Network protocols are the foundation of modern communication, yet their implementations often contain semantic vulnerabilities stemming from inadequate understanding of specification semantics. Existing gray-box and black-box testing approaches lack semantic modeling of protocols, making it difficult to precisely express testing intent and cover boundary conditions. Moreover, they typically rely on coarse-grained oracles such as crashes, which are inadequate for identifying deep semantic vulnerabilities. To address these limitations, we present a semantics-aware fuzzing framework, SemFuzz. The framework leverages large language models to extract structured semantic rules from RFC documents and generates test cases that intentionally violate these rules to encode specific testing intents. It then detects deep semantic vulnerabilities by comparing the observed responses with the expected ones. Evaluation on seven widely deployed protocol implementations shows that SemFuzz identified sixteen potential vulnerabilities, ten of which have been confirmed. Among the confirmed vulnerabilities, five were previously unknown and four have been assigned CVEs. These results demonstrate the effectiveness of SemFuzz in detecting semantic vulnerabilities.
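The rule-violating test generation and expected-response oracle described above, as an added illustration that is not SemFuzz's code: the toy length-prefixed protocol, the two implementations under test and the hand-written rules (standing in for what the paper extracts from RFCs with an LLM) are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class SemanticRule:
    """Structured rule in the shape an LLM extraction step might emit (hand-written here)."""
    rule_id: str
    spec_text: str
    violate: Callable[[dict], dict]  # mutation that encodes one testing intent
    expected: str                    # response the (toy) spec requires for that violation

def encode(msg: dict) -> bytes:
    # Constructed wire format: one length octet followed by the body.
    return bytes([msg["length"]]) + msg["body"]

# Two implementations under test. Neither ever crashes, so a crash oracle
# would report nothing; only comparing against the expected response exposes the bug.
def correct_impl(wire: bytes) -> str:
    if not wire:
        return "ERR_EMPTY"
    length, body = wire[0], wire[1:]
    if length != len(body):
        return "ERR_LENGTH_MISMATCH"
    if length > 8:
        return "ERR_TOO_LONG"
    return "OK"

def buggy_impl(wire: bytes) -> str:
    if not wire:
        return "ERR_EMPTY"
    length, body = wire[0], wire[1:]
    if length > 8:
        return "ERR_TOO_LONG"
    return "OK"  # semantic bug: silently accepts a length that disagrees with the body

RULES = [
    SemanticRule("R1", "Length MUST equal the number of body octets; otherwise reject.",
                 lambda m: {**m, "length": m["length"] + 1}, "ERR_LENGTH_MISMATCH"),
    SemanticRule("R2", "Length MUST NOT exceed 8.",
                 lambda m: {"length": 9, "body": b"A" * 9}, "ERR_TOO_LONG"),
]

def semfuzz_round(impl: Callable[[bytes], str], seed: Optional[dict] = None) -> list:
    """Generate one rule-violating case per rule, send it, and diff observed vs expected."""
    seed = seed or {"length": 3, "body": b"abc"}  # constructed valid seed message
    findings = []
    for rule in RULES:
        observed = impl(encode(rule.violate(seed)))
        if observed != rule.expected:
            findings.append((rule.rule_id, rule.expected, observed))
    return findings
```

Each finding names the violated rule, the response the specification requires and the one actually observed, which is the triage information a crash-only oracle cannot provide.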