{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,22]],"date-time":"2026-01-22T21:26:13Z","timestamp":1769117173588,"version":"3.49.0"},"reference-count":53,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2022,11,1]],"date-time":"2022-11-01T00:00:00Z","timestamp":1667260800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2022,11,1]],"date-time":"2022-11-01T00:00:00Z","timestamp":1667260800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/100014718","name":"Innovative Research Group Project of the National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62032010"],"award-info":[{"award-number":["62032010"]}],"id":[{"id":"10.13039\/100014718","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Network function virtualization provides programmable in-network middlewares by leveraging virtualization technologies and commodity hardware and has gained popularity among all mainstream network device manufacturers. Yet it is challenging to apply coverage-guided fuzzing, one of the state-of-the-art vulnerability discovery approaches, to those virtualized network devices, due to inevitable integrity protection adopted by those devices. In this paper, we propose a coverage-guided fuzzing framework NDFuzz for virtualized network devices with a novel integrity protection bypassing method, which is able to distinguish processes of virtualized network devices from hypervisors with a carefully designed non-intrusive page global directory inference technique. 
We implement NDFuzz atop of two black-box fuzzers and evaluate NDFuzz with three representative network protocols, SNMP, DHCP and NTP, on nine popular virtualized network devices. NDFuzz obtains an average 36% coverage improvement in comparison with its black-box counterparts. NDFuzz discovers 2 0-Day vulnerabilities and 1 1-Day vulnerability with coverage guidance while the black-box fuzzer can find only one of them. All discovered vulnerabilities are confirmed by corresponding vendors.<\/jats:p>","DOI":"10.1186\/s42400-022-00120-1","type":"journal-article","created":{"date-parts":[[2022,11,1]],"date-time":"2022-11-01T01:23:47Z","timestamp":1667265827000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":7,"title":["NDFuzz: a non-intrusive coverage-guided fuzzing framework for virtualized network devices"],"prefix":"10.1186","volume":"5","author":[{"given":"Yu","family":"Zhang","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Nanyu","family":"Zhong","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Wei","family":"You","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4787-4832","authenticated-orcid":false,"given":"Yanyan","family":"Zou","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Kunpeng","family":"Jian","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jiahuan","family":"Xu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jian","family":"Sun","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Baoxu","family":"Liu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossr
ef"}]},{"given":"Wei","family":"Huo","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2022,11,1]]},"reference":[{"key":"120_CR1","doi-asserted-by":"crossref","unstructured":"Aschermann C, Schumilo S, Blazytko T, Gawlik R, Holz T (2019) Redqueen: fuzzing with input-to-state correspondence. In: NDSS, vol 19, pp 1\u201315","DOI":"10.14722\/ndss.2019.23371"},{"key":"120_CR2","volume-title":"Black-box testing: techniques for functional testing of software and systems","author":"B Beizer","year":"1995","unstructured":"Beizer B (1995) Black-box testing: techniques for functional testing of software and systems. Wiley, New York"},{"key":"120_CR3","unstructured":"Bellard F (2005) Qemu, a fast and portable dynamic translator. In: USENIX annual technical conference, FREENIX Track, California, USA, vol 41, p 46"},{"issue":"5","key":"120_CR4","doi-asserted-by":"publisher","first-page":"489","DOI":"10.1109\/TSE.2017.2785841","volume":"45","author":"M B\u00f6hme","year":"2017","unstructured":"B\u00f6hme M, Pham V-T, Roychoudhury A (2017) Coverage-based Greybox fuzzing as Markov chain. IEEE Trans Softw Eng 45(5):489\u2013506","journal-title":"IEEE Trans Softw Eng"},{"key":"120_CR5","doi-asserted-by":"crossref","unstructured":"Carbone M, Conover M, Montague B, Lee W (2012) Secure and robust monitoring of virtual machines through guest-assisted introspection. In: International workshop on recent advances in intrusion detection. Springer, pp 22\u201341","DOI":"10.1007\/978-3-642-33338-5_2"},{"key":"120_CR6","doi-asserted-by":"publisher","first-page":"32","DOI":"10.1016\/j.diin.2010.05.005","volume":"7","author":"A Case","year":"2010","unstructured":"Case A, Marziale L, Richard GG III (2010) Dynamic recreation of kernel data structures for live forensics. 
