MSNFuzz: Multi-criteria state-sensitive network protocol fuzzing

Existing protocol fuzzing techniques suffer a lot from lacking state guidance on seed evaluation during seed selection and energy allocation. That reduces fuzzing efficiency and effectiveness. We thus conduct a research focusing on seed evaluation in grey-box protocol fuzzing and propose a multi-criteria state-sensitive network protocol fuzzing method named MSNFuzz. To improve seed evaluation, we firstly re-think and re-evaluate seed potential in protocol fuzzing and improve the evaluation by introducing fine-grained state-sensitive criteria. Based on the multi-criteria evaluation, a probability-based greedy algorithm is adopted to prioritize selecting promising seeds to better explore the state space of the protocol. Moreover, we also assign different mutation energies for seeds based on the occurrence frequency of its corresponding state to be selected. That allows for flexible adjustment of mutation energy. We further evaluate the performance of MSNFuzz by comparing with AFLNET, AFLNWE, StateAFL and NSFuzz, on 13 typical protocol programs from ProFuzzBench. The experimental results show that MSNFuzz discovers 17.7%, 57.7% and 30.0% more paths, 52.4%, 123.6% and 71.0% more crashes than AFLNET, AFLNWE, and StateAFL on average, and discovers 0.18% more paths and 1.8% less crashes than NSFuzz, which is the state-of-the-art but relatively heavy solution. Besides, MSNFuzz discovers 22.1% more states and 16.5% state transitions than AFLNET on average. That highlights MSNFuzz could improve the efficiency and effectiveness of fuzzing.