Formal Model-Driven Discovery of Bluetooth Protocol Design Vulnerabilities

The Bluetooth protocol suite, including Bluetooth Classic, Bluetooth Low Energy, and Bluetooth Mesh, has become the de facto standard for short-range wireless communications. While formal methods have been applied to Bluetooth security, existing efforts either focus on one configuration of a protoco...

Bibliographic details
Main authors: Wu, Jianliang, Wu, Ruoyu, Xu, Dongyan, Tian, Dave Jing, Bianchi, Antonio
Format: Conference proceeding
Language: eng
container_end_page 2303
container_issue
container_start_page 2285
container_title
container_volume
creator Wu, Jianliang
Wu, Ruoyu
Xu, Dongyan
Tian, Dave Jing
Bianchi, Antonio
description The Bluetooth protocol suite, including Bluetooth Classic, Bluetooth Low Energy, and Bluetooth Mesh, has become the de facto standard for short-range wireless communications. While formal methods have been applied to Bluetooth security, existing efforts either focus on one configuration of a protocol or one protocol of the suite, without considering other configurations or interactions among protocols. As a result, manual analysis still dominates the state-of-the-art security research of Bluetooth specification. To enable automatic Bluetooth security analysis with formal guarantees, we propose a comprehensive formal model for Bluetooth protocol suite covering both the key sharing phase and the data transmission phase, in all the three Bluetooth protocols, and detecting their design flaws automatically. Our formal model, written in ProVerif, adopts a modular design by abstracting each step within a protocol into an interface and implementing different methods in each step as modules to instantiate the interface, through which all possible configurations of a protocol could be examined. We further abstract different Bluetooth protocols into modules enabling the modeling of their interactions and relax the threat model to allow reasoning about semi-compromised devices. We use this model to formally verify 418 security properties and find 82 violations with attack examples capturing 5 known vulnerabilities and discovering 2 new security issues. Bluetooth SIG confirmed our independent discovery of these 2 new issues, with one issue assigned a CVE and the other issue acknowledged in a security notice. Our model provides one step towards formally verified Bluetooth security.
doi_str_mv 10.1109/SP46214.2022.9833777
format Conference Proceeding
identifier EISSN: 2375-1207
ispartof 2022 IEEE Symposium on Security and Privacy (SP), 2022, p.2285-2303
issn 2375-1207
language eng
recordid cdi_ieee_primary_9833777
source IEEE Electronic Library (IEL)
subjects Analytical models
BLE
Bluetooth
Data models
Formal-Methods
Manuals
Mesh
Privacy
Protocols
Specifications
Vulnerability-Discovery
Wireless communication
title Formal Model-Driven Discovery of Bluetooth Protocol Design Vulnerabilities
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-20T22%3A15%3A46IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=Formal%20Model-Driven%20Discovery%20of%20Bluetooth%20Protocol%20Design%20Vulnerabilities&rft.btitle=2022%20IEEE%20Symposium%20on%20Security%20and%20Privacy%20(SP)&rft.au=Wu,%20Jianliang&rft.date=2022-05&rft.spage=2285&rft.epage=2303&rft.pages=2285-2303&rft.eissn=2375-1207&rft.coden=IEEPAD&rft_id=info:doi/10.1109/SP46214.2022.9833777&rft_dat=%3Cieee_RIE%3E9833777%3C/ieee_RIE%3E%3Curl%3E%3C/url%3E&rft.eisbn=9781665413169&rft.eisbn_list=1665413166&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=9833777&rfr_iscdi=true