Stateful Coverage-Based Greybox Fuzzing (SCGF) is considered the state-of-the-art method for network protocol greybox fuzzing. During the protocol fuzzing process, SCGF constructs the state machine of the target protocol by identifying protocol states. Optimal states are selected for fuzzing using heuristic methods, along with corresponding seeds and mutation regions, to conduct fuzz testing effectively. Nevertheless, existing SCGF methodologies prioritise the selection of protocol states without considering the correspondence between program basic block coverage information and protocol states. To address this gap, this paper proposes a state-map-based reverse state selection method for SCGF. This approach prioritises the coverage information of fuzz test seeds and delves deeper into the correspondence between the basic block coverage information of the program and the protocol state, with the objective of improving the bitmap coverage. The state map is employed to simplify the state machine representation. Furthermore, the design of different types of states has enabled the optimisation of the method of constructing message sequences; the resulting reduction in message sequence length further improves the efficiency of test case execution. By optimising SCGF, we developed SMGFuzz and conducted experiments using ProFuzzBench to assess the testing efficiency of SMGFuzz. The results indicate that, compared to AFLNet, SMGFuzz achieved an average increase of 12.48% in edge coverage, a 50.1% increase in unique crashes and a 40.2% increase in test case execution speed over a period of 24 hours.
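To make the abstract's central idea concrete, the following is an added illustration (not code from the SMGFuzz paper, ProFuzzBench or AFLNet) of a state map that records which program edges each seed exercises in each protocol state, a coverage-first ("reverse") choice of the state to fuzz, and a trimmed message sequence that stops at the selected state. The seeds, message texts, state names and edge ids are constructed toy data; the convention that "message i is handled in the state reached after message i-1", the rarity-based scoring rule and the prefix-truncation rule are assumptions made for the example, not the paper's algorithm.

```python
"""Toy state map and coverage-driven state selection for a stateful protocol fuzzer.

Added example, not code from the SMGFuzz paper. All seeds, states and edge ids
are constructed; the scoring and sequence-trimming rules are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Seed:
    seed_id: str
    messages: list        # request sequence sent to the server (constructed)
    states: list          # server state observed after each message (constructed)
    edges: list           # frozenset of program edges hit while handling each message


# Constructed corpus: a FTP-like login/command flow with made-up edge ids.
SEEDS = [
    Seed("A", ["USER a", "PASS p", "LIST", "QUIT"],
         ["AUTH", "READY", "READY", "CLOSED"],
         [frozenset({1, 2}), frozenset({3, 4}), frozenset({5, 6, 7}), frozenset({8})]),
    Seed("B", ["USER b", "PASS p", "RETR f", "QUIT"],
         ["AUTH", "READY", "READY", "CLOSED"],
         [frozenset({1, 2}), frozenset({3, 4}), frozenset({9, 10}), frozenset({8})]),
    Seed("C", ["USER c", "NOOP"],
         ["AUTH", "AUTH"],
         [frozenset({1, 2}), frozenset({11})]),
]


def build_state_map(seeds):
    """Return ({state: set(edges)}, {state: [(seed_id, msg_index)]}).

    Assumed convention: message i is handled while the server is in the state
    reached after message i-1 (INIT before the first message), so the edges hit
    by message i are credited to that state.
    """
    state_edges = defaultdict(set)
    state_entries = defaultdict(list)
    for s in seeds:
        for i in range(len(s.messages)):
            state = s.states[i - 1] if i > 0 else "INIT"
            state_edges[state] |= s.edges[i]
            state_entries[state].append((s.seed_id, i))
    return dict(state_edges), dict(state_entries)


def edge_hit_counts(seeds):
    """Global bitmap view: how many messages across all seeds hit each edge."""
    counts = Counter()
    for s in seeds:
        for hit in s.edges:
            counts.update(hit)
    return counts


def select_state(state_edges, hit_counts, fuzzed):
    """Coverage-first state choice (assumed rule): favour the state whose
    credited edges are rarely hit (hit by a single message so far), and
    damp states that have already been fuzzed often."""
    best, best_score = None, -1.0
    for state, edges in state_edges.items():
        rare = sum(1 for e in edges if hit_counts[e] == 1)
        score = (rare + 1) / (fuzzed.get(state, 0) + 1)
        if score > best_score:
            best, best_score = state, score
    return best


def build_sequence(seeds, state_entries, state):
    """Shortest seed prefix that reaches `state`, ending with the message that
    is handled there (the mutation target). Trailing messages are dropped, so
    the executed sequence is no longer than needed to exercise the state."""
    seed_id, idx = min(state_entries[state], key=lambda t: t[1])
    seed = next(s for s in seeds if s.seed_id == seed_id)
    return seed.messages[:idx + 1], idx


def demo(fuzzed=None):
    """One selection round over the constructed corpus."""
    state_edges, state_entries = build_state_map(SEEDS)
    counts = edge_hit_counts(SEEDS)
    state = select_state(state_edges, counts, fuzzed or {})
    sequence, target = build_sequence(SEEDS, state_entries, state)
    return state, sequence, target


if __name__ == "__main__":
    print(demo())                    # first round: READY is richest in rare edges
    print(demo({"READY": 5}))        # after fuzzing READY repeatedly, AUTH wins
```

In the first round the READY state wins because five of its credited edges (5, 6, 7, 9, 10) were reached by only one message each, and the sequence sent is three messages rather than the full four-message seed. Once READY has been fuzzed several times, the damping term lets the AUTH state (with its single rare edge 11) take over, which is the kind of coverage-to-state feedback the abstract describes.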