Network protocols are divided into stateless and stateful. Stateful network protocols have complex communication interactions and state transitions. However, the existing network protocol fuzzing does not support state transitions very well. This paper focuses on this issue and proposes the Semi-valid Fuzzing for the Stateful Network Protocol (SFSNP). The SFSNP analyzes protocol interactions and builds an extended finite state machine with a path marker for the network protocol; then it obtains test sequences of the extended finite state machine, and further performs the mutation operation using the semi-valid algorithm for each state transition in the test sequences; finally, it obtains fuzzing sequences. Moreover, because different test sequences may have the same state transitions, the SFSNP uses the state transition marking algorithm to reduce redundant test cases. By using the stateful rule tree of the protocol, the SFSNP extracts the constraints in the protocol specifications to construct semi-valid fuzz testing cases within the sub-protocol domain, and finally forms fuzzing sequences. Experimental results indicate that the SFSNP is reasonably effective at reducing the quantity of generated test cases and improving the quality of fuzz testing cases. The SFSNP can reduce redundancy and shorten testing time.

To improve the efficiency and coverage of stateful network protocol fuzzing, this paper proposes a new method, using a rule-based state machine and a stateful rule tree to guide the generation of fuzz testing data. The method first builds a rule-based state machine model as a formal description of the states of a network protocol. This removes safety paths, to cut down the scale of the state space. Then it uses a stateful rule tree to describe the relationship between states and messages, and then remove useless items from it. According to the message sequence obtained by the analysis of paths using the stateful rule tree and the protocol specification, an abstract data model of test case generation is defined. The fuzz testing data is produced by various generation algorithms through filling data in the fields of the data model. Using the rule-based state machine and the stateful rule tree, the quantity of test data can be reduced. Experimental results indicate that our method can discover the same vulnerabilities as traditional approaches, using less test data, while optimizing test data generation and improving test efficiency.