SemFuzz: A Semantics-Aware Fuzzing Framework for Network Protocol Implementations
Yanbang Sun, Quan Luo, Yuelin Wang, Qian Chen, Benjin Liu, Ruiqi Chen, Qing Huang, Xiaohong Li, Junjie Wang

TL;DR
SemFuzz is a novel semantics-aware fuzzing framework that uses language models to extract protocol semantics and identify deep vulnerabilities, outperforming traditional methods in detecting semantic flaws.
Contribution
This paper introduces SemFuzz, the first framework leveraging language models for semantic rule extraction and targeted fuzzing of network protocols.
Findings
Identified 16 potential vulnerabilities across seven protocols.
Confirmed 10 vulnerabilities, including 5 previously unknown.
Assigned CVEs to 4 vulnerabilities.
Abstract
Network protocols are the foundation of modern communication, yet their implementations often contain semantic vulnerabilities stemming from inadequate understanding of specification semantics. Existing gray-box and black-box testing approaches lack semantic modeling of protocols, making it difficult to precisely express testing intent and cover boundary conditions. Moreover, they typically rely on coarse-grained oracles such as crashes, which are inadequate for identifying deep semantic vulnerabilities. To address these limitations, we present a semantics-aware fuzzing framework, SemFuzz. The framework leverages large language models to extract structured semantic rules from RFC documents and generates test cases that intentionally violate these rules to encode specific testing intents. It then detects deep semantic vulnerabilities by comparing the observed responses with the expected…
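The abstract describes two ideas worth seeing in code: encoding a testing intent as a deliberately rule-violating input, and using the specification's expected response (rather than a crash) as the oracle. The following Python sketch is an added illustration, not code from the SemFuzz authors. It assumes the rule-extraction step has already happened and hand-writes four structured rules for a constructed toy key/value protocol; the toy server under test contains a planted semantic defect (a missing upper-bound check) that never crashes and so would be invisible to a crash-only oracle.

```python
"""Toy illustration of semantics-aware fuzzing (added example, not the paper's code).
Rule extraction is assumed to have already produced structured rules; here they are
hand-written in the shape a rule extractor might emit from a specification.  We
generate one rule-violating message per rule and compare the observed reply with
the reply a compliant implementation must give.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed toy protocol: a message is a flat set of field=value pairs.
Message = Dict[str, str]


@dataclass(frozen=True)
class SemanticRule:
    """One structured rule (constructed): how to violate it and what a compliant
    implementation must answer when it is violated."""
    rule_id: str
    description: str
    violate: Callable[[Message], Message]  # mutate a valid message so it breaks the rule
    expected_reply: str                    # reply mandated for that violation


# A valid baseline message; every test case is a minimal deviation from it.
BASE_MESSAGE: Message = {"cmd": "SET", "key": "alpha", "ttl": "60", "value": "x"}


def _with(msg: Message, **changes: str) -> Message:
    """Return a copy of msg with the given fields overridden."""
    out = dict(msg)
    out.update(changes)
    return out


# Hypothetical rules for the toy protocol (constructed, not from any RFC).
RULES: List[SemanticRule] = [
    SemanticRule("R1", "ttl MUST be a non-negative integer",
                 lambda m: _with(m, ttl="-5"), "ERR_INVALID_TTL"),
    SemanticRule("R2", "ttl MUST NOT exceed 86400",
                 lambda m: _with(m, ttl="86401"), "ERR_INVALID_TTL"),
    SemanticRule("R3", "key MUST be at most 8 characters",
                 lambda m: _with(m, key="a" * 9), "ERR_KEY_TOO_LONG"),
    SemanticRule("R4", "cmd MUST be one of SET or GET",
                 lambda m: _with(m, cmd="PUT"), "ERR_UNKNOWN_CMD"),
]


def toy_server(msg: Message) -> str:
    """Implementation under test (constructed).  It enforces the lower bound on
    ttl but forgets the upper bound, so an oversized ttl is silently accepted:
    no crash, just a reply that contradicts the specification."""
    if msg.get("cmd") not in ("SET", "GET"):
        return "ERR_UNKNOWN_CMD"
    if len(msg.get("key", "")) > 8:
        return "ERR_KEY_TOO_LONG"
    try:
        ttl = int(msg.get("ttl", "0"))
    except ValueError:
        return "ERR_INVALID_TTL"
    if ttl < 0:  # the matching "ttl > 86400" check is missing: the planted semantic bug
        return "ERR_INVALID_TTL"
    return "OK"


def semantic_fuzz(target: Callable[[Message], str],
                  rules: List[SemanticRule]) -> Dict[str, Dict[str, str]]:
    """Send one rule-violating message per rule and report every rule whose
    observed reply differs from the reply the rule mandates.  The oracle is
    the expected reply, so wrong-but-graceful behaviour is caught too."""
    findings: Dict[str, Dict[str, str]] = {}
    for rule in rules:
        observed = target(rule.violate(BASE_MESSAGE))
        if observed != rule.expected_reply:
            findings[rule.rule_id] = {
                "description": rule.description,
                "expected": rule.expected_reply,
                "observed": observed,
            }
    return findings


if __name__ == "__main__":
    for rid, f in semantic_fuzz(toy_server, RULES).items():
        print(f"{rid}: {f['description']} -> expected {f['expected']}, got {f['observed']}")
```

Running the sketch reports only R2: the server answers OK to a ttl of 86401 where the rule mandates ERR_INVALID_TTL. The other three violations are handled correctly, and none of the four ever crashes the server, which is exactly the class of defect the abstract says crash-based oracles miss.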
Taxonomy
Topics: Software Testing and Debugging Techniques · Web Application Security Vulnerabilities · Information and Cyber Security
