TL;DR
L2Fuzz is a stateful Bluetooth L2CAP fuzzing tool that efficiently generates malformed packets, leading to the discovery of five zero-day vulnerabilities in real-world devices.
Contribution
It introduces a novel state-aware fuzzing approach that improves malformed packet generation and vulnerability detection in the Bluetooth L2CAP layer.
Findings
L2Fuzz generates up to 46 times more malformed packets than existing techniques.
L2Fuzz detects five zero-day vulnerabilities.
It significantly reduces the packet rejection ratio.
Abstract
Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) is a wireless technology used in billions of devices. Recently, several Bluetooth fuzzing studies have been conducted to detect vulnerabilities in Bluetooth devices, but they fall short of effectively generating malformed packets. In this paper, we propose L2FUZZ, a stateful fuzzer to detect vulnerabilities in the Bluetooth BR/EDR Logical Link Control and Adaptation Protocol (L2CAP) layer. By selecting valid commands for each state and mutating only the core fields of packets, L2FUZZ can generate valid malformed packets that are less likely to be rejected by the target device. Our experimental results confirmed that: (1) L2FUZZ generates up to 46 times more malformed packets with a much lower packet rejection ratio compared to the existing techniques, and (2) L2FUZZ detected five zero-day vulnerabilities in eight real-world Bluetooth devices.
