Black-Box Fuzz Testing for Security in Service-Provider Networks

Time: Tue 2026-03-17 10.00

Location: Lindstedtsvägen 5, Room D37

Video link: https://kth-se.zoom.us/j/65756749078

Language: English

Subject area: Information and Communication Technology

Doctoral student: Leon Fernandez, Nätverk och systemteknik, CDIS

Opponent: Professor Juha Röning, University of Oulu

Supervisor: Professor Gunnar Karlsson, Nätverk och systemteknik

QC 20260219

Abstract

Computer networks underpin many aspects of our daily lives. Familiar services such as digital payments, social networks, video streaming and messaging apps would not function without them. While the services we enjoy may seem stable on the surface, underneath the hood they are ever-changing: components are replaced, networks are rebuilt and source code is rewritten. Similarly, the threat posed by malicious actors is also in constant motion. What is considered secure today may not be secure tomorrow. This is especially true for software components. Therefore, software security testing is necessary to ensure that a service poses no risk to its operators nor its end-users.

A critical step in developing secure software is discovering previously unknown vulnerabilities. Fuzz testing, or fuzzing, is a state-of-the-art technique for preventing insecure software from being taken into production. One form of fuzz testing that has received great interest in recent years is grey-box fuzzing. Unfortunately, some systems are not well-suited for this type of testing. Implementation aspects such as programming language, statefulness, network connectivity and source-code availability can make grey-box fuzzing difficult. Consequently, not all types of vulnerabilities are discoverable with this technique.

In this thesis, I investigate a different approach to fuzzing: black-box fuzzing. As the name suggests, black-box fuzzing does not depend on implementation details about the target system. While this allows for testing a wider range of systems, it also pays a price by sacrificing speed and test coverage. However, if the black-box fuzzer can find vulnerabilities that a grey-box fuzzer cannot, it might be worth the price. The results I present in this thesis show that by incorporating elements from reinforcement learning and web crawling, black-box fuzzing can be used where grey-box fuzzing falls short to discover previously unknown vulnerabilities in real-world networking software.