APFuzz: Towards Automatic Greybox Protocol Fuzzing

TL;DR

APFuzz is an innovative greybox protocol fuzzer that automatically constructs accurate state models and employs field-level mutations, significantly improving fuzzing effectiveness for stateful protocols.

Contribution

It introduces a two-stage static and dynamic analysis for automatic state variable identification and uses message structure awareness via Large Language Models for targeted mutations.

Findings

APFuzz outperforms AFLNET and other greybox fuzzers in benchmark tests.

Automatic state model inference improves fuzzing coverage.

Field-level mutations enhance the discovery of protocol vulnerabilities.

Abstract

Greybox protocol fuzzing is a random testing approach for stateful protocol implementations, where the input is protocol messages generated from mutations of seeds, and the search in the input space is driven by the feedback on coverage of both code and state. State model and message model are the core components of communication protocols, which also have significant impacts on protocol fuzzing. In this work, we propose APFuzz (Automatic greybox Protocol Fuzzer) with novel designs to increase the smartness of greybox protocol fuzzers from the perspectives of both the state model and the message model. On the one hand, APFuzz employs a two-stage process of static and dynamic analysis to automatically identify state variables, which are then used to infer an accurate state model during fuzzing. On the other hand, APFuzz introduces field-level mutation operations for binary protocols, leveraging message structure awareness enabled by Large Language Models. We conduct extensive experiments on a public protocol fuzzing benchmark, comparing APFuzz with the baseline fuzzer AFLNET as well as several state-of-the-art greybox protocol fuzzers.