This work addresses the limitations of gray-box protocol fuzzing in state awareness and message generation by proposing a two-phase automated approach that integrates static and dynamic analysis to accurately identify state variables and construct a high-fidelity state model. Furthermore, it pioneers the incorporation of large language models (LLMs) into binary protocol fuzzing for field-level mutation, enabling structure-aware intelligent message generation. The proposed method substantially improves state coverage, code coverage, and vulnerability discovery efficiency, outperforming state-of-the-art gray-box fuzzers such as AFLNET across multiple public protocol benchmarks.

Greybox protocol fuzzing is a random testing approach for stateful protocol implementations, where the input is protocol messages generated from mutations of seeds, and the search in the input space is driven by the feedback on coverage of both code and state. State model and message model are the core components of communication protocols, which also have significant impacts on protocol fuzzing. In this work, we propose APFuzz (Automatic greybox Protocol Fuzzer) with novel designs to increase the smartness of greybox protocol fuzzers from the perspectives of both the state model and the message model. On the one hand, APFuzz employs a two-stage process of static and dynamic analysis to automatically identify state variables, which are then used to infer an accurate state model during fuzzing. On the other hand, APFuzz introduces field-level mutation operations for binary protocols, leveraging message structure awareness enabled by Large Language Models. We conduct extensive experiments on a public protocol fuzzing benchmark, comparing APFuzz with the baseline fuzzer AFLNET as well as several state-of-the-art greybox protocol fuzzers.