Yuqi Zhai, Rui Ma, Zheng Zhang, Siqi Zhao, Yuche Yang
Title: MSNFuzz: Multi-criteria state-sensitive network protocol fuzzing
DOI: 10.1016/j.cose.2025.104621
Journal: Computers & Security, volume 158, Article 104621
Publication date: 2025-08-09
Publication type: Journal Article
JCR: Q1 (Computer Science, Information Systems)
URL: https://www.sciencedirect.com/science/article/pii/S0167404825003104
Citation count: 0
Abstract
Existing protocol fuzzing techniques suffer from a lack of state guidance when evaluating seeds during seed selection and energy allocation, which reduces fuzzing efficiency and effectiveness. We therefore conduct research focusing on seed evaluation in grey-box protocol fuzzing and propose a multi-criteria state-sensitive network protocol fuzzing method named MSNFuzz. To improve seed evaluation, we first re-think and re-evaluate seed potential in protocol fuzzing and refine the evaluation by introducing fine-grained state-sensitive criteria. Based on this multi-criteria evaluation, a probability-based greedy algorithm is adopted to prioritize the selection of promising seeds so as to better explore the protocol's state space. Moreover, we assign different mutation energies to seeds based on how frequently their corresponding states have been selected, which allows the mutation energy to be adjusted flexibly. We evaluate the performance of MSNFuzz by comparing it with AFLNET, AFLNWE, StateAFL and NSFuzz on 13 typical protocol programs from ProFuzzBench. The experimental results show that MSNFuzz discovers 17.7%, 57.7% and 30.0% more paths and 52.4%, 123.6% and 71.0% more crashes than AFLNET, AFLNWE and StateAFL on average, and discovers 0.18% more paths and 1.8% fewer crashes than NSFuzz, which is the state-of-the-art but relatively heavyweight solution. In addition, MSNFuzz discovers 22.1% more states and 16.5% more state transitions than AFLNET on average. This indicates that MSNFuzz can improve both the efficiency and the effectiveness of fuzzing.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at professionals involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.