BloomFuzz: Unveiling Bluetooth L2CAP Vulnerabilities via State Cluster Fuzzing with Target-Oriented State Machines

Pyeongju Ahn; Yeonseok Jang; Seunghoon Woo; Heejo Lee

doi:10.1007/978-3-031-70896-1_6

BloomFuzz: Unveiling Bluetooth L2CAP Vulnerabilities via State Cluster Fuzzing with Target-Oriented State Machines

Pyeongju Ahn
, Yeonseok Jang
, Seunghoon Woo^*
, Heejo Lee^*

^*Corresponding author for this work

Department of Computer Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Citations (Scopus)

Abstract

Bluetooth technologies are widely utilized across various devices. Despite the advantages, the lack of security in Bluetooth can pose critical threats. Existing approaches that rely solely on Bluetooth specification have failed to bridge the gap between documentation and implemented devices. Therefore, they struggle to (1) precisely generate state machines for target devices and (2) accurately track states during the fuzzing process, resulting in low fuzzing efficiency. In this paper, we propose BloomFuzz, a stateful fuzzer to discover vulnerabilities in Bluetooth Logical Link Control and Adaptation Protocol (L2CAP) layer. Utilizing the concept of the state cluster, which is a set of one or more states with similar attributes, BloomFuzz can generate a target-oriented state machine by pruning unimplemented states (missing states) and addressing states that are implemented but not introduced in the specification (hidden states). Furthermore, BloomFuzz enhances fuzzing efficiency by generating valid test packets for each cluster via cluster-based state machine tracking. When we applied BloomFuzz to real-world Bluetooth devices, we observed that BloomFuzz outperformed existing L2CAP fuzzers by (1) discovering 56 potential vulnerabilities (more than twice compared to existing fuzzers), (2) precisely generating a target-oriented state machine, (3) significantly reducing the probability of test packets being rejected (from 76% to 23%), and (4) producing nine times more valid malformed test packets. Our proposed approach can contribute to preventing threats within L2CAP, thereby rendering a secure Bluetooth environment.

Original language	English
Title of host publication	Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings
Editors	Joaquin Garcia-Alfaro, Rafał Kozik, Michał Choraś, Sokratis Katsikas
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	110-129
Number of pages	20
ISBN (Print)	9783031708954
DOIs	https://doi.org/10.1007/978-3-031-70896-1_6
Publication status	Published - 2024
Event	29th European Symposium on Research in Computer Security, ESORICS 2024 - Bydgoszcz, Poland Duration: 2024 Sept 16 → 2024 Sept 20

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	14984 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	29th European Symposium on Research in Computer Security, ESORICS 2024
Country/Territory	Poland
City	Bydgoszcz
Period	24/9/16 → 24/9/20

Bibliographical note

Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.

Keywords

Bluetooth Security
L2CAP Security
Stateful Fuzzing

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-031-70896-1_6

Cite this

Ahn, P., Jang, Y., Woo, S., & Lee, H. (2024). BloomFuzz: Unveiling Bluetooth L2CAP Vulnerabilities via State Cluster Fuzzing with Target-Oriented State Machines. In J. Garcia-Alfaro, R. Kozik, M. Choraś, & S. Katsikas (Eds.), Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings (pp. 110-129). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14984 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-70896-1_6

BloomFuzz: Unveiling Bluetooth L2CAP Vulnerabilities via State Cluster Fuzzing with Target-Oriented State Machines. / Ahn, Pyeongju; Jang, Yeonseok; Woo, Seunghoon et al.
Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings. ed. / Joaquin Garcia-Alfaro; Rafał Kozik; Michał Choraś; Sokratis Katsikas. Springer Science and Business Media Deutschland GmbH, 2024. p. 110-129 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14984 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Ahn, P, Jang, Y, Woo, S & Lee, H 2024, BloomFuzz: Unveiling Bluetooth L2CAP Vulnerabilities via State Cluster Fuzzing with Target-Oriented State Machines. in J Garcia-Alfaro, R Kozik, M Choraś & S Katsikas (eds), Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 14984 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 110-129, 29th European Symposium on Research in Computer Security, ESORICS 2024, Bydgoszcz, Poland, 24/9/16. https://doi.org/10.1007/978-3-031-70896-1_6

Ahn P, Jang Y, Woo S, Lee H. BloomFuzz: Unveiling Bluetooth L2CAP Vulnerabilities via State Cluster Fuzzing with Target-Oriented State Machines. In Garcia-Alfaro J, Kozik R, Choraś M, Katsikas S, editors, Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings. Springer Science and Business Media Deutschland GmbH. 2024. p. 110-129. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-70896-1_6

Ahn, Pyeongju ; Jang, Yeonseok ; Woo, Seunghoon et al. / BloomFuzz : Unveiling Bluetooth L2CAP Vulnerabilities via State Cluster Fuzzing with Target-Oriented State Machines. Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings. editor / Joaquin Garcia-Alfaro ; Rafał Kozik ; Michał Choraś ; Sokratis Katsikas. Springer Science and Business Media Deutschland GmbH, 2024. pp. 110-129 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{77bfb38ecccb4462aab5522a8309efb0,

title = "BloomFuzz: Unveiling Bluetooth L2CAP Vulnerabilities via State Cluster Fuzzing with Target-Oriented State Machines",

