
Research and Implementation of Cross-State Guided Fuzzing Tool for Protocol Implementations

Author: Zuo Feilong
  • Student ID
    2019******
  • Degree
    Master
  • Defense date
    2022.05.16
  • Advisor
    Jiang Yu
  • Discipline
    Software Engineering
  • Pages
    82
  • Confidentiality level
    Public
  • Department
    410 School of Software
  • Keywords (Chinese)
    Protocol fuzzing, data model learning, cross-state feedback
  • Keywords (English)
    Protocol Fuzzing, Data Model Learning, Cross-state Guiding

Abstract

In recent years, many well-known network protocol vulnerabilities, such as Heartbleed and worms, have caused serious damage and enormous losses worldwide. Ensuring the security of network protocols is therefore of vital importance. Fuzzing is one of the most effective software testing methods; however, because network protocols have complex input structures and rich state transitions, existing protocol fuzzers still suffer from three main limitations in practice: (1) the data model is essential to protocol fuzzing, yet manually preparing the data model of a complex protocol is time-consuming, laborious and error-prone; (2) existing protocol fuzzers concentrate only on testing the logic of individual protocol states or on discovering new states, and ignore the protocol's abundant code logic for handling cross-state transitions; (3) when collecting coverage, existing protocol fuzzers have to restart the target frequently, which makes fuzzing as a whole inefficient. To address these shortcomings, this thesis proposes Jupiter, an easy-to-use and efficient cross-state guided protocol fuzzing tool. Its innovations are threefold: (1) a multi-state data model learning technique that automatically and accurately learns the data model of each state from network packet streams, for use in subsequent structure-aware fuzzing; (2) a novel cross-state coverage reinforcement strategy that, during protocol fuzzing, combines inner-state and cross-state exploration to generate targeted packet sequences, intensively exercising the protocol's cross-state logic and raising overall fuzzing coverage; (3) an automatic program-state inference technique that, during fuzzing, infers the point at which the protocol under test has finished processing a packet and only then collects coverage, thereby avoiding frequent restarts of the protocol under test and improving the overall efficiency of protocol fuzzing. This thesis evaluates Jupiter on six well-known industrial protocol implementations. The results show that Jupiter accurately learns the multi-state data models used for fuzzing on all of these protocols. In terms of fuzzing efficiency, compared with the well-known protocol fuzzers AFL, Polar, AFLNET and Peach, Jupiter improves the average code branch coverage on the six protocols under test within 24 hours by 234.2%, 194.4%, 215.9% and 35.18% respectively. In addition, Jupiter found and reported a total of 26 previously unknown vulnerabilities in these six protocol implementations, most of them high-severity; all of them have been confirmed and fixed by the developers.

Many well-known vulnerabilities in network protocols, such as Heartbleed and Wannacry, have caused serious damage worldwide. It is therefore vitally important to guarantee the security of their implementations. Fuzzing has proven to be one of the most efficient software testing techniques. However, due to the complex input structures and state transitions of real-world network protocols, state-of-the-art protocol fuzzers still face three main challenges in practice: (1) Data models are important to protocol fuzzing, while preparing data models of complex protocols is time-consuming and error-prone. (2) Existing protocol fuzzers focus on finding new code coverage in isolated states or on exploring new states. However, they ignore the abundant code logic that handles state transitions. (3) When using coverage feedback, they have to repeatedly restart the protocol under test, which is unsatisfactory. In this paper, we present Jupiter, an easy-to-use, efficient fuzzing platform for network protocols. Jupiter has three main innovations: (1) To conduct input-structure-aware fuzzing of protocols, Jupiter uses a learning algorithm to build data models of protocol packets automatically from real network interaction streams. (2) Jupiter adopts a cross-state guided fuzzing strategy that employs both inner-state and inter-state exploration to generate specific protocol packet sequences, aiming to maximize code coverage of state transitions during protocol fuzzing. (3) Jupiter uses a novel feedback collection method that avoids restarting the protocol at each fuzzing iteration, allowing fuzzing to proceed without interruption and thus improving overall efficiency. We evaluate Jupiter on six popular protocol implementations. Overall, it builds data models precisely for diverse fuzzing scenarios. Compared with typical fuzzers such as AFL, Polar, AFLNET, and Peach, it improves branch coverage by 234.2%, 194.4%, 215.9%, and 35.18% respectively within the same time budget of 24 hours. Moreover, it has found and reported 26 previously unknown vulnerabilities among these protocol implementations, most of which lie on the attack surface and are therefore security-critical; the corresponding patches from the vendors have been released.