Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) is a wireless technology used in billions of devices. Recently, several Bluetooth fuzzing studies have been conducted to detect vulnerabilities in Bluetooth devices, but they fall short of effectively generating malformed packets. In this paper, we propose L2FUZZ, a stateful fuzzer for detecting vulnerabilities in the Bluetooth BR/EDR Logical Link Control and Adaptation Protocol (L2CAP) layer. By selecting valid commands for each state and mutating only the core fields of packets, L2FUZZ generates valid malformed packets that are less likely to be rejected by the target device. Our experimental results confirmed that: (1) L2FUZZ generates up to 46 times more malformed packets with a much lower packet rejection ratio than the existing techniques, and (2) L2FUZZ detected five zero-day vulnerabilities in eight real-world Bluetooth devices.