#BHAS BlackHatEvents
Lidong Li & Kun Dong & Xiao Wang, SourceGuard

About Us
Lidong Li: Source Guard Chief Security Officer. Specializes in protocol vulnerability mining and fuzzing framework development. Core developer of the Wisdom&Swift Fuzzer. HITB/POC/ISC speaker.
Kun Dong: Source Guard CEO. Ph.D. in Cybersecurity from Xidian University, specializing in chip security research and AI adversarial security research.
Xiao Wang: Source Guard Senior Security Researcher. His expertise lies in vulnerability discovery in wireless protocols, including Bluetooth and Wi-Fi security.

Agenda
Bluetooth protocol stack & state machine analysis
The bottleneck of traditional TLV-format fuzzing
Disrupting the state machine to discover new Bluetooth vulnerabilities

Bluetooth protocol stack & state machine analysis

The bottleneck of traditional TLV-format fuzzing
Random targeting of TLV fields without purpose
Driver inspection and validation of malformed packets
Non-purposeful (non-targeted) interaction packets
Incomplete state machine coverage
Prior Bluetooth CVEs: CVE-2017-0781, CVE-2020-12351, CVE-2023-45866

Disrupting the state machine to discover new Bluetooth vulnerabilities
Factors that affect state machine interactions?
1.
2.

1. L2CAP Connect Request
2. L2CAP Connect Response
3. L2CAP Channel Configuration
4. Data Transfer & Disco
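As an added illustration of the two agenda items above (the TLV-fuzzing bottleneck and disrupting the L2CAP state machine), and not code from the talk, from Source Guard or from the Wisdom&Swift Fuzzer: a toy model of one L2CAP connection-oriented channel walked through the Connect Request, Configuration and Disconnect steps, with two drivers run against it. The first keeps the happy-path order and mutates only the configuration TLV; the second sends only well-formed commands but in every order. The packet layouts follow the L2CAP signaling format (basic header, command code/identifier/length, type-length-value configuration options); the responder, its (state, code, outcome) coverage bookkeeping and both drivers are assumptions constructed for this example.

```python
"""Toy L2CAP channel state machine (CLOSED -> WAIT_CONFIG -> OPEN -> CLOSED)
and two fuzzing drivers over it: configuration-TLV mutation versus disrupting
the order of the signaling commands. Constructed illustration, not a real stack."""
import itertools
import struct

SIG_CID = 0x0001   # L2CAP signaling channel on BR/EDR
CMD_REJECT, CONN_REQ, CONN_RSP, CFG_REQ, CFG_RSP, DISC_REQ, DISC_RSP = range(1, 8)
MTU_OPTION = 0x01  # configuration option type for MTU, value length 2


def build_sig(code, ident, payload):
    """Basic L2CAP header (length, CID) + signaling command header, little-endian."""
    cmd = struct.pack("<BBH", code, ident, len(payload)) + payload
    return struct.pack("<HH", len(cmd), SIG_CID) + cmd


def parse_sig(pdu):
    code, ident, clen = struct.unpack_from("<BBH", pdu, 4)
    return code, ident, pdu[8:8 + clen]


def parse_options(options):
    """Walk the type/length/value list; True only if every option is well-formed."""
    pos = 0
    while pos < len(options):
        if pos + 2 > len(options):
            return False
        otype, olen = options[pos], options[pos + 1]
        value = options[pos + 2:pos + 2 + olen]
        if len(value) != olen or (otype == MTU_OPTION and olen != 2):
            return False
        pos += 2 + olen
    return True


class Responder:
    """Hypothetical peer; edges records every (state, command, outcome) it handled."""
    def __init__(self):
        self.state, self.local_cid, self.remote_cid = "CLOSED", 0x0040, None
        self.edges = set()

    def reject(self, ident, reason, data=b""):
        return build_sig(CMD_REJECT, ident, struct.pack("<H", reason) + data)

    def handle(self, pdu):
        code, ident, body = parse_sig(pdu)
        if code == CONN_REQ:
            _psm, scid = struct.unpack("<HH", body)
            if self.state != "CLOSED":                 # channel already allocated
                self.edges.add((self.state, code, "reject"))
                return self.reject(ident, 0x0000)      # reason: command not understood
            self.remote_cid, self.state = scid, "WAIT_CONFIG"
            self.edges.add(("CLOSED", code, "ok"))     # DCID, SCID, result 0, status 0
            return build_sig(CONN_RSP, ident, struct.pack("<HHHH", self.local_cid, scid, 0, 0))
        if code == CFG_REQ:
            dcid, _flags = struct.unpack_from("<HH", body, 0)
            if self.state == "CLOSED" or dcid != self.local_cid:
                self.edges.add((self.state, code, "reject"))   # reason 0x0002: invalid CID
                return self.reject(ident, 0x0002, struct.pack("<HH", dcid, self.remote_cid or 0))
            if not parse_options(body[4:]):            # driver validation of a malformed TLV
                self.edges.add((self.state, code, "badopt"))   # result 0x0002: rejected
                return build_sig(CFG_RSP, ident, struct.pack("<HHH", self.remote_cid, 0, 0x0002))
            self.edges.add((self.state, code, "ok"))   # first config or a reconfiguration
            self.state = "OPEN"
            return build_sig(CFG_RSP, ident, struct.pack("<HHH", self.remote_cid, 0, 0))
        if code == DISC_REQ:
            if self.state == "CLOSED":
                self.edges.add((self.state, code, "reject"))
                return self.reject(ident, 0x0002, body)
            self.edges.add((self.state, code, "ok"))
            self.state = "CLOSED"
            return build_sig(DISC_RSP, ident, body)
        self.edges.add((self.state, code, "reject"))
        return self.reject(ident, 0x0000)


def conn_req(ident=1):   # PSM 0x0001, source CID 0x0041 (constructed values)
    return build_sig(CONN_REQ, ident, struct.pack("<HH", 0x0001, 0x0041))


def cfg_req(ident=2, opt_type=MTU_OPTION, opt_len=2, value=b"\xa0\x02"):
    tlv = bytes([opt_type, opt_len]) + value   # the TLV a value-mutation fuzzer varies
    return build_sig(CFG_REQ, ident, struct.pack("<HH", 0x0040, 0) + tlv)


def disc_req(ident=3):
    return build_sig(DISC_REQ, ident, struct.pack("<HH", 0x0040, 0x0041))


HAPPY_PATH = (conn_req, cfg_req, disc_req)


def tlv_mutation_fuzz():
    """Traditional driver: fixed happy-path order, only the TLV fields vary."""
    covered = set()
    for otype, olen, vlen in itertools.product(range(3), range(4), range(4)):
        r = Responder()
        for pdu in (conn_req(), cfg_req(opt_type=otype, opt_len=olen, value=bytes(vlen)), disc_req()):
            r.handle(pdu)
        covered |= r.edges
    return covered


def state_disruption_fuzz(max_len=3):
    """Disruption driver: well-formed commands only, every ordering up to max_len long."""
    covered = set()
    for n in range(1, max_len + 1):
        for seq in itertools.product(HAPPY_PATH, repeat=n):
            r = Responder()
            for step in seq:
                r.handle(step())
            covered |= r.edges
    return covered


if __name__ == "__main__":
    tlv, dis = tlv_mutation_fuzz(), state_disruption_fuzz()
    print("only by TLV mutation:", sorted(tlv - dis))
    print("only by state disruption:", sorted(dis - tlv))
```

Run stand-alone, the script prints the (state, command, outcome) edges each driver reaches and the other does not: TLV mutation alone exercises the option-validation branch, while only the reordering driver reaches commands arriving in states the happy path never puts the peer in (configure or disconnect on a CLOSED channel, a second connect on an open one, reconfiguration). Neither is a superset of the other, which is why the talk argues for driving the state machine deliberately rather than mutating fields at random.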