Stateful protocol fuzzing with statemap-based reverse state selection
Liu Yu, Shen Yanlong, Zhou Ying

TL;DR
This paper introduces SMGFuzz, a novel stateful protocol fuzzing method that leverages reverse state selection based on coverage information to improve efficiency and effectiveness in detecting protocol vulnerabilities.
Contribution
It proposes a statemap-based reverse state selection approach that enhances coverage and crash detection in stateful protocol fuzzing, optimizing message sequence construction.
Findings
12.48% increase in edge coverage compared to AFLNet
50.1% increase in unique crashes detected
40.2% faster test case execution
Abstract
Stateful Coverage-Based Greybox Fuzzing (SCGF) is considered the state-of-the-art method for network protocol greybox fuzzing. During the protocol fuzzing process, SCGF constructs the state machine of the target protocol by identifying protocol states. Optimal states are selected for fuzzing using heuristic methods, along with corresponding seeds and mutation regions, to effectively conduct fuzz testing. Nevertheless, existing SCGF methodologies prioritise the selection of protocol states without considering the correspondence between program basic block coverage information and protocol states. To address this gap, this paper proposes a statemap-based reverse state selection method for SCGF. This approach prioritises the coverage information of fuzzy test seeds, and delves deeper into the correspondence between the basic block coverage information of the programme and the protocol…
Taxonomy
Topics: Software Testing and Debugging Techniques · Web Application Security Vulnerabilities · Advanced Malware Detection Techniques
