Fuzzing tool SnapFuzz for network applications makes it easier for researchers to find vulnerabilities

Cybersecurity specialists from Imperial College London developed a fuzzing tool capable of solving some of the most frequent problems when testing network applications. Dubbed SnapFuzz, this tool uses a number of techniques to speed up the testing of network protocols and overcome time constraints and other limitations that make it difficult to implement these security tests.

As many users will know, fuzzing is a technique that allows you to detect some common software errors, although the use of some fuzzing tools can result in unexpected changes in the analyzed implementations. These effects could be inferred in the analysis process, so it is necessary to find mechanisms to apply functional fuzzing tests.

Popular fuzzing tools like AFLNet require specialized test environments, which can be time-consuming and consume large system resources available to researchers. In addition, common practices among the developers of these applications are often unfriendly to the systems where these security procedures will be applied.

While SnapFuzz is based on AFLNet, this tool adds several features for manual configuration and troubleshooting performance issues typical of the fuzzing process. The SnapFuzz protocol also automatically transforms all asynchronous network communications into synchronous communications, becoming a much more efficient utility.

Using SnapFuzz, developers were able to test five popular network applications (LightFTP, TinyDTLS, Dnsmasq, LIVE555, and Dcmqrscp) and gain considerable improvements in application performance.

An on-memory file system automatically resets the state of the file system without user intervention. The developers also devised a method to automatically infer the point at which the application has finished initializing, which speeds up the fuzzing process.

At the moment SnapFuzz is still a project in development, although the team behind the tool is still working for its improvement: “Our main priority is to extend our work to more benchmarks and the latest versions of popular network projects such as Redis and Memcached,” the researchers mention. 

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.