Search papers, labs, and topics across Lattice.
This paper introduces APFuzz, a greybox protocol fuzzer that enhances state and message modeling for improved fuzzing effectiveness. APFuzz uses static and dynamic analysis to automatically identify state variables and infer an accurate state model. It also introduces field-level mutation operations for binary protocols, guided by Large Language Models to understand message structure. Experimental results on a public benchmark demonstrate APFuzz's superiority over AFLNET and other state-of-the-art greybox protocol fuzzers.
LLMs can now guide protocol fuzzers to intelligently mutate binary messages at the field level, significantly boosting their ability to uncover vulnerabilities.
Greybox protocol fuzzing is a random testing approach for stateful protocol implementations, where the input is protocol messages generated from mutations of seeds, and the search in the input space is driven by the feedback on coverage of both code and state. State model and message model are the core components of communication protocols, which also have significant impacts on protocol fuzzing. In this work, we propose APFuzz (Automatic greybox Protocol Fuzzer) with novel designs to increase the smartness of greybox protocol fuzzers from the perspectives of both the state model and the message model. On the one hand, APFuzz employs a two-stage process of static and dynamic analysis to automatically identify state variables, which are then used to infer an accurate state model during fuzzing. On the other hand, APFuzz introduces field-level mutation operations for binary protocols, leveraging message structure awareness enabled by Large Language Models. We conduct extensive experiments on a public protocol fuzzing benchmark, comparing APFuzz with the baseline fuzzer AFLNET as well as several state-of-the-art greybox protocol fuzzers.