Digit Investig 7:32\u201340","journal-title":"Digit Investig"},{"key":"120_CR7","doi-asserted-by":"crossref","unstructured":"Chen DD, Woo M, Brumley D, Egele M (2016) Towards automated dynamic analysis for Linux-based embedded firmware. In: NDSS, vol 1, pp 1","DOI":"10.14722\/ndss.2016.23415"},{"key":"120_CR8","doi-asserted-by":"crossref","unstructured":"Chen J, Diao W, Zhao Q, Zuo C, Lin Z, Wang X, Lau WC, Sun M, Yang R, Zhang K (2018) Iotfuzzer: Discovering memory corruptions in IoT through app-based fuzzing. In: NDSS","DOI":"10.14722\/ndss.2018.23159"},{"key":"120_CR9","unstructured":"Cisco-Talos: mutiny fuzzing framework. https:\/\/github.com\/Cisco-Talos\/mutiny-fuzzer"},{"key":"120_CR10","unstructured":"Compare coverage for AFL++ QEMU. https:\/\/andreafioraldi.github.io\/articles\/2019\/07\/20\/aflpp-qemu-compcov.html"},{"key":"120_CR11","doi-asserted-by":"crossref","unstructured":"Dolan-Gavitt B, Srivastava A, Traynor P, Giffin J (2009) Robust signatures for kernel data structures. In: Proceedings of the 16th ACM conference on computer and communications security, pp 566\u2013577","DOI":"10.1145\/1653662.1653730"},{"key":"120_CR12","doi-asserted-by":"crossref","unstructured":"Dolan-Gavitt B, Leek T, Zhivich M, Giffin J, Lee W (2011) Virtuoso: narrowing the semantic gap in virtual machine introspection. In: 2011 IEEE symposium on security and privacy. IEEE, pp 297\u2013312","DOI":"10.1109\/SP.2011.11"},{"key":"120_CR13","doi-asserted-by":"publisher","unstructured":"Dolan-Gavitt B, Hulin P, Kirda E, Leek T, Mambretti A, Robertson W, Ulrich F, Whelan R (2016) Lava: large-scale automated vulnerability addition. In: 2016 IEEE symposium on security and privacy (SP), pp 110\u2013121. https:\/\/doi.org\/10.1109\/SP.2016.15","DOI":"10.1109\/SP.2016.15"},{"key":"120_CR14","doi-asserted-by":"crossref","unstructured":"Feng Q, Prakash A, Wang M, Carmony C, Yin H (2016) Origen: automatic extraction of offset-revealing instructions for cross-version memory analysis. 
