LIGHTBLUE: Automatic Profile-Aware Debloating of Bluetooth Stacks

The Bluetooth standard is ubiquitously supported by computers, smartphones, and IoT devices. Due to its complexity, implementations require large codebases, which are prone to security vulnerabilities, such as the recently discovered BlueBorne and BadBluetooth attacks. Although the standard defines it, most Bluetooth functionality, as organized into the different Bluetooth profiles, is not required in common usage scenarios. Starting from this observation, we implement LIGHTBLUE, a framework that performs automatic, profile-aware debloating of Bluetooth stacks, allowing users to automatically minimize their Bluetooth attack surface by removing unneeded Bluetooth features. LIGHTBLUE starts from a target Bluetooth application, detects the associated Bluetooth profiles, and applies a combination of control-flow and data-flow analysis to remove unused code within the Bluetooth host code. Furthermore, to debloat the Bluetooth firmware, LIGHTBLUE extracts the set of Host Controller Interface (HCI) commands the host actually uses and automatically patches the HCI dispatcher in the Bluetooth firmware, so that the firmware no longer processes unneeded HCI commands. We evaluate LIGHTBLUE on four different Bluetooth hosts and three different Bluetooth controllers. Our evaluation shows that LIGHTBLUE achieves between 32% and 50% code reduction in the Bluetooth host code and between 57% and 83% HCI command reduction in the Bluetooth firmware. This code reduction prevents the attacks responsible for 20 known CVEs, such as BlueBorne and BadBluetooth, while introducing no performance overhead and without affecting the behavior of the debloated application.
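The two steps the abstract describes, reachability-based removal of host code from profile entry points and an HCI dispatcher that only accepts the commands the remaining host code issues, can be modelled on a toy call graph. The following is an added illustration written for this page, not LIGHTBLUE's own code: the call graph, the function names, the profile entry points and the per-function HCI usage table are all constructed; only the opcode packing rule (6-bit OGF, 10-bit OCF), the four opcode values and the "Unknown HCI Command" status code 0x01 come from the Bluetooth Core Specification.

```python
"""Toy model of profile-aware Bluetooth debloating (constructed example)."""
from collections import deque


def hci_opcode(ogf: int, ocf: int) -> int:
    """Pack an HCI command opcode as the Core spec does: OGF in the top 6 bits, OCF in the low 10."""
    return ((ogf & 0x3F) << 10) | (ocf & 0x3FF)


# Real opcodes from the Core Specification (values are the spec's, not constructed).
HCI_RESET = hci_opcode(0x03, 0x0003)            # 0x0C03
HCI_CREATE_CONN = hci_opcode(0x01, 0x0005)      # 0x0405
HCI_SETUP_SYNC_CONN = hci_opcode(0x01, 0x0028)  # 0x0428
HCI_LE_SET_SCAN_ENABLE = hci_opcode(0x08, 0x000C)  # 0x200C

# Constructed call graph of a hypothetical host stack; every name here is illustrative.
CALL_GRAPH = {
    "bt_init": set(),
    "a2dp_open": {"avdtp_connect", "l2cap_connect"},
    "avdtp_connect": {"l2cap_connect"},
    "hfp_dial": {"rfcomm_connect", "sco_connect"},
    "rfcomm_connect": {"l2cap_connect"},
    "sco_connect": {"hci_send_cmd"},
    "hid_report": {"l2cap_connect"},
    "le_scan_start": {"hci_send_cmd"},
    "l2cap_connect": {"hci_send_cmd"},
    "hci_send_cmd": set(),
}

# Constructed: which HCI commands each function issues directly (the data-flow side).
HCI_USES = {
    "bt_init": {HCI_RESET},
    "l2cap_connect": {HCI_CREATE_CONN},
    "sco_connect": {HCI_SETUP_SYNC_CONN},
    "le_scan_start": {HCI_LE_SET_SCAN_ENABLE},
}

# Constructed: the host-stack entry points each profile exposes to applications.
PROFILE_ENTRY = {
    "A2DP": {"a2dp_open"},
    "HFP": {"hfp_dial"},
    "HID": {"hid_report"},
    "GATT": {"le_scan_start"},
}
ALWAYS_KEPT = {"bt_init"}  # initialisation code is needed by every profile

HCI_SUCCESS = 0x00
HCI_UNKNOWN_COMMAND = 0x01  # spec's status for an unsupported opcode


def reachable(roots):
    """Breadth-first walk of CALL_GRAPH from the given roots (the control-flow analysis)."""
    seen, queue = set(roots), deque(roots)
    while queue:
        fn = queue.popleft()
        for callee in CALL_GRAPH.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def debloat(profiles):
    """Return (kept, removed) host functions for an application using only `profiles`."""
    roots = set(ALWAYS_KEPT)
    for p in profiles:
        roots |= PROFILE_ENTRY[p]
    kept = reachable(roots)
    removed = set(CALL_GRAPH) - kept
    return kept, removed


def used_hci_opcodes(kept):
    """Union of the HCI commands the surviving host code can still send."""
    used = set()
    for fn in kept:
        used |= HCI_USES.get(fn, set())
    return used


def make_dispatcher(allowed):
    """Model the patched firmware HCI dispatcher: unknown-to-this-host opcodes are rejected."""
    allowed = frozenset(allowed)

    def dispatch(opcode: int) -> int:
        return HCI_SUCCESS if opcode in allowed else HCI_UNKNOWN_COMMAND

    return dispatch


def reduction(profiles):
    """Fraction of host functions removed and of the modelled HCI command set rejected."""
    kept, removed = debloat(profiles)
    all_cmds = set().union(*HCI_USES.values())
    used = used_hci_opcodes(kept)
    return len(removed) / len(CALL_GRAPH), 1 - len(used) / len(all_cmds)


if __name__ == "__main__":
    kept, removed = debloat({"A2DP"})
    dispatch = make_dispatcher(used_hci_opcodes(kept))
    print("removed:", sorted(removed))
    print("SCO setup status for an A2DP-only host: 0x%02x" % dispatch(HCI_SETUP_SYNC_CONN))
```

Running the model for an A2DP-only application removes the HFP, HID and LE paths and leaves a dispatcher that answers HCI_Setup_Synchronous_Connection and LE_Set_Scan_Enable with the "Unknown HCI Command" status, which is the property the abstract reports for the firmware side: commands no longer reachable from the host are not processed at all, so a bug in their handlers cannot be triggered.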
