworks.lib.vt.edu:10919/110769
Date: 13 June 2022
Creators: Shugg, Connor William
Contributors: Computer Science, Back, Godmar Volker, Hicks, Matthew, Wang, Haining
Publisher: Virginia Tech
Source Sets: Virginia Tech Theses and Dissertation
Language: English
Detected Language: English
Type: Thesis
Format: ETD, application/pdf
Rights: In Copyright, http://rightsstatements.org/vocab/InC/1.0/