{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,3]],"date-time":"2026-06-03T13:08:31Z","timestamp":1780492111577,"version":"3.54.1"},"reference-count":70,"publisher":"Association for Computing Machinery (ACM)","issue":"9","license":[{"start":{"date-parts":[[2024,4,25]],"date-time":"2024-04-25T00:00:00Z","timestamp":1714003200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2024,10,31]]},"abstract":"<jats:p>Fuzzing is a very effective testing methodology to find bugs. In a nutshell, a fuzzer sends many slightly malformed messages to the software under test, hoping for crashes or incorrect system behaviour. The methodology is relatively simple, although applications that keep internal states are challenging to fuzz. The research community has responded to this challenge by developing fuzzers tailored to stateful systems, but a clear understanding of the variety of strategies is still missing. In this paper, we present the first taxonomy of fuzzers for stateful systems and provide a systematic comparison and classification of these fuzzers.<\/jats:p>","DOI":"10.1145\/3648468","type":"journal-article","created":{"date-parts":[[2024,2,17]],"date-time":"2024-02-17T10:04:40Z","timestamp":1708164280000},"page":"1-23","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":25,"title":["Fuzzers for Stateful Systems: Survey and Research Directions"],"prefix":"10.1145","volume":"56","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7435-4176","authenticated-orcid":false,"given":"Cristian","family":"Daniele","sequence":"first","affiliation":[{"name":"Radboud University, Nijmegen, The Netherlands"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5077-240X","authenticated-orcid":false,"given":"Seyed Behnam","family":"Andarzian","sequence":"additional","affiliation":[{"name":"Radboud University, Nijmegen, The Netherlands"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4635-187X","authenticated-orcid":false,"given":"Erik","family":"Poll","sequence":"additional","affiliation":[{"name":"Radboud University, Nijmegen, The Netherlands"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2024,4,25]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1145\/1326304.1326313"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1016\/0890-5401(87)90052-6"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1109\/IPDPS.2009.5161063"},{"key":"e_1_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00117"},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00083"},{"key":"e_1_3_2_7_2","unstructured":"Jinsheng Ba Marcel B\u00f6hme Zahra Mirzamomen and Abhik Roychoudhury. 2022. Stateful Greybox Fuzzing. (2022). arxiv:cs.CR\/2204.02545. http:\/\/export.arxiv.org\/abs\/2204.02545v3"},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1007\/11836810_25"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1145\/3140587.3062349"},{"key":"e_1_3_2_10_2","article-title":"Network protocol analysis using bioinformatics algorithms","author":"Beddoe Marshall A.","year":"2004","unstructured":"Marshall A. Beddoe. 2004. Network protocol analysis using bioinformatics algorithms. ToorCon (2004).","journal-title":"ToorCon"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1109\/CCNS53852.2021.00023"},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2020.3016773"},{"key":"e_1_3_2_13_2","volume-title":"USENIX Security Symposium","author":"Chen Yuanliang","year":"2019","unstructured":"Yuanliang Chen, Yu Jiang, Fuchen Ma, Jie Liang, Mingzhe Wang, Chijin Zhou, Xun Jiao, and Zhuo Su. 2019. EnFuzz: Ensemble fuzzing with seed synchronization among diverse fuzzers. In USENIX Security Symposium. USENIX Association."},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1145\/3338502.3359762"},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9781139194655"},{"key":"e_1_3_2_16_2","first-page":"193","volume-title":"USENIX Security Symposium","author":"Ruiter Joeri de","year":"2015","unstructured":"Joeri de Ruiter and Erik Poll. 2015. Protocol state fuzzing of TLS implementations. In USENIX Security Symposium. USENIX Association, 193\u2013206."},{"key":"e_1_3_2_17_2","first-page":"523","volume-title":"USENIX Security Symposium","author":"Doup\u00e9 Adam","year":"2012","unstructured":"Adam Doup\u00e9, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna. 2012. Enemy of the state: A state-aware black-box web vulnerability scanner. In USENIX Security Symposium. USENIX, 523\u2013538."},{"key":"e_1_3_2_18_2","first-page":"621","volume-title":"International Conference on Information and Communications Security","author":"Fan Rong","year":"2017","unstructured":"Rong Fan and Yaoyao Chang. 2017. Machine learning for black-box fuzzing of network protocols. In International Conference on Information and Communications Security. Springer, 621\u2013632."},{"key":"e_1_3_2_19_2","first-page":"2523","volume-title":"29th USENIX Security Symposium (USENIX Security \u201920)","author":"Fiterau-Brostean Paul","year":"2020","unstructured":"Paul Fiterau-Brostean, Bengt Jonsson, Robert Merget, Joeri De Ruiter, Konstantinos Sagonas, and Juraj Somorovsky. 