thuanpv/aflnwe

Is aflnwe fuzzing every state of the SUT or just the initial one?

Opened this issue · 0 comments

aflnwe aims to fuzz stateful systems. Unfortunately, since it restarts the SUT after every iteration, it seems to fuzz only the initial state (for instance, in LightFTP, the state in the SUT that lies before any authentication -- State 0 in the figure).

Also, by printing all the messages received by the LightFTP server, it seems aflnwe cannot explore the state model in depth. Am I missing something?

Screenshot 2023-09-05 at 09 24 10

These are the state coverage results I obtained on LightFTP:

  1. AFLNet

    Total states discovered: 5 \ 5. State coverage: 100%. Messages sent: 3898
    State: 0 - Hit: 3302
    State: 1 - Hit: 350
    State: 2 - Hit: 49
    State: 3 - Hit: 149
    State: 4 - Hit: 48

  2. aflnwe

    Total states discovered: 1 \ 5. State coverage: 20%. Messages sent: 1799
    State: 0 - Hit: 1799
    State: 1 - Hit: 0
    State: 2 - Hit: 0
    State: 3 - Hit: 0
    State: 4 - Hit: 0
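The following is an added toy model, not code from aflnwe, AFLNet or LightFTP. It assumes a simplified five-state LightFTP session machine (the transitions are made up for illustration) and credits each message to the state the server is in when it arrives, which is how the two reports above can be read. Running it contrasts a campaign that restarts the SUT before every single message with one that sends the whole message sequence to a single live session, and reproduces the shape of the two outputs above: all hits in State 0 in the first case, every state hit in the second.

```python
from collections import Counter

# Toy model of a LightFTP-like login/session state machine and a state-coverage
# counter that mirrors the "State: N - Hit: M" report format quoted above.
# The transitions are an assumed simplification, not LightFTP's real logic.
TOTAL_STATES = 5  # same denominator as "Total states discovered: x / 5"


def ftp_step(state, msg):
    """Next state after the SUT (currently in `state`) processes one command line."""
    cmd = msg.split(" ", 1)[0].upper()
    if state == 0:                      # not authenticated
        return 1 if cmd == "USER" else 0
    if state == 1:                      # USER seen, waiting for PASS
        return 2 if cmd == "PASS" else 0
    if state == 2:                      # logged in
        if cmd == "PASV":
            return 3
        if cmd == "RNFR":
            return 4
        return 2
    if state == 3:                      # passive data connection open
        return 2 if cmd in ("LIST", "RETR", "STOR") else 3
    return 2                            # state 4: RNFR pending; any next command resolves it


def state_coverage(sessions):
    """Each session is a list of messages sent to a *fresh* SUT.

    A hit is credited to the state the SUT is in when a message arrives, so a
    campaign that restarts the SUT before every message can only ever hit state 0.
    Returns (hits per state, number of states that received at least one message).
    """
    hits = Counter()
    for messages in sessions:
        state = 0                       # restart: the SUT always begins in state 0
        for m in messages:
            hits[state] += 1
            state = ftp_step(state, m)
    discovered = sum(1 for s in range(TOTAL_STATES) if hits[s] > 0)
    return hits, discovered


def report(hits, discovered):
    """Render the counts in the same layout as the reports quoted above."""
    sent = sum(hits.values())
    lines = [f"Total states discovered: {discovered} / {TOTAL_STATES}. "
             f"State coverage: {100 * discovered // TOTAL_STATES}%. Messages sent: {sent}"]
    lines += [f"State: {s} - Hit: {hits[s]}" for s in range(TOTAL_STATES)]
    return "\n".join(lines)


# Constructed corpus: one well-formed multi-message FTP session.
SESSION = ["USER anon", "PASS guest", "PASV", "LIST",
           "RNFR old.txt", "RNTO new.txt", "QUIT"]

# Campaign 1: restart the SUT and send one message per run (the behaviour described above).
RESTART_PER_MESSAGE = [[m] for m in SESSION]
# Campaign 2: keep one session alive and send the whole sequence (AFLNet-style).
SEQUENCE = [SESSION]

if __name__ == "__main__":
    for name, campaign in (("restart per message", RESTART_PER_MESSAGE),
                           ("one live session", SEQUENCE)):
        print(f"== {name} ==")
        print(report(*state_coverage(campaign)))
```

With the restart campaign every one of the seven messages is received in State 0 (1 / 5 states, 20%), while the single live session reaches all five states with the same seven messages; deeper states are only reachable when earlier messages of the same session have already moved the server out of State 0.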