TY - GEN
T1 - Differential Fuzzing for Data Distribution Service Programs with Dynamic Configuration
AU - Ryu, Dohyun
AU - Kim, Giyeol
AU - Lee, Daeun
AU - Kim, Seongjin
AU - Bae, Seungjin
AU - Rhee, Junghwan
AU - Kim, Taegyu
N1 - Publisher Copyright:
© 2024 Copyright is held by the owner/author(s). Publication rights licensed to ACM.
PY - 2024/10/27
Y1 - 2024/10/27
N2 - Data Distribution Service (DDS) is a distributed network protocol widely used in cyber-physical systems. DDS provides flexible configurations, defined in its formal design specification, for safety and security. However, DDS programs suffer from both semantic bugs that violate the design specification and software implementation bugs. To discover bugs, network protocol fuzzers have focused on testing client-server models by mutating input packets. However, they are unsuitable for fuzzing DDS programs because they do not consider DDS-specific features, such as the DDS-specific input spaces (e.g., dynamic network topology formation and QoS and DDS security configurations) and the impact of DDS-specific semantic bugs (e.g., incorrect topology construction). In this paper, we propose DDSFuzz, a fuzzing framework that is effective for DDS programs because it leverages these DDS-specific features. Specifically, we develop a DDS dynamic network configuration input generator integrated with a customized state-of-the-art packet input mutator. This configuration input generator produces inputs while considering the DDS-specific input spaces, DDS topologies, and parameter configurations and their dependencies. This scheme enables DDSFuzz to test code that is reachable only under certain DDS network configurations. Furthermore, our differential-fuzzing-based bug detector, built upon DDS-specific APIs and listeners, uncovers DDS-specific semantic bugs. We evaluate DDSFuzz with three major DDS programs: Fast DDS, Cyclone DDS, and OpenDDS. DDSFuzz found 20 bugs, for which seven CVEs have been assigned. Furthermore, DDSFuzz achieves on average 6.44 times higher code coverage than existing fuzzers, demonstrating its effectiveness at DDS bug detection.
AB - Data Distribution Service (DDS) is a distributed network protocol widely used in cyber-physical systems. DDS provides flexible configurations, defined in its formal design specification, for safety and security. However, DDS programs suffer from both semantic bugs that violate the design specification and software implementation bugs. To discover bugs, network protocol fuzzers have focused on testing client-server models by mutating input packets. However, they are unsuitable for fuzzing DDS programs because they do not consider DDS-specific features, such as the DDS-specific input spaces (e.g., dynamic network topology formation and QoS and DDS security configurations) and the impact of DDS-specific semantic bugs (e.g., incorrect topology construction). In this paper, we propose DDSFuzz, a fuzzing framework that is effective for DDS programs because it leverages these DDS-specific features. Specifically, we develop a DDS dynamic network configuration input generator integrated with a customized state-of-the-art packet input mutator. This configuration input generator produces inputs while considering the DDS-specific input spaces, DDS topologies, and parameter configurations and their dependencies. This scheme enables DDSFuzz to test code that is reachable only under certain DDS network configurations. Furthermore, our differential-fuzzing-based bug detector, built upon DDS-specific APIs and listeners, uncovers DDS-specific semantic bugs. We evaluate DDSFuzz with three major DDS programs: Fast DDS, Cyclone DDS, and OpenDDS. DDSFuzz found 20 bugs, for which seven CVEs have been assigned. Furthermore, DDSFuzz achieves on average 6.44 times higher code coverage than existing fuzzers, demonstrating its effectiveness at DDS bug detection.
UR - https://www.scopus.com/pages/publications/85212407878
UR - https://www.scopus.com/inward/citedby.url?scp=85212407878&partnerID=8YFLogxK
U2 - 10.1145/3691620.3695073
DO - 10.1145/3691620.3695073
M3 - Conference contribution
AN - SCOPUS:85212407878
T3 - Proceedings - 2024 39th ACM/IEEE International Conference on Automated Software Engineering, ASE 2024
SP - 807
EP - 818
BT - Proceedings - 2024 39th ACM/IEEE International Conference on Automated Software Engineering, ASE 2024
PB - Association for Computing Machinery, Inc
T2 - 39th ACM/IEEE International Conference on Automated Software Engineering, ASE 2024
Y2 - 28 October 2024 through 1 November 2024
ER -
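The abstract describes two ideas: a configuration generator that respects DDS parameter dependencies, and a differential bug detector that compares what several DDS implementations report through their APIs and listeners. The following is an added illustration of that detector pattern, written for this record; it is not DDSFuzz code and not from any of the papers' authors. It models a small QoS subset (Reliability, Durability, Deadline, History depth, Resource-limits max_samples_per_instance) and uses the Requested/Offered compatibility rules and the History/ResourceLimits consistency rule from the OMG DDS specification as the ground-truth oracle. The two "implementations" (`impl_A`, `impl_B`) are constructed stand-ins that stand where a harness would launch Fast DDS, Cyclone DDS or OpenDDS and read match counts from `on_publication_matched`/`on_subscription_matched` listeners; `impl_B`'s omitted deadline check is hypothetical and does not describe a bug in any real DDS stack.

```python
"""Differential oracle for DDS endpoint matching under Requested/Offered (RxO) QoS rules.

Added illustration, not DDSFuzz code. The implementation models below are
constructed stand-ins; they are not Fast DDS, Cyclone DDS or OpenDDS and encode
no real bug in any of them.
"""
import random
from dataclasses import dataclass

# Ordered weakest -> strongest, as the OMG DDS spec defines RxO compatibility.
RELIABILITY = ["BEST_EFFORT", "RELIABLE"]
DURABILITY = ["VOLATILE", "TRANSIENT_LOCAL", "TRANSIENT", "PERSISTENT"]
INFINITE = 0  # deadline period 0 stands for "infinite" in this model (assumption)


@dataclass(frozen=True)
class QoS:
    reliability: str
    durability: str
    deadline_ms: int               # deadline period; smaller is stricter
    history_depth: int             # HISTORY KEEP_LAST depth
    max_samples_per_instance: int  # RESOURCE_LIMITS


def gen_qos(rng):
    """Generate one endpoint QoS that respects the spec dependency
    HISTORY.depth <= RESOURCE_LIMITS.max_samples_per_instance, so the fuzzing
    budget goes to configurations a DDS stack will actually accept."""
    depth = rng.randint(1, 8)
    return QoS(
        reliability=rng.choice(RELIABILITY),
        durability=rng.choice(DURABILITY),
        deadline_ms=rng.choice([10, 100, 1000, INFINITE]),
        history_depth=depth,
        max_samples_per_instance=rng.randint(depth, 16),
    )


def _period(ms):
    return float("inf") if ms == INFINITE else ms


def spec_matches(writer, reader):
    """Ground truth from the RxO rules: offered reliability and durability must be
    at least as strong as requested, and offered deadline period <= requested."""
    if RELIABILITY.index(writer.reliability) < RELIABILITY.index(reader.reliability):
        return False
    if DURABILITY.index(writer.durability) < DURABILITY.index(reader.durability):
        return False
    return _period(writer.deadline_ms) <= _period(reader.deadline_ms)


# Constructed implementation models. A real harness would instead start each DDS
# stack with the generated QoS and read the match count from its listeners.
def model_conformant(writer, reader):
    return spec_matches(writer, reader)


def model_ignores_deadline(writer, reader):
    """Constructed stand-in that omits the Deadline RxO check (hypothetical)."""
    return (RELIABILITY.index(writer.reliability) >= RELIABILITY.index(reader.reliability)
            and DURABILITY.index(writer.durability) >= DURABILITY.index(reader.durability))


IMPLS = {"impl_A": model_conformant, "impl_B": model_ignores_deadline}


def differential_check(impls, writer, reader):
    """Return None when every implementation agrees with the spec, else a
    (kind, implementations) verdict. DIVERGENCE: implementations disagree with
    each other (listed: those contradicting the spec). CONSENSUS_SPEC_VIOLATION:
    all agree, but the agreed outcome contradicts the RxO rules, a case plain
    implementation-vs-implementation comparison would miss."""
    observed = {name: fn(writer, reader) for name, fn in impls.items()}
    expected = spec_matches(writer, reader)
    if len(set(observed.values())) > 1:
        return ("DIVERGENCE", sorted(n for n, v in observed.items() if v != expected))
    if next(iter(observed.values())) != expected:
        return ("CONSENSUS_SPEC_VIOLATION", sorted(observed))
    return None


def fuzz(impls, iterations=500, seed=1):
    """Generate writer/reader topologies; keep one reproducer per finding class."""
    rng = random.Random(seed)
    findings = {}
    for _ in range(iterations):
        writer, reader = gen_qos(rng), gen_qos(rng)
        verdict = differential_check(impls, writer, reader)
        if verdict is not None:
            findings.setdefault((verdict[0], tuple(verdict[1])), (writer, reader))
    return findings


if __name__ == "__main__":
    for (kind, names), (w, r) in fuzz(IMPLS).items():
        print(kind, names, "\n  writer:", w, "\n  reader:", r)
```

The spec oracle is what separates this from plain differential testing: when every stack agrees on a wrong answer, only the `CONSENSUS_SPEC_VIOLATION` path catches it, which is the kind of semantic bug the abstract attributes to design-specification violations rather than to crashes.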