SemFuzz: A Semantics-Aware Fuzzing Framework for Network Protocol Implementations

📅 2026-03-06
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing network protocol fuzzing approaches struggle to uncover deep semantic vulnerabilities because they model protocol semantics only coarsely and rely on crash-style oracles. This work proposes a semantics-aware fuzzing framework that uses large language models to extract structured semantic rules from RFC documents and then generates test cases that deliberately violate those rules. By comparing the observed responses of a protocol implementation against the behavior the extracted rules require, the framework flags semantic inconsistencies that would never surface as a crash. Evaluated on seven widely used protocol implementations, the approach uncovered 16 potential vulnerabilities, ten of which have been confirmed; of the confirmed ones, five were previously unknown and four have been assigned CVE identifiers. This demonstrates a meaningful advance in the targeted detection of semantic-level protocol vulnerabilities.

📝 Abstract
Network protocols are the foundation of modern communication, yet their implementations often contain semantic vulnerabilities stemming from inadequate understanding of specification semantics. Existing gray-box and black-box testing approaches lack semantic modeling of protocols, making it difficult to precisely express testing intent and cover boundary conditions. Moreover, they typically rely on coarse-grained oracles such as crashes, which are inadequate for identifying deep semantic vulnerabilities. To address these limitations, we present a semantics-aware fuzzing framework, SemFuzz. The framework leverages large language models to extract structured semantic rules from RFC documents and generates test cases that intentionally violate these rules to encode specific testing intents. It then detects deep semantic vulnerabilities by comparing the observed responses with the expected ones. Evaluation on seven widely deployed protocol implementations shows that SemFuzz identified sixteen potential vulnerabilities, ten of which have been confirmed. Among the confirmed vulnerabilities, five were previously unknown and four have been assigned CVEs. These results demonstrate the effectiveness of SemFuzz in detecting semantic vulnerabilities.
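The abstract describes a three-part pipeline: structured rules extracted from an RFC, test cases that deliberately violate one rule at a time, and an oracle that compares the observed response with the response the rule requires. The sketch below is an added example written for this page, not SemFuzz's code: its rule schema, mutation functions and the two toy HTTP/1.1 request handlers are constructed for illustration (the paper's actual rule format is not given on this page), and the rules themselves paraphrase the Host and Content-Length requirements of RFC 9112 sections 3.2 and 6.3. The "lax" handler is a constructed stand-in for an implementation with semantic bugs, not a description of any real server.

```python
"""Semantics-aware fuzzing sketch: rule-violating test generation plus an
expected-response oracle (added example, not the SemFuzz implementation).

Constructed for illustration: the SemanticRule schema stands in for the
LLM-extracted rules described in the paper, and compliant_server /
lax_server are toy request handlers, not real protocol implementations.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed baseline request that every handler must accept with 200.
BASELINE = (b"GET /index.html HTTP/1.1\r\n"
            b"Host: example.test\r\n"
            b"Content-Length: 0\r\n\r\n")


@dataclass(frozen=True)
class SemanticRule:
    rule_id: str                        # which RFC clause the rule comes from
    requirement: str                    # the MUST clause, paraphrased
    violate: Callable[[bytes], bytes]   # mutation that breaks exactly this clause
    expected_status: int                # response the specification requires


def drop_host(req: bytes) -> bytes:
    return req.replace(b"Host: example.test\r\n", b"")


def duplicate_host(req: bytes) -> bytes:
    return req.replace(b"Host: example.test\r\n",
                       b"Host: example.test\r\nHost: other.test\r\n")


def bad_content_length(req: bytes) -> bytes:
    # Content-Length is defined as 1*DIGIT; "0x10" is not a valid value.
    return req.replace(b"Content-Length: 0\r\n", b"Content-Length: 0x10\r\n")


# Hand-written rules in the shape an extraction step might emit (assumption).
RULES = [
    SemanticRule("RFC9112-3.2-missing-host",
                 "server MUST respond 400 to an HTTP/1.1 request lacking Host",
                 drop_host, 400),
    SemanticRule("RFC9112-3.2-duplicate-host",
                 "server MUST respond 400 to a request with more than one Host",
                 duplicate_host, 400),
    SemanticRule("RFC9112-6.3-invalid-content-length",
                 "server MUST respond 400 to an invalid Content-Length value",
                 bad_content_length, 400),
]


def parse_request(req: bytes) -> tuple[bytes, list[tuple[bytes, bytes]]]:
    """Split a raw request into its request line and an ordered header list.
    A list (not a dict) is used so duplicate header fields stay visible."""
    head, _, _body = req.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def compliant_server(req: bytes) -> int:
    """Toy handler that enforces both clauses (constructed reference behaviour)."""
    _, headers = parse_request(req)
    hosts = [v for n, v in headers if n == b"host"]
    if len(hosts) != 1:
        return 400
    if any(not v.isdigit() for n, v in headers if n == b"content-length"):
        return 400
    return 200


def lax_server(req: bytes) -> int:
    """Toy handler with two semantic bugs that never crash: duplicate Host
    fields are tolerated, and Content-Length is parsed with int(v, 0), which
    silently accepts hex such as '0x10'. Constructed for the example."""
    _, headers = parse_request(req)
    if not any(n == b"host" for n, _ in headers):   # bug: duplicates not rejected
        return 400
    for n, v in headers:
        if n == b"content-length":
            try:
                int(v.decode(), 0)                  # bug: accepts non-DIGIT forms
            except ValueError:
                return 400
    return 200


def run_campaign(server: Callable[[bytes], int]) -> list[str]:
    """Send one rule-violating test case per rule and return the ids of the
    rules whose observed status differs from the required one. This is the
    semantic oracle: a finding here is a spec inconsistency, not a crash."""
    if server(BASELINE) != 200:
        raise RuntimeError("baseline rejected; oracle results would be meaningless")
    findings = []
    for rule in RULES:
        observed = server(rule.violate(BASELINE))
        if observed != rule.expected_status:
            findings.append(rule.rule_id)
    return findings


if __name__ == "__main__":
    print("compliant:", run_campaign(compliant_server))
    print("lax:      ", run_campaign(lax_server))
```

Two points carry over to a real campaign. First, the baseline must be accepted before any violation is scored, otherwise every mismatch is noise from an unrelated rejection. Second, each test case violates a single clause, so a mismatch points at one requirement in the specification; mutating several fields at once would give higher coverage per message but lose that attribution, which is the property the semantic oracle depends on.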
Problem

Research questions and friction points this paper is trying to address.

semantic vulnerabilities
network protocol implementations
fuzzing
protocol semantics
testing oracles
Innovation

Methods, ideas, or system contributions that make the work stand out.

semantics-aware fuzzing
large language models
protocol vulnerability detection
structured semantic rules
RFC-based testing
Authors
Yanbang Sun, Tianjin University
Quan Luo, QI-ANXIN Codesafe Team
Yuelin Wang, Tianjin University
Qian Chen, QI-ANXIN Codesafe Team
Benjin Liu, QI-ANXIN Codesafe Team
Ruiqi Chen, Vrije Universiteit Brussel
Qing Huang, Chinese Academy of Science
Xiaohong Li, Tianjin University
Junjie Wang, Tianjin University