Fuzzing Self-Described Structures
Abstract
Legacy formats are pervasive in digital spaces because older data must still be read. Fuzzing offers a way to proactively identify errors and vulnerabilities, but it can be computationally expensive when undirected. One way to direct fuzzing is to generate or mutate data according to a grammar, narrowing the input space. In this thesis, we present our approach to parsing and generating data for self-defining data formats, that is, formats whose files carry elements of their own grammar, using a mixed data-type file format. Our research focuses on maritime cyber security, specifically S-57 naval charts built on the self-defining file specification ISO/IEC 8211. We define an approach to parsing ISO/IEC 8211 and leverage generic parsing tools to create a framework for mutating S-57 charts. Our framework, ParseENC, makes both low-level syntactic and high-level semantic mutations to chart files in order to cause erroneous behaviour in maritime navigation software. Rather than aiming for crashes, our focus is on generating malformed charts that are syntactically correct but semantically incorrect, a class of fault that is harder for the target system to detect automatically. The results include two instances in which we triggered program crashes and found a bug in OpenCPN; another low-level change caused unexpected rendering behaviour. Among the high-level changes, we explored various ways of breaking semantic rules without preventing the charts from being loaded. We additionally implemented fuzzing for geometric data, which allowed us to add a level of randomness to our experiments while adhering to chosen semantic rules and other constraints.
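The distinction the abstract draws, between a low-level syntactic mutation that a loader can reject on sight and a high-level semantic mutation that keeps the file loadable, is easiest to see on a self-describing record. The following is an added example written for this page; it is not code from the thesis or from ParseENC. It implements a minimal builder, parser and mutator for an ISO/IEC 8211-style data record, using the 24-byte leader, directory and field-area layout of that standard as the example assumes it. The field tags and subfield values in SAMPLE are constructed test data, not real S-57 chart content, and `mutate_subfield` and `corrupt_record_length` are names chosen for the example.

```python
# Added example: an ISO/IEC 8211-style record that carries its own layout
# (record length, base address, directory digit widths) in its leader.
# Tags and values below are constructed sample data, not real S-57 content.

FT = b"\x1e"  # field terminator
UT = b"\x1f"  # unit (subfield) terminator


def build_record(fields, leader_id=b"D"):
    """Serialise [(tag, value), ...] into one record.

    The leader records the total length, the base address of the field area
    and an entry map giving the digit widths used by the directory, so the
    record describes how it should be parsed.
    """
    field_area = b""
    entries = []
    for tag, value in fields:
        if len(tag) != 4:
            raise ValueError("tags are four bytes")
        body = value + FT                      # every field ends in FT
        entries.append((tag, len(body), len(field_area)))
        field_area += body
    w_len = max(1, max((len(str(n)) for _, n, _ in entries), default=0))
    w_pos = max(1, max((len(str(p)) for _, _, p in entries), default=0))
    directory = b"".join(
        tag + str(n).zfill(w_len).encode() + str(p).zfill(w_pos).encode()
        for tag, n, p in entries
    ) + FT
    base = 24 + len(directory)                 # field area starts here
    rec_len = base + len(field_area)
    leader = (
        f"{rec_len:05d}".encode()   # record length
        + b" " + leader_id          # interchange level, leader identifier
        + b"   "                    # inline code ext., version, application ind.
        + b"  "                     # field control length (blank in a data record)
        + f"{base:05d}".encode()    # base address of field area
        + b"   "                    # extended character set indicator
        + str(w_len).encode() + str(w_pos).encode() + b"0" + b"4"  # entry map
    )
    assert len(leader) == 24
    return leader + directory + field_area


def parse_record(data):
    """Parse a record using only the layout information it carries itself.

    Raises ValueError on any syntactic inconsistency: this is the cheap,
    low-level check a chart loader performs before interpreting content.
    """
    if len(data) < 24:
        raise ValueError("truncated leader")
    rec_len = int(data[0:5])
    base = int(data[12:17])
    w_len, w_pos, w_tag = int(data[20:21]), int(data[21:22]), int(data[23:24])
    if rec_len != len(data) or base > len(data) or data[base - 1:base] != FT:
        raise ValueError("leader lengths disagree with record body")
    entry_size = w_tag + w_len + w_pos
    directory = data[24:base - 1]
    if len(directory) % entry_size:
        raise ValueError("ragged directory")
    fields = []
    for i in range(0, len(directory), entry_size):
        e = directory[i:i + entry_size]
        tag = e[:w_tag]
        n = int(e[w_tag:w_tag + w_len])
        p = int(e[w_tag + w_len:])
        body = data[base + p:base + p + n]
        if len(body) != n or body[-1:] != FT:
            raise ValueError(f"field {tag!r} overruns record or lacks FT")
        fields.append((tag, body[:-1]))
    return fields


def mutate_subfield(data, tag, index, fn):
    """High-level (semantic) mutation: rewrite one UT-separated subfield of
    field `tag`, then re-serialise so leader and directory stay consistent.
    The result parses cleanly even though its meaning may now be wrong."""
    out = []
    for t, value in parse_record(data):
        if t == tag:
            parts = value.split(UT)
            parts[index] = fn(parts[index])
            value = UT.join(parts)
        out.append((t, value))
    return build_record(out)


def corrupt_record_length(data):
    """Low-level (syntactic) mutation: overwrite the leader's record length
    without touching anything else, so the record no longer self-describes."""
    return b"99999" + data[5:]


# Constructed sample: a record-id field, a vector-record-like header and a
# coordinate pair stored as integer subfields (not real S-57 field layouts).
SAMPLE = build_record([
    (b"0001", b"1"),
    (b"VRID", UT.join([b"110", b"1", b"1"])),
    (b"COOR", UT.join([b"-123456789", b"49123456"])),
])
```

Running `parse_record(SAMPLE)` returns the three fields; `mutate_subfield(SAMPLE, b"COOR", 1, lambda v: b"490000000")` moves the coordinate an order of magnitude while the mutated bytes still satisfy every leader and directory check, which is the property the thesis exploits; `parse_record(corrupt_record_length(SAMPLE))` raises immediately, illustrating why purely syntactic mutations tend to be caught before they reach rendering code.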

