Wireless Protocol Fuzzing Framework, 10-R8401
Joseph G. Loomis
Russell K. Barker
Tam T. Do
Inclusive Dates: 07/01/13 – 10/31/13
Background — Wireless embedded systems are becoming increasingly prevalent in the world. Manufacturers are integrating wireless protocols into their designs so that they become part of the "Internet of things." Wireless protocols such as ZigBee, Bluetooth, and Bluetooth Low Energy (BLE) can be found in devices ranging from home thermostats to cell phones. The protocols are used to provide information and control that in today’s threat-heavy world need to be secure. This means that security is increasingly becoming a primary concern for many of the companies that utilize wireless protocols. One common method of assessing the security of a protocol is through fuzz testing or "fuzzing." Fuzzing is a technique in which the input to a system is changed repetitively and in unexpected ways to see how the system reacts for the purpose of identifying vulnerabilities that have not been discovered through normal system testing. This technique has been used to test Transmission Control Protocol/Internet Protocol (TCP/IP) network software and has been adapted by Southwest Research Institute and others to test the application layer of wireless embedded systems. However, to date there has been limited work in fuzzing the intermediate and lower layers of wireless protocols; but, more specifically, no generalized approach has been developed that is readily adapted to multiple protocols.
Approach — This research is investigating approaches to fuzzing the intermediate and lower layers of wireless protocols, with specific attention to developing a generalized and adaptable approach that can be realized using low-cost, off-the-shelf tools, and that is readily adapted to multiple protocols. To achieve this, two likely approaches are being investigated: open system interconnection (OSI) stack injection and stack offload. OSI stack injection is a technique where fuzz cases generated by a fuzzing engine are injected into specific layers of the fuzzing device, which will contain an entire protocol stack, through use of an Application Programming Interface (API). The API will be responsible for packet handling between the fuzzing engine and the stack on the fuzzing device. Stack offload is a technique in which low layers of a stack are implemented on a fuzzing device, and the higher layers of the stack are implemented in software on a personal computer (PC). In this technique, fuzz cases, which are still generated by a fuzzing engine, are transferred to the PC where partial packet structure building is done and then passed to the fuzzing device for complete packet encapsulation.
Accomplishments — A test environment was developed and a fuzzing approach was selected for three popular wireless protocols. For Bluetooth and BLE, the stack offload approach will use the Ubertooth One hardware with a Sulley fuzzing engine. For the Zigbee protocol, a Universal Software Radio Peripheral (USRP) radio will be used with a Sulley fuzzing engine. Development of the complete fuzzing framework for BLE is nearing completion, and testing of the different BLE protocol stacks will begin soon.