Logos: Log Guided Fuzzing for Protocol Implementations

Network protocols are extensively used in a variety of network devices, making the security of their implementations crucial. Protocol fuzzing has shown promise in uncovering vulnerabilities in these implementations. However traditional methods often require instrumentation of the target implementation to provide guidance, which is intrusive, adds overhead, and can hinder black-box testing. This paper presents Logos, a protocol fuzzer that utilizes nonintrusive runtime log information for fuzzing guidance. Logos first standardizes the unstructured logs and embeds them into a highdimensional vector space for semantic representation. Then, Logos filters the semantic representation and dynamically maintains a semantic coverage to chart the explored space for customized guidance. We evaluate Logos on eight widely used implementations of well-known protocols. Results show that, compared to existing intrusive or expert knowledge-driven protocol fuzzers, Logos achieves 26.75%-106.19% higher branch coverage within 24 hours. Furthermore, Logos exposed 12 security-critical vulnerabilities in these prominent protocol implementations, with 9 CVEs assigned.