abstract = "Bluetooth technologies are widely utilized across various devices. Despite the advantages, the lack of security in Bluetooth can pose critical threats. Existing approaches that rely solely on Bluetooth specification have failed to bridge the gap between documentation and implemented devices. Therefore, they struggle to (1) precisely generate state machines for target devices and (2) accurately track states during the fuzzing process, resulting in low fuzzing efficiency. In this paper, we propose BloomFuzz, a stateful fuzzer to discover vulnerabilities in Bluetooth Logical Link Control and Adaptation Protocol (L2CAP) layer. Utilizing the concept of the state cluster, which is a set of one or more states with similar attributes, BloomFuzz can generate a target-oriented state machine by pruning unimplemented states (missing states) and addressing states that are implemented but not introduced in the specification (hidden states). Furthermore, BloomFuzz enhances fuzzing efficiency by generating valid test packets for each cluster via cluster-based state machine tracking. When we applied BloomFuzz to real-world Bluetooth devices, we observed that BloomFuzz outperformed existing L2CAP fuzzers by (1) discovering 56 potential vulnerabilities (more than twice compared to existing fuzzers), (2) precisely generating a target-oriented state machine, (3) significantly reducing the probability of test packets being rejected (from 76\% to 23\%), and (4) producing nine times more valid malformed test packets. Our proposed approach can contribute to preventing threats within L2CAP, thereby rendering a secure Bluetooth environment.",

keywords = "Bluetooth Security, L2CAP Security, Stateful Fuzzing",

author = "Pyeongju Ahn and Yeonseok Jang and Seunghoon Woo and Heejo Lee",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.; 29th European Symposium on Research in Computer Security, ESORICS 2024 ; Conference date: 16-09-2024 Through 20-09-2024",

year = "2024",

doi = "10.1007/978-3-031-70896-1\_6",

language = "English",

isbn = "9783031708954",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "110--129",

editor = "Joaquin Garcia-Alfaro and Rafa{\l} Kozik and Micha{\l} Chora{\'s} and Sokratis Katsikas",

booktitle = "Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings",

address = "Germany",

}

TY - GEN

T1 - BloomFuzz

T2 - 29th European Symposium on Research in Computer Security, ESORICS 2024

AU - Ahn, Pyeongju

AU - Jang, Yeonseok

AU - Woo, Seunghoon

AU - Lee, Heejo

PY - 2024

Y1 - 2024

N2 - Bluetooth technologies are widely utilized across various devices. Despite the advantages, the lack of security in Bluetooth can pose critical threats. Existing approaches that rely solely on Bluetooth specification have failed to bridge the gap between documentation and implemented devices. Therefore, they struggle to (1) precisely generate state machines for target devices and (2) accurately track states during the fuzzing process, resulting in low fuzzing efficiency. In this paper, we propose BloomFuzz, a stateful fuzzer to discover vulnerabilities in Bluetooth Logical Link Control and Adaptation Protocol (L2CAP) layer. Utilizing the concept of the state cluster, which is a set of one or more states with similar attributes, BloomFuzz can generate a target-oriented state machine by pruning unimplemented states (missing states) and addressing states that are implemented but not introduced in the specification (hidden states). Furthermore, BloomFuzz enhances fuzzing efficiency by generating valid test packets for each cluster via cluster-based state machine tracking. When we applied BloomFuzz to real-world Bluetooth devices, we observed that BloomFuzz outperformed existing L2CAP fuzzers by (1) discovering 56 potential vulnerabilities (more than twice compared to existing fuzzers), (2) precisely generating a target-oriented state machine, (3) significantly reducing the probability of test packets being rejected (from 76% to 23%), and (4) producing nine times more valid malformed test packets. Our proposed approach can contribute to preventing threats within L2CAP, thereby rendering a secure Bluetooth environment.

AB - Bluetooth technologies are widely utilized across various devices. Despite the advantages, the lack of security in Bluetooth can pose critical threats. Existing approaches that rely solely on Bluetooth specification have failed to bridge the gap between documentation and implemented devices. Therefore, they struggle to (1) precisely generate state machines for target devices and (2) accurately track states during the fuzzing process, resulting in low fuzzing efficiency. In this paper, we propose BloomFuzz, a stateful fuzzer to discover vulnerabilities in Bluetooth Logical Link Control and Adaptation Protocol (L2CAP) layer. Utilizing the concept of the state cluster, which is a set of one or more states with similar attributes, BloomFuzz can generate a target-oriented state machine by pruning unimplemented states (missing states) and addressing states that are implemented but not introduced in the specification (hidden states). Furthermore, BloomFuzz enhances fuzzing efficiency by generating valid test packets for each cluster via cluster-based state machine tracking. When we applied BloomFuzz to real-world Bluetooth devices, we observed that BloomFuzz outperformed existing L2CAP fuzzers by (1) discovering 56 potential vulnerabilities (more than twice compared to existing fuzzers), (2) precisely generating a target-oriented state machine, (3) significantly reducing the probability of test packets being rejected (from 76% to 23%), and (4) producing nine times more valid malformed test packets. Our proposed approach can contribute to preventing threats within L2CAP, thereby rendering a secure Bluetooth environment.

KW - Bluetooth Security

KW - L2CAP Security

KW - Stateful Fuzzing

UR - https://www.scopus.com/pages/publications/85204589677

U2 - 10.1007/978-3-031-70896-1_6

DO - 10.1007/978-3-031-70896-1_6

M3 - Conference contribution

AN - SCOPUS:85204589677

SN - 9783031708954

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 110

EP - 129

BT - Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings

A2 - Garcia-Alfaro, Joaquin

A2 - Kozik, Rafał

A2 - Choraś, Michał

A2 - Katsikas, Sokratis

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 16 September 2024 through 20 September 2024

ER -