In: Proceedings of the 11th ACM on Asia conference on computer and communications security, pp 11\u201322","DOI":"10.1145\/2897845.2897850"},{"key":"120_CR15","doi-asserted-by":"crossref","unstructured":"Feng X, Sun R, Zhu X, Xue M, Wen S, Liu D, Nepal S, Xiang Y (2021) Snipuzz: black-box fuzzing of IoT firmware via message snippet inference. arXiv:2105.05445","DOI":"10.1145\/3460120.3484543"},{"key":"120_CR16","unstructured":"Fioraldi A, Maier D, Ei\u00dffeldt H, Heuse M (2020) Afl++: combining incremental steps of fuzzing research. In: 14th $$\\{$$USENIX$$\\}$$ workshop on offensive technologies ($$\\{$$WOOT$$\\}$$ 20)"},{"key":"120_CR17","doi-asserted-by":"crossref","unstructured":"Fu Y, Lin Z (2012) Space traveling across vm: automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection. In: 2012 IEEE symposium on security and privacy. IEEE, pp 586\u2013600","DOI":"10.1109\/SP.2012.40"},{"key":"120_CR18","doi-asserted-by":"crossref","unstructured":"Gan S, Zhang C, Qin X, Tu X, Li K, Pei Z, Chen Z (2018) Collafl: path sensitive fuzzing. In: 2018 IEEE symposium on security and privacy (SP). IEEE, pp 679\u2013696","DOI":"10.1109\/SP.2018.00040"},{"key":"120_CR19","doi-asserted-by":"crossref","unstructured":"Gao Z, Dong W, Chang R, Wang Y (2020) Fw-fuzz: a code coverage-guided fuzzing framework for network protocols on firmware. Concurr Comput Pract Exp","DOI":"10.1002\/cpe.5756"},{"key":"120_CR20","unstructured":"Godefroid P, Levin MY, Molnar DA et al (2008) Automated whitebox fuzz testing. In: NDSS , vol 8, pp 151\u2013166"},{"issue":"2","key":"120_CR21","doi-asserted-by":"publisher","first-page":"90","DOI":"10.1109\/MCOM.2015.7045396","volume":"53","author":"B Han","year":"2015","unstructured":"Han B, Gopalakrishnan V, Ji L, Lee S (2015) Network function virtualization: challenges and opportunities for innovations. IEEE Commun Mag 53(2):90\u201397. 
https:\/\/doi.org\/10.1109\/MCOM.2015.7045396","journal-title":"IEEE Commun Mag"},{"key":"120_CR22","doi-asserted-by":"publisher","unstructured":"Hazimeh A, Herrera A, Payer M (2020) Magma: a ground-truth fuzzing benchmark. In: Proceedings of the ACM on measurement and analysis of computing systems, vol 4, no 3. https:\/\/doi.org\/10.1145\/3428334","DOI":"10.1145\/3428334"},{"key":"120_CR23","unstructured":"Helin A. Radamsa, a general-purpose fuzzer. https:\/\/gitlab.com\/akihe\/radamsa"},{"key":"120_CR24","doi-asserted-by":"crossref","unstructured":"Henderson A, Prakash A, Yan LK, Hu X, Wang X, Zhou R, Yin H (2014) Make it work, make it right, make it fast: building a platform-neutral whole-system dynamic binary analysis platform. In: Proceedings of the 2014 international symposium on software testing and analysis, pp 248\u2013258","DOI":"10.1145\/2610384.2610407"},{"key":"120_CR25","doi-asserted-by":"crossref","unstructured":"Jain B, Baig MB, Zhang D, Porter DE, Sion R (2014) Sok: introspections on trust and the semantic gap. In: 2014 IEEE symposium on security and privacy. IEEE, pp 605\u2013620","DOI":"10.1109\/SP.2014.45"},{"issue":"1","key":"120_CR26","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1186\/s42400-018-0002-y","volume":"1","author":"J Li","year":"2018","unstructured":"Li J, Zhao B, Zhang C (2018) Fuzzing: a survey. Cybersecurity 1(1):1\u201313","journal-title":"Cybersecurity"},{"key":"120_CR27","unstructured":"LibVMI. https:\/\/libvmi.com\/"},{"key":"120_CR28","unstructured":"Lin Z, Rhee J, Zhang X, Xu D, Jiang X (2011) Siggraph: brute force scanning of kernel data structure instances using graph-based signatures. In: Ndss"},{"key":"120_CR29","unstructured":"Lyu C, Ji S, Zhang C, Li Y, Lee W-H, Song Y, Beyah R (2019) $$\\{$$MOPT$$\\}$$: optimized mutation scheduling for fuzzers. 
