Methods for Testing QUIC Network Protocol Implementations
Date
2024
Authors
Ang, Kian Kai
Advisors
Ranasinghe, Damith Chinthana
Pope, Cheryl
Type
Thesis
Abstract
QUIC is a secure transport layer protocol optimised for performance. It was ratified by the IETF in May 2021 and represents a key part of the HTTP/3 standard experiencing rapid adoption. The protocol offers an alternative to secure transport currently offered with TLS over TCP. QUIC’s main challenge concerns providing low latency, reliable transport streams over unreliable UDP and delivering an inherently secure protocol by incorporating elements of TLS into a unified protocol. The result is an advanced protocol design with new features not directly addressed in the analysis of TLS, UDP, or TCP—notably, the QUIC specifications alone reach almost 80,000 words, and QUIC controls all security and reliable transport parameters over multiple streams. Consequently, the accidental inclusion of software bugs, logical flaws, and specification non-conformance within QUIC implementations is inevitable. Given that networked applications are routinely subject to attacks, it is crucial to identify and address potential issues before they are exploited. However, there remains a significant gap in the availability of open-source testing methods to validate the behaviour and test the robustness of QUIC implementations. Most existing tools are either designed for QUIC versions released prior to ratification or Google-QUIC (now replaced by the standardised IETF QUIC) or are not open-source. This dissertation presents two key contributions aimed at improving the security and robustness of QUIC server-side implementations. First, the study designs a QUIC-specific non-compliance tester to uncover deviations from the protocol standard, dubbed QUICTESTER. QUICTESTER is evaluated on 19 open-source QUIC server-side implementations from well-known vendors, including Google, Microsoft, Amazon, Meta, Mozilla, and Cloudflare. In total, QUICTESTER uncovered 55 faults with five CVEs assigned and a bug bounty awarded.
The second study implements a grey-box mutation-based fuzzer called QUIC-FUZZ to identify vulnerabilities beyond those caused by protocol non-compliance in QUIC server-side implementations. Notably, QUIC-FUZZ is benchmarked against state-of-the-art network protocol fuzzers—namely, Fuzztruction-Net, ChatAFL, and AFLNet—on six open-source QUIC servers. QUIC-FUZZ outperforms these fuzzers, with up to an 84% increase in code coverage observed. QUIC-FUZZ uncovers ten previously unknown vulnerabilities, leading to two CVEs and a bug bounty award.
School/Discipline
School of Computer and Mathematical Sciences
Dissertation Note
Thesis (MPhil) -- University of Adelaide, School of Computer and Mathematical Sciences, 2025
Provenance
This electronic version is made publicly available by the University of Adelaide in accordance with its open access policy for student theses. Copyright in this thesis remains with the author. This thesis may incorporate third party material which has been used by the author pursuant to Fair Dealing exceptions. If you are the owner of any included third party copyright material you wish to be removed from this electronic version, please complete the take down form located at: http://www.adelaide.edu.au/legals