ASE 2024
Sun 27 October - Fri 1 November 2024 Sacramento, California, United States

This program is tentative and subject to change.

Wed 30 Oct 2024 15:30 - 15:45 at Magnolia - Fuzzing 2

Data Distribution Service (DDS) is a distributed network protocol widely used in various cyber-physical systems (CPSs). DDS provides flexible configurations defined in the formal design specification for safety and security. However, DDS programs suffer from various software bugs, such as memory safety bugs and semantic bugs violating their specifications. To discover bugs, network protocol fuzzers have been focusing on testing client-server models by mutating input packets. However, they are unsuitable for fuzzing DDS programs due to the lack of consideration of the features specific to DDS, such as the input spaces (e.g., dynamic network topology formation, and QoS and DDS security configurations) and impacts of DDS-specific semantic bugs (e.g., incorrect topology construction).

In this paper, we propose DDSFuzz, a fuzzing framework effective for DDS programs by addressing the unique features of DDS. Specifically, we develop a novel topology-aware and parameter-validity-guided input generator integrated with a state-of-the-art packet input mutator and a differential-fuzzing-based bug detector. Our proposed input generator produces inputs in consideration of DDS-specific input spaces, the validity of DDS topologies, and the configurations and dependencies of parameters. This scheme enables DDSFuzz to test hard-to-reach code that existing techniques fail to cover. Furthermore, our differential-fuzzing-based bug detector enables the discovery of semantic bugs specific to DDS. For that, our DDS program monitor, built upon DDS-specific APIs and listeners, detects behaviors triggered by bugs. We evaluate DDSFuzz with three major DDS programs: Fast DDS, Cyclone DDS, and OpenDDS, in which DDSFuzz found 20 bugs, and seven CVEs were assigned. DDSFuzz shows an average of 5.05 times higher code coverage than that of existing fuzzers, showing the effectiveness of DDS bug detection.

Wed 30 Oct

Displayed time zone: Pacific Time (US & Canada)

15:30 - 16:30
15:30
15m
Talk
Differential Fuzzing for Data Distribution Service Programs with Dynamic Configuration
Research Papers
Dohyun Ryu The Pennsylvania State University, Giyeol Kim The Pennsylvania State University, Daeun Lee Pusan National University, Seongjin Kim The Pennsylvania State University, Seungjin Bae The Pennsylvania State University, Junghwan Rhee University of Central Oklahoma, Taegyu Kim The Pennsylvania State University
15:45
15m
Talk
Seeding and Mocking in White-Box Fuzzing Enterprise RPC APIs: An Industrial Case Study
Industry Showcase
Man Zhang Beihang University, China, Andrea Arcuri Kristiania University College and Oslo Metropolitan University, Piyun Teng Meituan, kaiming.xue Meituan, Wenhao Wang Meituan
16:00
15m
Talk
Industry Practice of Directed Kernel Fuzzing for Open-source Linux Distribution
Industry Showcase
Heyuan Shi Central South University, Shijun Chen Central South University, Runzhe Wang Alibaba Group, Yuhan Chen Central South University, Weibo Zhang Central South University, Qiang Zhang Hunan University, Yuheng Shen Tsinghua University, Xiaohai Shi Alibaba Group, Chao Hu Central South University, Yu Jiang Tsinghua University
16:15
10m
Talk
Visualizing and Understanding the Internals of Fuzzing
NIER Track
Sriteja Kummita Fraunhofer Institute for Mechatronic Systems Design (Fraunhofer IEM), Zenong Zhang The University of Texas - Dallas, Eric Bodden Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEM, Shiyi Wei University of Texas at Dallas