PEACH
Abstract
Network-based tools have become a central component in the operation of many institutions such as businesses, universities and governments. The growing amount of sensitive data being transported over networks necessitates innovation to ensure these networks remain secure. Virtual Private Networks (VPNs) establish private connections between a remote user and a network. Since the rise in popularity of VPNs in the 1990s, many different VPN protocols have been created. Older VPN protocols that appear to be more theoretically sound often carry a large amount of complexity, which increases their vulnerability. WireGuard is a newer, much simpler protocol with several user space implementations. Fuzzing, a technique for exposing vulnerabilities in software, may be a useful tool for exposing problems in user space implementations of WireGuard, thus enabling developers to make them more secure. In this study we investigate the viability of Peach as a tool for fuzzing network protocols, specifically WireGuard. We use Peach to fuzz Wireguard-go, a user space implementation of the WireGuard protocol. We found that Wireguard-go demonstrated a reasonable level of robustness and, in addition, was simple to run and configure. Furthermore, we found that Peach was minimally affected by differing switch count values. The choice of mutation strategy, as well as the value assigned for the maximum fields mutated, were found to affect the number of iterations performed by Peach in the allocated time. This suggests a trade-off between coverage and efficiency in the case of maximum fields to mutate. A drastic decrease in performance was observed when Peach was configured to restart the process on each iteration. This suggests that restarting the process on each iteration should be reserved for only the most necessary cases.
Research Questions
This study is guided by the following research questions.
Can Peach effectively fuzz a modern network protocol?
What shortcomings make Peach challenging to use and how can they be overcome?
How do key parameters such as mutation strategy, switch count and maximum fields to mutate impact the efficiency of Peach?
What strategies does Wireguard-go implement to reduce the risk of attack?
To address these questions the following research objectives were formulated.
Objectives
Configure Peach to send a handshake initiation message that Wireguard-go recognises and accepts.
Produce practical insights and recommendations that future researchers can use when applying Peach or similar fuzzers to VPN protocols.
Send invalid or partially invalid packets to the server and observe the server's response.
Mimic a replay attack to observe the server's response.
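The objectives above all send packets at the responder's handshake initiation parser, so it helps to see what that parser has to check before it will look at a packet at all. The following is an added example written for this page, not code from the study or from wireguard-go: it models the responder-side structural validation of a WireGuard handshake initiation message (type 1, 148 bytes) using the field layout and the mac1 construction from the WireGuard protocol description (mac1 is a 16-byte keyed BLAKE2s over the message up to mac1, keyed with BLAKE2s-256 of "mac1----" followed by the responder's static public key). The responder key and the opaque encrypted fields are constructed dummies; no Noise handshake is performed, and the exact order in which wireguard-go performs these checks is an assumption about a typical responder rather than something the poster states.

```python
"""Responder-side structural validation of a WireGuard handshake initiation.

Added example, not code from the study or from wireguard-go.  It shows the
cheap checks a responder applies (length, type, reserved bytes, mac1) before
doing any expensive cryptography; these are the first things a packet fuzzer
runs into, and a mutated packet without a recomputed mac1 is dropped here.
"""
import hashlib
import hmac
import struct

HANDSHAKE_INIT_TYPE = 1
HANDSHAKE_INIT_LEN = 148               # 1 + 3 + 4 + 32 + 48 + 28 + 16 + 16 bytes
MAC1_OFFSET = HANDSHAKE_INIT_LEN - 32  # mac1 covers every byte before itself
LABEL_MAC1 = b"mac1----"

# Constructed dummy key for the example; not a real WireGuard public key.
DUMMY_RESPONDER_PUB = bytes(range(32))


def mac1_key(responder_static_pub: bytes) -> bytes:
    """HASH(LABEL_MAC1 || S_pub) with HASH = BLAKE2s-256, per the protocol."""
    return hashlib.blake2s(LABEL_MAC1 + responder_static_pub, digest_size=32).digest()


def compute_mac1(msg_alpha: bytes, responder_static_pub: bytes) -> bytes:
    """MAC(key, input) = keyed BLAKE2s with a 16-byte output."""
    key = mac1_key(responder_static_pub)
    return hashlib.blake2s(msg_alpha, digest_size=16, key=key).digest()


def build_handshake_init(responder_static_pub: bytes, sender_index: int,
                         ephemeral: bytes, enc_static: bytes,
                         enc_timestamp: bytes) -> bytes:
    """Assemble a structurally valid initiation message.

    The ephemeral and encrypted fields are treated as opaque bytes of the
    right length; only the framing and mac1 are computed for real.
    """
    head = struct.pack("<B3xI", HANDSHAKE_INIT_TYPE, sender_index)  # type, 3 reserved, index (LE)
    body = head + ephemeral + enc_static + enc_timestamp
    if len(body) != MAC1_OFFSET:
        raise ValueError("field lengths do not match the initiation layout")
    mac1 = compute_mac1(body, responder_static_pub)
    mac2 = bytes(16)  # all zeros when the responder is not under load
    return body + mac1 + mac2


def validate_handshake_init(pkt: bytes, responder_static_pub: bytes) -> str:
    """Return "ok" or the name of the first check that fails.

    Checks are ordered cheapest first, as a responder would to resist
    flooding; mac1 is verified in constant time before anything else is
    trusted.
    """
    if len(pkt) != HANDSHAKE_INIT_LEN:
        return "length"
    if pkt[0] != HANDSHAKE_INIT_TYPE:
        return "type"
    if pkt[1:4] != b"\x00\x00\x00":
        return "reserved"
    expected = compute_mac1(pkt[:MAC1_OFFSET], responder_static_pub)
    if not hmac.compare_digest(pkt[MAC1_OFFSET:MAC1_OFFSET + 16], expected):
        return "mac1"
    return "ok"


def example_cases() -> dict:
    """Run a valid packet and a few constructed malformed variants through
    the validator and report which check rejects each one."""
    good = build_handshake_init(DUMMY_RESPONDER_PUB, 0x01020304,
                                bytes(32), bytes(48), bytes(28))
    flipped_mac = bytes(b ^ 0xFF for b in good[MAC1_OFFSET:MAC1_OFFSET + 16])
    bad_mac = good[:MAC1_OFFSET] + flipped_mac + good[MAC1_OFFSET + 16:]
    wrong_type = b"\x02" + good[1:]
    mutated_body = good[:8] + b"\xff" + good[9:]  # one byte of the ephemeral changed, mac1 left alone
    return {
        "valid": validate_handshake_init(good, DUMMY_RESPONDER_PUB),
        "truncated": validate_handshake_init(good[:100], DUMMY_RESPONDER_PUB),
        "wrong_type": validate_handshake_init(wrong_type, DUMMY_RESPONDER_PUB),
        "bad_mac1": validate_handshake_init(bad_mac, DUMMY_RESPONDER_PUB),
        "mutated_body": validate_handshake_init(mutated_body, DUMMY_RESPONDER_PUB),
    }


if __name__ == "__main__":
    for name, verdict in example_cases().items():
        print(f"{name:>13}: {verdict}")
```

The "mutated_body" case is the one that matters for the first objective: any mutation inside the mac1-covered region invalidates mac1, so a fuzzer that does not recompute mac1 over the mutated bytes only ever exercises the responder's first few checks. Getting Wireguard-go to recognise and accept a generated initiation therefore requires the fuzzer to attach a mac1 computed from the responder's static public key after mutation.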
Results
Mutation Strategy
The random and random deterministic strategies displayed similar performance, with the random deterministic strategy performing slightly better.
The sequential strategy executed a misleadingly low number of iterations due to its fixed number of test cases. A crude calculation of the number of iterations that could have been executed in three hours implies an estimated iteration value of 747,270.
Switch Count
The iteration count was stable across different values of switch count, indicating that Peach is resilient to differing switch count values.
Maximum Fields Mutated
This experiment showed that reducing the maximum fields to mutate leads to better performance; however, it limits coverage of the test space, introducing a trade-off between performance and coverage.
Persistent vs Non-persistent
The persistent case proved to be 50 times more efficient than the non-persistent case.
These results indicate that significant overhead is incurred when the process is restarted for each iteration.
Non-persistent execution should be reserved for cases where it is strictly necessary.