SNPSFuzzer: A Fast Greybox Fuzzer for Stateful Network Protocols Using Snapshots
IEEE Transactions on Information Forensics and Security (IF 6.8), Pub Date: 2022-07-21, DOI: 10.1109/tifs.2022.3192991
Junqiang Li 1 , Senyi Li 1 , Gang Sun 2 , Ting Chen 3 , Hongfang Yu 2
Greybox fuzzing has been widely used on stateless programs and has achieved great success. However, most state-of-the-art greybox fuzzers are slow and reach only shallow state-depth coverage when fuzzing stateful network protocol programs, i.e., programs that remember and store the details of earlier interactions. The existing greybox fuzzers for network protocol programs first send a well-defined prefix sequence of input messages to drive the program into the target state, and only then send the mutated messages that test that state of the stateful network protocol; repeating this prefix for every test case leads to a high time cost. In this paper, we propose SNPSFuzzer, a fast greybox fuzzer for stateful network protocols using snapshots. SNPSFuzzer dumps the context information when the network protocol program is in a specific state and restores it when that state needs to be fuzzed. Furthermore, we design a message chain analysis algorithm to explore more and deeper network protocol states. Our evaluation shows that, compared with the state-of-the-art network protocol greybox fuzzer AFLNET, SNPSFuzzer improves the message processing speed of network protocol fuzzing by 70.7% and increases the path coverage by 20.9% on average within 24 hours. Moreover, SNPSFuzzer exposes a previously unreported vulnerability in the program Tinydtls.
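The abstract describes two ideas: restoring a saved context instead of replaying the message prefix for every test case, and a message chain analysis that discovers chains leading to deeper protocol states. The following Python simulation is an added example written for this page, not code from the paper or from SNPSFuzzer; the toy protocol state machine, the `ToyServer` class and the deepcopy-based snapshot are all constructed here, and deepcopy of an in-process object only stands in for whatever process-level snapshot mechanism the paper uses, which the abstract does not describe.

```python
import copy
from collections import deque

# Constructed toy protocol: a session must say HELLO, then AUTH, before DATA.
# (state, message type) -> next state; anything else is a protocol error.
TRANSITIONS = {
    ("INIT", "HELLO"): "HELLO_DONE",
    ("HELLO_DONE", "AUTH"): "AUTHED",
    ("AUTHED", "DATA"): "DATA_OPEN",
    ("DATA_OPEN", "DATA"): "DATA_OPEN",
    ("DATA_OPEN", "CLOSE"): "CLOSED",
    ("AUTHED", "CLOSE"): "CLOSED",
}
MESSAGE_TYPES = ["HELLO", "AUTH", "DATA", "CLOSE"]


class ToyServer:
    """Stateful handler (hypothetical target). It remembers interaction details
    in `session`, so a snapshot must capture more than the state name."""

    def __init__(self):
        self.state = "INIT"
        self.session = {}    # context built up by earlier messages
        self.processed = 0   # cost counter: every message the handler had to process

    def handle(self, msg_type, payload=b""):
        self.processed += 1
        nxt = TRANSITIONS.get((self.state, msg_type))
        if nxt is None:
            return "ERR"     # rejected, state unchanged
        if msg_type == "AUTH":
            self.session["user"] = payload
        self.state = nxt
        return nxt


def snapshot(server):
    """Dump the whole handler context (state name plus session data)."""
    return copy.deepcopy(server)


def restore(snap):
    """Bring back an independent copy so the test case can mutate it freely."""
    return copy.deepcopy(snap)


def explore_chains(max_depth=4):
    """Message chain analysis: breadth-first over the unknown state machine.
    From a snapshot of each discovered state, try every message type once;
    each probe costs one message instead of a full prefix replay.
    Returns {state: shortest message chain that reaches it}."""
    root = ToyServer()
    chains = {root.state: []}
    frontier = deque([(snapshot(root), [])])
    while frontier:
        snap, chain = frontier.popleft()
        if len(chain) >= max_depth:
            continue
        for m in MESSAGE_TYPES:
            s = restore(snap)
            before = s.state
            if s.handle(m, b"probe") == "ERR" or s.state == before:
                continue                      # error or self-loop: no new depth
            if s.state not in chains:
                chains[s.state] = chain + [m]
                frontier.append((snapshot(s), chain + [m]))
    return chains


def fuzz_state(chain, n_cases, use_snapshot):
    """Send n_cases mutated messages to the state reached by `chain`.
    Returns the total number of messages the target had to process,
    i.e. the time cost the abstract talks about."""
    total = 0
    if use_snapshot:
        s = ToyServer()
        for m in chain:                      # pay for the prefix exactly once
            s.handle(m, b"prefix")
        total += s.processed
        snap = snapshot(s)
        for i in range(n_cases):
            t = restore(snap)
            t.processed = 0
            t.handle(MESSAGE_TYPES[i % len(MESSAGE_TYPES)], b"mut%d" % i)
            total += t.processed
    else:
        for i in range(n_cases):             # AFLNet-style: replay prefix every time
            s = ToyServer()
            for m in chain:
                s.handle(m, b"prefix")
            s.handle(MESSAGE_TYPES[i % len(MESSAGE_TYPES)], b"mut%d" % i)
            total += s.processed
    return total


def restored_context_keeps_session(chain):
    """Check that a restored snapshot still carries the session data the
    prefix created, which is why the dump must include the full context."""
    s = ToyServer()
    for m in chain:
        s.handle(m, b"alice")
    return restore(snapshot(s)).session.get("user")


if __name__ == "__main__":
    chains = explore_chains()
    target = chains["AUTHED"]
    print("reachable states:", chains)
    print("replay cost:", fuzz_state(target, 100, use_snapshot=False))
    print("snapshot cost:", fuzz_state(target, 100, use_snapshot=True))
```

With a prefix of length k and n test cases, prefix replay costs n*(k+1) handled messages while the snapshot approach costs k+n, so the saving grows with the depth of the target state; for the AUTHED state above (k=2, n=100) that is 300 versus 102. The real gain in the paper also depends on how expensive a process-level snapshot and restore is compared with re-sending messages over a socket, which this in-memory toy does not model.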

Updated: 2022-07-21