In: 28th $$\\{$$USENIX$$\\}$$ security symposium ($$\\{$$USENIX$$\\}$$ security 19), pp 1949\u20131966"},{"key":"120_CR30","doi-asserted-by":"publisher","first-page":"2312","DOI":"10.1109\/TSE.2019.2946563","volume":"47","author":"VJM Man\u00e8s","year":"2019","unstructured":"Man\u00e8s VJM, Han H, Han C, Cha SK, Egele M, Schwartz EJ, Woo M (2019) The art, science, and engineering of fuzzing: a survey. IEEE Trans Softw Eng 47:2312\u20132331","journal-title":"IEEE Trans Softw Eng"},{"issue":"1","key":"120_CR31","doi-asserted-by":"publisher","first-page":"236","DOI":"10.1109\/COMST.2015.2477041","volume":"18","author":"R Mijumbi","year":"2016","unstructured":"Mijumbi R, Serrat J, Gorricho J-L, Bouten N, De Turck F, Boutaba R (2016) Network function virtualization: state-of-the-art and research challenges. IEEE Commun Surv Tutor 18(1):236\u2013262. https:\/\/doi.org\/10.1109\/COMST.2015.2477041","journal-title":"IEEE Commun Surv Tutor"},{"key":"120_CR32","doi-asserted-by":"crossref","unstructured":"Muench M, Stijohann J, Kargl F, Francillon A, Balzarotti D (2018) What you corrupt is not what you crash: Challenges in fuzzing embedded devices. In: Network and distributed system security symposium (NDSS)","DOI":"10.14722\/ndss.2018.23166"},{"key":"120_CR33","volume-title":"The art of software testing","author":"GJ Myers","year":"2004","unstructured":"Myers GJ, Badgett T, Thomas TM, Sandler C (2004) The art of software testing, vol 2. Wiley, New York"},{"key":"120_CR34","unstructured":"NCCGroup: Project Triforce: run AFL on everything! https:\/\/github.com\/nccgroup\/TriforceAFL"},{"key":"120_CR35","unstructured":"Paper NW (2012) Network functions virtualisation: an introduction, benefits, enablers, challenges & call for action. Issue 1"},{"key":"120_CR36","doi-asserted-by":"crossref","unstructured":"Payne BD, Carbone M, Sharif M, Lee W (2008) Lares: an architecture for secure active monitoring using virtualization. 
In: 2008 IEEE symposium on security and privacy (sp 2008). IEEE, pp 233\u2013247","DOI":"10.1109\/SP.2008.24"},{"key":"120_CR37","doi-asserted-by":"crossref","unstructured":"Pham V-T, B\u00f6hme M, Roychoudhury A (2020) Aflnet: a greybox fuzzer for network protocols. In: 2020 IEEE 13th international conference on software testing, validation and verification (ICST). IEEE, pp 460\u2013465","DOI":"10.1109\/ICST46399.2020.00062"},{"key":"120_CR38","unstructured":"PyREBox. https:\/\/github.com\/Cisco-Talos\/pyrebox"},{"key":"120_CR39","doi-asserted-by":"crossref","unstructured":"Rawat S, Jain V, Kumar A, Cojocar L, Giuffrida C, Bos H (2017) Vuzzer: application-aware evolutionary fuzzing. In: NDSS, vol 17, pp 1\u201314","DOI":"10.14722\/ndss.2017.23404"},{"key":"120_CR40","doi-asserted-by":"crossref","unstructured":"Saberi A, Fu Y, Lin Z (2014) Hybrid-bridge: efficiently bridging the semantic gap in virtual machine introspection via decoupled execution and training memoization. In: Proceedings of the 21st annual network and distributed system security symposium (NDSS\u201914)","DOI":"10.14722\/ndss.2014.23226"},{"key":"120_CR41","unstructured":"Scapy. https:\/\/scapy.net\/"},{"key":"120_CR42","unstructured":"Schumilo S, Aschermann C, Gawlik R, Schinzel S, Holz T (2017) kafl: hardware-assisted feedback fuzzing for $$\\{$$OS$$\\}$$ kernels. In: 26th $$\\{$$USENIX$$\\}$$ security symposium ($$\\{$$USENIX$$\\}$$ security 17), pp 167\u2013182"},{"key":"120_CR43","doi-asserted-by":"crossref","unstructured":"Sharif MI, Lee W, Cui W, Lanzi A (2009) Secure in-vm monitoring using hardware virtualization. In: Proceedings of the 16th ACM conference on computer and communications security, pp 477\u2013487","DOI":"10.1145\/1653662.1653720"},{"key":"120_CR44","unstructured":"snmpwalk. 
