Shark2Pit is an automated tool designed to generate high-quality test templates (Pit files) for protocol fuzzing. By leveraging Tshark for packet parsing, Shark2Pit extracts protocol metadata and constructs data models, from which it synthesizes structurally valid data models and state models.
- Automated Parsing: Converts PCAP/PCAPNG traffic into structured PDML format automatically.
- Structure-Preserving Synthesis: Generates novel data models while maintaining protocol structural validity using the `--synthetic` flag.
- State Model Enhancement: Supports state shuffling and repetition strategies to explore deeper interaction paths.
- Extensibility: Designed to easily integrate new protocol implementations and fuzzing engines.
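To make the PDML-to-data-model step concrete, here is an added Python example; it is not Shark2Pit's own code (the tool's internals are not shown on this page), the PDML is a hand-constructed snippet shaped like `tshark -T pdml` output, and the `<DataModel>` it renders is a simplified, hypothetical approximation of a Peach Pit data model rather than what Shark2Pit emits.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one UDP/CoAP GET, shaped like `tshark -T pdml` output.
SAMPLE_PDML = """<pdml version="0" creator="wireshark/3.2.3">
<packet>
 <proto name="udp" size="8" pos="34">
  <field name="udp.srcport" size="2" pos="34" show="5683" value="1633"/>
 </proto>
 <proto name="coap" size="12" pos="42">
  <field name="coap.version" size="1" pos="42" show="1" value="40"/>
  <field name="coap.type" size="1" pos="42" show="0" value="40"/>
  <field name="coap.token_len" size="1" pos="42" show="0" value="40"/>
  <field name="coap.code" size="1" pos="43" show="1" value="01"/>
  <field name="coap.mid" size="2" pos="44" show="4660" value="1234"/>
  <field name="coap.opt.name" size="5" pos="46" show="Uri-Path" value="b474657374"/>
 </proto>
</packet>
</pdml>"""

def extract_layers(pdml_text, layers):
    """Map each requested layer to its fields as (name, size_bytes, pos, hex_value)."""
    # Layers not named on the command line (here: udp) are dropped, mirroring
    # Shark2Pit's `[layer1 layer2 ...]` argument.
    model = {layer: [] for layer in layers}
    for proto in ET.fromstring(pdml_text).iter("proto"):
        name = proto.get("name")
        if name not in model:
            continue
        for field in proto.iter("field"):
            if field.get("value") is None:  # container node, owns no bytes
                continue
            model[name].append((field.get("name"), int(field.get("size", 0)),
                                int(field.get("pos", 0)), field.get("value")))
    return model

def to_data_model(layer, fields):
    """Render fields as a minimal Peach-style <DataModel> (simplified; hypothetical)."""
    # Sub-byte fields share one byte offset (CoAP version/type/token length); the
    # first one wins so the emitted model stays byte-aligned.
    lines, seen = ['<DataModel name="%s">' % layer], set()
    for name, size, pos, value in fields:
        if pos in seen:
            continue
        seen.add(pos)
        if size in (1, 2, 4, 8):
            lines.append('  <Number name="%s" size="%d" valueType="hex" value="%s" />'
                         % (name, size * 8, value))
        else:  # variable-length data such as options go in as an opaque Blob
            lines.append('  <Blob name="%s" valueType="hex" value="%s" />' % (name, value))
    lines.append("</DataModel>")
    return "\n".join(lines)
```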
The project is organized as follows:

```
Shark2Pit
├── pcaps/          # Input: Raw protocol traffic files (e.g., coap.pcap)
├── pdml/           # Intermediate: Tshark parsing outputs
├── json/           # Intermediate: Preprocessing results
├── pit/            # Output: Generated Pit files (XML)
├── tool/           # Core Shark2Pit implementation source code
├── subjects/       # Target protocol implementations for evaluation
│   ├── bacnet/
│   └── coap/       # Includes build scripts (e.g., coap_build.sh)
├── fuzzers/        # Generation-based fuzzing engines
│   ├── Peach/
│   └── PeachStar/
└── Shark2Pit.sh    # Main entry script
```
Shark2Pit is optimized for Ubuntu 20.04 (64-bit) or newer. We strongly recommend using Docker to ensure a consistent environment.
Option 1 (Docker Pull): This is the fastest way to get started. The Docker image contains the tool and pre-configured dependencies.

```bash
# Download the image containing Shark2Pit and Peach Fuzzer dependencies.
docker pull fyldocker/shark2pit:peach
# Start the container. '--privileged' is required for packet capture and debugger access.
docker run -it --privileged --name shark2pit fyldocker/shark2pit:peach /bin/bash
```

Option 2 (Build from source): If you prefer to build the environment locally or modify the source code:
```bash
# 1. Install system dependencies
apt update && apt install -y tshark tcpdump
# 2. Clone the repository
cd /root
git clone https://github.com/csu-wingmate/Shark2Pit.git
# 3. Build the Docker image
cd /root/Shark2Pit/fuzzers/Peach
docker build . -t shark2pit
# 4. Run the container
docker run -it --privileged --name shark2pit shark2pit /bin/bash
```

The main functionality is accessed via the Shark2Pit.sh script.
```bash
./Shark2Pit.sh [options] <protocol_name> [layer1 layer2 ...]
```

Arguments:
- `protocol_name`: The name of the protocol to process (corresponds to the filename in `pcaps/` without extension).
- `layer_list`: Space-separated list of protocol layers to analyze (e.g., `coap`, `dns`, `mbtcp`).

Options:
- `-h`, `--help`: Show the help message.
- `-s`, `--synthetic`: (Recommended) Enable data reconstitution (packet reassembly) to generate diverse data models.
- `-sh`, `--shuffle`: Enable state shuffling to discover new transition paths.
- `-r`, `--repeat`: Specify the number of times to repeat states (tests protocol implementation stability).
```bash
# Basic generation for CoAP
./Shark2Pit.sh coap coap
# Generation with synthetic data, state shuffling, and state repetition
./Shark2Pit.sh -s -sh -r 2 coap coap
# Multi-layer protocols
./Shark2Pit.sh modbus modbus mbtcp
./Shark2Pit.sh -s dns dns
```

This tutorial demonstrates how to generate a Pit file for a CoAP protocol implementation (libcoap) and run the Peach fuzzer.
Enter the working directory inside the container:

```bash
cd /root/Shark2Pit
```

Note: If you used Option 1 (Docker Pull), the targets are pre-built, and you can skip the build step.

If you built from source, compile the CoAP protocol implementation (libcoap):

```bash
cd /root/Shark2Pit/subjects/coap
./coap_build.sh
cd /root/Shark2Pit # Return to root
```

Generate the test template using Shark2Pit with synthesis enabled:
```bash
cd /root/Shark2Pit
./Shark2Pit.sh -s -sh -r 2 coap coap
```

Run the fuzzing script. The default protocol is CoAP.
```bash
./run_peach.sh coap
# Or run CoAP fuzzing directly with Peach (without branch coverage collection).
# If you need to collect branch coverage, set up shared memory before executing the command.
/root/Peach/bin/peach ./pit/coap.xml
```

To validate the effectiveness of Shark2Pit, we evaluated it against several actively maintained, open-source protocol implementations. Shark2Pit successfully uncovered 5 previously unknown bugs, ranging from memory safety violations to undefined behaviors. All discovered bugs have been reported to the respective vendors, and most have been fixed.
The table below summarizes the critical vulnerabilities found by Shark2Pit:
| Target Protocol | Bug Type | Issue ID / Link | Status |
|---|---|---|---|
| libcoap | Use-of-uninitialized-value | obgm/libcoap#1720 | Acked |
| libcoap | Heap-use-after-free | obgm/libcoap#1659 | Fixed |
| OpENer | Undefined-behavior | EIPStackGroup/OpENer#532 | Fixed |
| bacnet-stack | Use-of-uninitialized-value | bacnet-stack/bacnet-stack#1045 | Fixed |
| open62541 | Undefined-behavior | open62541/open62541#7358 | Acked |
Shark2Pit is designed to be easily extended to new protocols and fuzzers.

To add a protocol (e.g., FTP) and a target server (e.g., LightFTP):

- Create Protocol Directory: Create a new folder in `subjects/`.

  ```
  subjects/ftp/
  └── ftp_build.sh    # Script to build the target binary
  ```

- Update Configuration: Register the protocol in `tool/shark2pit_config.json`.

  ```json
  "ftp": {
    "transport": "Tcp",
    "default_executable": "/root/LightFTP/Source/Release/fftp",
    "default_arguments": "/root/LightFTP/Bin/fftp.conf",
    "default_host": "127.0.0.1",
    "default_port": 21,
    "agent_class": "TcpClient"
  }
  ```
To integrate a new fuzzing engine (e.g., PeachStar):

- Create Fuzzer Directory:

  ```
  fuzzers/PeachStar/
  ├── Dockerfile          # For building the fuzzer environment
  ├── run_peachstar.sh    # Execution script
  └── ...                 # Other dependencies
  ```

- Follow Templates: Refer to the existing `fuzzers/Peach/` directory for structure and naming conventions.
A demonstration of Shark2Pit in action can be viewed here: [Demo Video]