TY - GEN
T1 - Intelligent Zigbee Protocol Fuzzing via Constraint-Field Dependency Inference
AU - Ren, Mengfei
AU - Zhang, Haotian
AU - Ren, Xiaolei
AU - Ming, Jiang
AU - Lei, Yu
N1 - Publisher Copyright:
© 2024, The Author(s), under exclusive license to Springer Nature Switzerland AG.
PY - 2024
Y1 - 2024
N2 - Zigbee is one of the world's most popular IoT standards, widely deployed across millions of devices and customers. Its fast market growth also incentivizes cybercriminals. Inference-guided fuzzing, which infers the relationship between input bytes and path constraints, has shown promising results for security vulnerability detection. However, deploying such a technique on a Zigbee protocol implementation is not a trivial task because of vendor-specific requirements and particular hardware configurations. In this paper, we propose TaintBFuzz, an intelligent Zigbee protocol fuzzer that infers the dependency between message fields and path constraints. We then use the inference to prioritize the corresponding fields in the mutation process and generate inputs that can explore untouched branches. We implemented a prototype of TaintBFuzz and evaluated it on a mainstream Zigbee protocol implementation called Z-Stack. Compared with state-of-the-art protocol fuzzing tools, including Boofuzz, Peach, and Z-Fuzzer, TaintBFuzz achieves higher code coverage with the assistance of constraint-field dependency inference. Notably, TaintBFuzz efficiently identifies eight distinct vulnerabilities, two of which were previously unidentified.
AB - Zigbee is one of the world's most popular IoT standards, widely deployed across millions of devices and customers. Its fast market growth also incentivizes cybercriminals. Inference-guided fuzzing, which infers the relationship between input bytes and path constraints, has shown promising results for security vulnerability detection. However, deploying such a technique on a Zigbee protocol implementation is not a trivial task because of vendor-specific requirements and particular hardware configurations. In this paper, we propose TaintBFuzz, an intelligent Zigbee protocol fuzzer that infers the dependency between message fields and path constraints. We then use the inference to prioritize the corresponding fields in the mutation process and generate inputs that can explore untouched branches. We implemented a prototype of TaintBFuzz and evaluated it on a mainstream Zigbee protocol implementation called Z-Stack. Compared with state-of-the-art protocol fuzzing tools, including Boofuzz, Peach, and Z-Fuzzer, TaintBFuzz achieves higher code coverage with the assistance of constraint-field dependency inference. Notably, TaintBFuzz efficiently identifies eight distinct vulnerabilities, two of which were previously unidentified.
KW - Fuzzing
KW - IoT Wireless Protocols
KW - Taint Analysis
KW - Zigbee
UR - https://www.scopus.com/pages/publications/85182602079
UR - https://www.scopus.com/pages/publications/85182602079#tab=citedBy
U2 - 10.1007/978-3-031-51476-0_23
DO - 10.1007/978-3-031-51476-0_23
M3 - Conference contribution
AN - SCOPUS:85182602079
SN - 9783031514753
T3 - Lecture Notes in Computer Science
SP - 467
EP - 486
BT - Computer Security – ESORICS 2023 - 28th European Symposium on Research in Computer Security, 2023, Proceedings
A2 - Tsudik, Gene
A2 - Conti, Mauro
A2 - Liang, Kaitai
A2 - Smaragdakis, Georgios
PB - Springer Science and Business Media Deutschland GmbH
T2 - 28th European Symposium on Research in Computer Security, ESORICS 2023
Y2 - 25 September 2023 through 29 September 2023
ER -