Skip to content

Tech notes about AFLNet/ChatAFL

AFLNET supports two channels, one to send and one to receive

  • The response-receiving channel forms the state feedback channel.
  • AFLNET uses standard C Socket APIs (i.e., connect/poll/send/recv).
  • For synchronization, there is delay between requests. Otherwise, several server implementations drop the connetion if a new message is received before the response is sent and acknowledged.

The input for AFLNET are the pcap files containing the captured network traffic

  • Use tcpdump to record realistic message exchange (including both requests and responses).
  • Use Wireshark to extract requests.
  • [CHATAFL]: In PROFUZZBENCH, the initial seed corpus of LIVE555 comprises only 4 types of client requests out of 10 present in the ground truth: DESCRIBE, SETUP, PLAY, and TEARDOWN. As it said in the paper, LLM can generate diverse messages and approximately 55% (plus 24.5% after fixing the session id) of client requests can be directly accepted by the server with the successful response code “2xx”.

the capability to enrich the initial seeds.

State Machine Learner

  • It takes the server responses and augments the implemented protocol state machine (IPSM) with newly observed states and transitions.

Target State Selector

  • At the beginning, it randomly selects target states.
  • After accumulate statistical data, it chooses states according to two heuristics, i.e., rarely exercised states and a state with higher priority that has been particularly successful in contributing to an increased code or state coverage.

Sequence Selector

  • Once a target state is selected, it selects a message sequence (i.e., a seed input), which can reach the state (including passing by), from the sequence corpus.
  • If multiple message sequences reaching the same state, it randomly selects one.

Sequence Mutator

  • AFLNET splits the original sequence M into three parts: 1) the prefix M1 is required to reach the selected state s, 2) the candidate subsequence M2 contains all messages that can be executed after M1 while still remaining in s, and 3) the suffix M3 is simply the left-over subsequence such that (M1, M2, M3) = M.
  • The mutated message sequence M' = (M1, mutate(M2), M3).
  • Question: does AFLNET gurantee the mutate(M2) still end with state s?
  • In order to mutate the candidate sequence M2, AFLNET supports the replacement, insertion, duplication, and deletion of messages
  • In addition to these protocol-aware mutation operators, AFLNET uses the common byte-level operators that are known from greybox fuzzing, such as bit flipping, and the substitution, insertion, or deletion of blocks of bytes.
  • The mutations are stacked, i.e., several protocol-aware and bytelevel mutation operators are applied to generate the mutated candidate sequence.
  • Generated message sequences M' that are considered as “interesting” are added to the corpus C. A sequence is considered as interesting if the server response contains new states or state transitions that have not previously been observed; a sequence is interesting also if it covers new branches in the server’s source code.
  • [CHATAFL] LLM can generate the grammar for each type of messages. This is one-shot. When mutating, the fuzzer will search in the grammar corpus, mark the mutatable fields in the seed, and mutate the seed, instead of asking the LLM to generate a new one.
  • [CHATAFL] Of the LLM-generated client requests, 69% to 89% induced a transition to a different state, covering all state transitions for each individual state. When PlateauLen surpasses MaxPlateau, ChatAFL asks LLM to break the coverage wall.

Some tips

  • The tool will be slow in executions per second due to the synchronization between the client and the server.
  • The tool should be running for a long time to activate the target state selector.