https:\/\/linux.die.net\/man\/1\/snmpwalk"},{"key":"120_CR45","doi-asserted-by":"publisher","first-page":"11","DOI":"10.1016\/j.diin.2016.01.004","volume":"16","author":"A Soca\u0142a","year":"2016","unstructured":"Soca\u0142a A, Cohen M (2016) Automatic profile generation for live Linux memory analysis. Digit Investig 16:11\u201324","journal-title":"Digit Investig"},{"key":"120_CR46","doi-asserted-by":"crossref","unstructured":"Srinivasan D, Wang Z, Jiang X, Xu D (2011) Process out-grafting: an efficient \u201cout-of-vm\u201d approach for fine-grained process execution monitoring. In: Proceedings of the 18th ACM Conference on computer and communications security, pp 363\u2013374","DOI":"10.1145\/2046707.2046751"},{"key":"120_CR47","unstructured":"Volatility framework\u2014volatile memory extraction utility framework. https:\/\/github.com\/volatilityfoundation\/volatility"},{"key":"120_CR48","unstructured":"Wang G, Estrada ZJ, Pham C, Kalbarczyk Z, Iyer RK (2015) Hypervisor introspection: a technique for evading passive virtual machine monitoring. In: 9th $$\\{$$USENIX$$\\}$$ workshop on offensive technologies ($$\\{$$WOOT$$\\}$$ 15)"},{"key":"120_CR49","unstructured":"Yan LK, Yin H (2012) Droidscope: seamlessly reconstructing the $$\\{$$OS$$\\}$$ and dalvik semantic views for dynamic android malware analysis. In: 21st $$\\{$$USENIX$$\\}$$ security symposium ($$\\{$$USENIX$$\\}$$ security 12), pp 569\u2013584"},{"key":"120_CR50","unstructured":"Yue T, Wang P, Tang Y, Wang E, Yu B, Lu K, Zhou X (2020) Ecofuzz: adaptive energy-saving greybox fuzzing as a variant of the adversarial multi-armed bandit. In: 29th $$\\{$$USENIX$$\\}$$ security symposium ($$\\{$$USENIX$$\\}$$ security 20), pp 2307\u20132324"},{"key":"120_CR51","unstructured":"Zalewski M. American fuzzy lop. 
http:\/\/lcamtuf.coredump.cx\/afl\/"},{"key":"120_CR52","doi-asserted-by":"crossref","unstructured":"Zhang Y, Huo W, Jian K, Shi J, Lu H, Liu L, Wang C, Sun D, Zhang C, Liu B (2019) Srfuzzer: an automatic fuzzing framework for physical SOHO router devices to discover multi-type vulnerabilities. In: Proceedings of the 35th annual computer security applications conference, pp 544\u2013556","DOI":"10.1145\/3359789.3359826"},{"key":"120_CR53","unstructured":"Zheng Y, Davanian A, Yin H, Song C, Zhu H, Sun L (2019) Firm-afl: high-throughput greybox fuzzing of iot firmware via augmented process emulation. In: 28th $$\\{$$USENIX$$\\}$$ security symposium ($$\\{$$USENIX$$\\}$$ security 19), pp 1099\u20131114"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-022-00120-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-022-00120-1\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-022-00120-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,11,1]],"date-time":"2022-11-01T01:26:27Z","timestamp":1667265987000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-022-00120-1"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,11,1]]},"references-count":53,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2022,12]]}},"alternative-id":["120"],"URL":"https:\/\/doi.org\/10.1186\/s42400-022-00120-1","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,11,1]]},"assertion":[{"value":"24 December 
2021","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"5 March 2022","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"1 November 2022","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"21"}}