
dc.contributor.advisor: Lei, Yu
dc.contributor.advisor: Ming, Jiang
dc.creator: Ren, Mengfei
dc.date.accessioned: 2023-09-27T17:08:20Z
dc.date.available: 2023-09-27T17:08:20Z
dc.date.created: 2023-08
dc.date.issued: 2023-07-12
dc.date.submitted: August 2023
dc.identifier.uri: http://hdl.handle.net/10106/31760
dc.description.abstract: In recent years, we have witnessed an increasing number of Internet of Things (IoT) devices deployed in many areas, such as home automation, healthcare, manufacturing, and smart vehicles. Among the numerous IoT wireless standards available, Zigbee stands out as one of the most globally popular choices, with major companies like Amazon, Samsung, IKEA, Huawei, and Xiaomi incorporating it into their products. Notably, Zigbee has even been utilized in NASA's Mars mission, where it serves as the communication radio between the flying drone and the Perseverance rover. However, with the rapid growth of Zigbee's global market presence, the incentive for cybercriminal attacks has also escalated. Recent incidents have highlighted severe vulnerabilities in Zigbee protocol implementations, compromising IoT devices from multiple manufacturers. Consequently, conducting security testing on Zigbee protocol implementations has become an imperative task. Nevertheless, applying existing vulnerability detection techniques like fuzzing and data flow analysis to Zigbee protocols is nontrivial, especially when dealing with vendor-specific requirements and low-level hardware events. Additionally, many existing protocol fuzzing tools lack an appropriate execution environment for Zigbee, as it relies on radio communication rather than internet connectivity. This dissertation aims to address the aforementioned gaps by proposing comprehensive fuzzing solutions tailored to the security testing of Zigbee protocol implementations. The goal is to assist IoT application manufacturers and protocol vendors in mitigating security risks during their development process. The dissertation makes the following contributions: (i) Z-Fuzzer: a device-agnostic fuzzing platform that utilizes code coverage feedback to detect security issues in Zigbee protocol implementations. (ii) TaintBFuzz: an intelligent Zigbee protocol fuzzing solution based on constraint-field dependency inference. (iii) CT-BFuzz: a fuzzing platform that applies a combinatorial testing approach to Zigbee protocol implementations. This dissertation is presented in a monograph-based format and includes three research articles. The first article introduces our work on Z-Fuzzer, the first device-agnostic fuzzing tool that makes fuzzing applicable to detecting security problems in Zigbee protocol implementations. The second article reports the work on TaintBFuzz, which uses constraint-field dependency inference to augment test input mutation when fuzzing Zigbee protocol implementations. The third article presents CT-BFuzz, which optimizes Zigbee protocol fuzzing via combinatorial test generation, producing test cases that efficiently cover combinations of values of important message fields. The first two papers have been accepted at peer-reviewed venues, while the third one is currently in press.
dc.format.mimetype: application/pdf
dc.language.iso: en_US
dc.subject: Fuzzing
dc.subject: Taint analysis
dc.subject: Combinatorial testing
dc.subject: Zigbee
dc.subject: IoT wireless protocols
dc.title: Fuzz Testing of Zigbee Protocol Implementations
dc.type: Thesis
dc.date.updated: 2023-09-27T17:08:20Z
thesis.degree.department: Computer Science and Engineering
thesis.degree.grantor: The University of Texas at Arlington
thesis.degree.level: Doctoral
thesis.degree.name: Doctor of Philosophy in Computer Science
dc.type.material: text
dc.creator.orcid: 0000-0001-8548-3299
local.embargo.terms: 2024-02-01
local.embargo.lift: 2024-02-01