2020. Analysis of \\(\\lbrace\\) DTLS \\(\\rbrace\\) implementations using protocol state fuzzing. In 29th USENIX Security Symposium (USENIX Security \u201920). 2523\u20132540."},{"key":"e_1_3_2_20_2","article-title":"Active automata learning with adaptive distinguishing sequences","author":"Frohme Markus Theo","year":"2019","unstructured":"Markus Theo Frohme. 2019. Active automata learning with adaptive distinguishing sequences. arXiv preprint arXiv:1902.01139 (2019).","journal-title":"arXiv preprint arXiv:1902.01139"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-28865-9_18"},{"key":"e_1_3_2_22_2","first-page":"151","volume-title":"Network and Distributed System Security (NDSS\u201908)","author":"Godefroid Patrice","year":"2008","unstructured":"Patrice Godefroid, Michael Y. Levin, and David Molnar. 2008. Automated whitebox fuzz testing. In Network and Distributed System Security (NDSS\u201908), Vol. 8. The Internet Society, 151\u2013166."},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1145\/3368089.3409679"},{"issue":"8","key":"e_1_3_2_24_2","first-page":"239","article-title":"AutoFuzz: Automated network protocol fuzzing framework","volume":"10","author":"Gorbunov Serge","year":"2010","unstructured":"Serge Gorbunov and Arnold Rosenbloom. 2010. AutoFuzz: Automated network protocol fuzzing framework. International Journal of Computer Science and Network Security (IJCSNS) 10, 8 (2010), 239.","journal-title":"International Journal of Computer Science and Network Security (IJCSNS)"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1109\/PST52912.2021.9647801"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICNP.2008.4697030"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1145\/3203217.3203241"},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-11164-3_26"},{"key":"e_1_3_2_29_2","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security \u201923)","author":"Jiang Zu-Ming","year":"2023","unstructured":"Zu-Ming Jiang, Jia-Ju Bai, and Zhendong Su. 2023. DynSQL: Stateful fuzzing for database management systems with complex and valid SQL query generation. In Proceedings of USENIX Security Symposium (USENIX Security \u201923)."},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-35413-2_16"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICDM.2010.50"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3138820"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833593"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISCC.2010.5546704"},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1145\/2381896.2381904"},{"key":"e_1_3_2_36_2","article-title":"SPIDER: A practical fuzzing framework to uncover stateful performance issues in SDN controllers","author":"Li Ao","year":"2022","unstructured":"Ao Li, Rohan Padhye, and Vyas Sekar. 2022. SPIDER: A practical fuzzing framework to uncover stateful performance issues in SDN controllers. arXiv preprint arXiv:2209.04026 (2022).","journal-title":"arXiv preprint arXiv:2209.04026"},{"key":"e_1_3_2_37_2","article-title":"SNPSFuzzer: A fast greybox fuzzer for stateful network protocols using snapshots","author":"Li Junqiang","year":"2022","unstructured":"Junqiang Li, Senyi Li, Gang Sun, Ting Chen, and Hongfang Yu. 2022. SNPSFuzzer: A fast greybox fuzzer for stateful network protocols using snapshots. arXiv preprint arXiv:2202.03643 (2022).","journal-title":"arXiv preprint arXiv:2202.03643"},{"key":"e_1_3_2_38_2","first-page":"4481","volume-title":"32nd USENIX Security Symposium (USENIX Security \u201923)","author":"Luo Zhengxiong","year":"2023","unstructured":"Zhengxiong Luo, Junze Yu, Feilong Zuo, Jianzhong Liu, Yu Jiang, Ting Chen, Abhik Roychoudhury, and Jiaguang Sun. 2023. Bleem: Packet sequence oriented fuzzing for protocol implementations. In 32nd USENIX Security Symposium (USENIX Security \u201923). 4481\u20134498."},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.14722\/bar.2022.23008"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2019.2946563"},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3559365"},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1145\/96267.96279"},{"key":"e_1_3_2_43_2","unstructured":"Kevin P. Murphy. 1995. Passively learning finite automata. Citeseer."},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11334-022-00449-3"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-022-10233-3"},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1145\/1273442.1250746"},{"key":"e_1_3_2_47_2","first-page":"99","volume-title":"Advances in Structural and Syntactic Pattern Recognition","author":"Oncina Jos\u00e9","year":"1992","unstructured":"Jos\u00e9 Oncina and Pedro Garcia. 1992. Identifying regular languages in polynomial time. In Advances in Structural and Syntactic Pattern Recognition. World Scientific, 99\u2013108."},{"key":"e_1_3_2_48_2","doi-asserted-by":"publisher","DOI":"10.1109\/DSN53405.2022.00043"},{"key":"e_1_3_2_49_2","unstructured":"Joshua Pereyda. 