AFLNet Five Years Later: On Coverage-Guided Protocol Fuzzing
Ruijie Meng, Van-Thuan Pham, Marcel Böhme, and Abhik Roychoudhury

TL;DR
This paper reviews the five-year development and impact of AFLNet, a coverage-guided protocol fuzzer that considers protocol states and sequences to improve testing effectiveness, highlighting its technical evolution and influence.
Contribution
It provides an extended discussion, empirical evaluation, and reflection on the advancements and impact of AFLNet in protocol fuzzing over five years.
Findings
AFLNet significantly improved protocol fuzzing coverage.
The tool has been widely adopted and actively maintained.
It influenced subsequent research and practical testing approaches.
Abstract
Protocol implementations are stateful, which makes them difficult to test: Sending the same test input message twice might yield a different response every time. Our proposal to consider a sequence of messages as a seed for coverage-directed greybox fuzzing, to associate each message with the corresponding protocol state, and to maximize the coverage of both the state space and the code was first published in 2020 in a short tool demonstration paper. AFLNet was the first code- and state-coverage-guided protocol fuzzer; it used the response code as an indicator of the current protocol state. Over the past five years, the tool paper has gathered hundreds of citations, the code repository was forked almost 200 times and has seen over thirty pull requests from practitioners and researchers, and our initial proposal has been improved upon in many significant ways. In this paper, we first…
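
The abstract's idea of using the response code as the protocol-state indicator, sketched as an added example (not AFLNet's code and not taken from the paper). It assumes FTP-style three-digit reply codes; the byte strings are constructed samples, and `extract_states`, `StateCoverage` and `retained` are hypothetical names. Only state and transition novelty is tracked here; code coverage, the other half of the feedback, is left out.

```python
import re

# Constructed server replies for four message sequences (not real captures).
RUN_LOGIN = b"220 ready\r\n331 need password\r\n230-welcome\r\n230 logged in\r\n"
RUN_BAD_PASS = b"220 ready\r\n331 need password\r\n530 login incorrect\r\n"
RUN_RETRY = RUN_BAD_PASS + b"331 need password\r\n230 logged in\r\n"
RUN_NO_USER = b"220 ready\r\n503 login with USER first\r\n"

# A final reply line looks like "230 text"; "230-text" only opens a
# multi-line reply and is not counted as a state of its own.
REPLY = re.compile(rb"^(\d{3}) ", re.M)


def extract_states(response: bytes) -> list:
    """State sequence for one run: 0 (initial state), then each reply code."""
    return [0] + [int(m.group(1)) for m in REPLY.finditer(response)]


class StateCoverage:
    """States and transitions observed so far across all executed seeds."""

    def __init__(self):
        self.states = {0}
        self.edges = set()

    def update(self, response: bytes):
        """Merge one run; return the (new_states, new_edges) it contributed."""
        seq = extract_states(response)
        new_states = set(seq) - self.states
        new_edges = set(zip(seq, seq[1:])) - self.edges
        self.states |= new_states
        self.edges |= new_edges
        return new_states, new_edges


def retained(responses):
    """Per run: True if it reached a new state or transition (keep the seed)."""
    cov = StateCoverage()
    return [any(cov.update(r)) for r in responses]
```

`RUN_RETRY` visits only states already seen but adds the transition 530 -> 331, so tracking transitions keeps a seed that a state-only check would drop.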
Taxonomy
Topics: Software Testing and Debugging Techniques · Web Application Security Vulnerabilities · Formal Methods in Verification
