DOI: 10.1145/3658644.3690312
Research article, ACM Conferences (CCS Conference Proceedings)

State Machine Mutation-based Testing Framework for Wireless Communication Protocols

Published: 09 December 2024

Abstract

This paper proposes Proteus, a protocol-state-machine-based, property-guided, and budget-aware automated testing approach for discovering logical vulnerabilities in wireless protocol implementations. Proteus stays within its testing budget by generating test cases (each a sequence of protocol messages) that are not only meaningful (the test case largely follows the expected protocol flow, apart from some controlled deviations) but also have a high probability of violating the desired properties. To demonstrate its effectiveness, we evaluated Proteus on implementations of two different protocols, 4G LTE and BLE, across 23 consumer devices (11 for 4G LTE and 12 for BLE). Proteus discovered 25 unique issues, comprising 112 instances. Affected vendors have positively acknowledged 14 vulnerabilities through 5 CVEs.


Published In

CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security
December 2024, 5188 pages
ISBN: 9798400706363
DOI: 10.1145/3658644

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher: Association for Computing Machinery, New York, NY, United States

Published: 09 December 2024

Author Tags

    1. 4G LTE
    2. Bluetooth
    3. finite state machine
    4. property-guided testing

Qualifiers: Research article

Conference: CCS '24

Acceptance Rates: Overall acceptance rate 1,261 of 6,999 submissions, 18%