2019. boofuzz Documentation. (2019). https:\/\/github.com\/jtpereyda\/boofuzz"},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICST46399.2020.00062"},{"key":"e_1_3_2_51_2","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2015.32"},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.5555\/3220885.3221010"},{"key":"e_1_3_2_53_2","first-page":"1","article-title":"Black-box live protocol fuzzing","volume":"2","author":"Ramsauer Timo","year":"2021","unstructured":"Timo Ramsauer. 2021. Black-box live protocol fuzzing. Target 2 (2021), 1\u20132.","journal-title":"Target"},{"key":"e_1_3_2_54_2","article-title":"Nyx-Net: Network fuzzing with incremental snapshots","author":"Schumilo Sergej","year":"2021","unstructured":"Sergej Schumilo, Cornelius Aschermann, Andrea Jemmett, Ali Abbasi, and Thorsten Holz. 2021. Nyx-Net: Network fuzzing with incremental snapshots. arXiv preprint arXiv:2111.03013 (2021).","journal-title":"arXiv preprint arXiv:2111.03013"},{"key":"e_1_3_2_55_2","first-page":"309","volume-title":"Annual Technical Conference (ATC \u201912)","author":"Serebryany Konstantin","year":"2012","unstructured":"Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitriy Vyukov. 2012. AddressSanitizer: A fast address sanity checker. In Annual Technical Conference (ATC \u201912). USENIX, 309\u2013318."},{"key":"e_1_3_2_56_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-68855-6_19"},{"key":"e_1_3_2_57_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2895025"},{"key":"e_1_3_2_58_2","first-page":"46","volume-title":"IEEE\/ACM International Symposium on Code Generation and Optimization (CGO \u201915)","author":"Stepanov Evgeniy","year":"2015","unstructured":"Evgeniy Stepanov and Konstantin Serebryany. 2015. MemorySanitizer: Fast detector of uninitialized memory use in C++. In IEEE\/ACM International Symposium on Code Generation and Optimization (CGO \u201915). IEEE, 46\u201355."},{"key":"e_1_3_2_59_2","article-title":"Sequence to sequence learning with neural networks","volume":"27","author":"Sutskever Ilya","year":"2014","unstructured":"Ilya Sutskever, Oriol Vinyals, and Quoc V Le. 2014. Sequence to sequence learning with neural networks. Advances in Neural Information Processing Systems 27 (2014).","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_60_2","doi-asserted-by":"publisher","DOI":"10.1109\/IWAST.2012.6228985"},{"key":"e_1_3_2_61_2","first-page":"2847","volume-title":"30th USENIX Security Symposium (USENIX Security \u201921)","author":"Tychalas Dimitrios","year":"2021","unstructured":"Dimitrios Tychalas, Hadjer Benkraouda, and Michail Maniatakos. 2021. \\(\\lbrace\\) ICSFuzz \\(\\rbrace\\) : Manipulating \\(\\lbrace\\) I\/Os \\(\\rbrace\\) and repurposing binary code to enable instrumented fuzzing in \\(\\lbrace\\) ICS \\(\\rbrace\\) control applications. In 30th USENIX Security Symposium (USENIX Security \u201921). 2847\u20132862."},{"key":"e_1_3_2_62_2","article-title":"FlexFringe: Modeling software behavior by learning probabilistic automata","author":"Verwer Sicco","year":"2022","unstructured":"Sicco Verwer and Christian Hammerschmidt. 2022. FlexFringe: Modeling software behavior by learning probabilistic automata. arXiv preprint arXiv:2203.16331 (2022).","journal-title":"arXiv preprint arXiv:2203.16331"},{"key":"e_1_3_2_63_2","doi-asserted-by":"publisher","DOI":"10.1371\/journal.pone.0237749"},{"key":"e_1_3_2_64_2","doi-asserted-by":"crossref","unstructured":"Zhuzhu Wang and Ying Wang. 2023. NLP-based Cross-Layer 5G Vulnerabilities Detection via Fuzzing Generated Run-Time Profiling. (2023). arxiv:cs.CR\/2305.08226","DOI":"10.1109\/CloudNet59005.2023.10490042"},{"key":"e_1_3_2_65_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v31i1.10804"},{"key":"e_1_3_2_66_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3025037"},{"key":"e_1_3_2_67_2","unstructured":"Michal Zalewski. 2014. American Fuzzy Lop (AFL). (2014). https:\/\/lcamtuf.coredump.cx\/afl"},{"key":"e_1_3_2_68_2","doi-asserted-by":"publisher","DOI":"10.3390\/app11073120"},{"key":"e_1_3_2_69_2","doi-asserted-by":"publisher","DOI":"10.3390\/electronics12132904"},{"key":"e_1_3_2_70_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2019.00016"},{"key":"e_1_3_2_71_2","doi-asserted-by":"publisher","DOI":"10.1145\/3512345"}],"container-title":["ACM Computing Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3648468","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3648468","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T22:50:19Z","timestamp":1750287019000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3648468"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,4,25]]},"references-count":70,"journal-issue":{"issue":"9","published-print":{"date-parts":[[2024,10,31]]}},"alternative-id":["10.1145\/3648468"],"URL":"https:\/\/doi.org\/10.1145\/3648468","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"value":"0360-0300","type":"print"},{"value":"1557-7341","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,4,25]]},"assertion":[{"value":"2023-01-06","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-01-31","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-04-25","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}