A Novel Fuzzing Method for Zigbee Based on Finite State Machine

According to earlier test records, the majority of defects were exposed due to a series of testing cases. However, the context of malformed inputs is not taken into account by the previous algorithms. In this paper, we propose a refined structure-based fuzzing algorithm for Zigbee based on FSM, FSM-fuzzing. Any malformed input in FSM-fuzzing is injected into the tested sensor against a specific initial state. If the sensor transfers to the next state of the FSM or crashes, there is a defect of Zigbee in dealing with that input under that state. The final state of the sensor is verified by a UIO sequence. After a round of tests, the sensor is regressed to the specific state to prepare for receiving the next mutation. All of the states are traversed in FSM-fuzzing. A fuzzing tool, ZFSM-fuzzer, is designed for evaluating the performance of FSM-fuzzing. Experiment results show that there is a vulnerability of Zigbee in dealing with frames without destination addresses. Further, the quality of the cases of FSM-fuzzing is higher than that of the previous algorithms. Therefore, FSM-fuzzing is powerful in finding the vulnerabilities of Zigbee.


Introduction
Zigbee has attracted much attention in recent years due to the growing demand for low power consumption [1]. Accordingly, Zigbee sensors are lightweight, with slow operation speed and little storage. Moreover, the sensors are usually deployed outdoors [2]. As a result, Zigbee networks face multiple attacks, such as data monitoring, data tampering, and Denial of Service (DoS) attacks [3].
A body of literature focuses on the security analysis and the security framework of Zigbee. Key management schemes were proposed for encrypting data and identifying impersonated nodes at low cost [4], as well as privacy protection schemes [5] and secure routing protocols [6] to enhance the security of Zigbee networks. Previous research shows that there are several vulnerabilities in the Zigbee protocol which could lead to jamming or even crashing of the networks. Thus, mining the potential defects of Zigbee and fixing them is important for the security of the networks.
Fuzzing is widely used for finding defects in network protocols and file-handling applications [7]. A fuzzing test is implemented by injecting malformed test cases into the target system and monitoring the operation status of the target [8,9]. If the target system crashes, there may be a vulnerability in it. Previously, the test cases of a fuzzing test were generated by a random algorithm. The time cost and resource cost of random fuzzing are both huge, and few defects are exposed in this way. Some researchers proposed test case generation algorithms of different kinds to improve the efficiency of fuzzing. The general refined fuzzing algorithms are the structure-based algorithm [10], the key-field-based algorithm [11], and the boundary-based algorithm [12]. However, the relationship between the test cases and the transitions of the operation state of the target system is not taken into account in these refined algorithms, and several vulnerabilities are exposed only through the interaction between special states and particular test cases. For these reasons, a refined fuzzing algorithm based on state transitions is proposed.
In this paper, we present a refined algorithm for generating fuzzing test cases for Zigbee, FSM-fuzzing. It combines a finite state machine (FSM) with the structure-based fuzzing algorithm according to the MAC protocol of Zigbee. While working, the sensors transfer from one state to another in line with Zigbee. Before checking the defects of Zigbee in one process, FSM-fuzzing makes the tested sensor work in the preceding state. Then a test case against the state transition, which is semicompliant with the frame construction rules of Zigbee, is sent to the target sensor. If the semicompliant case makes the sensor transfer to the next state successfully, or makes the sensor or the network crash, there may be a vulnerability in Zigbee or in the stack. The unique input and output (UIO) sequence is used for checking the state of the target sensor after it has dealt with the test case. Finally, the test sequences are regressed to the initial state by a regression process so that FSM-fuzzing can implement the next round of tests. The regression process improves the automation level of FSM-fuzzing.
In order to verify the advantage of FSM-fuzzing in finding potential defects, a fuzzing framework named ZFSM-fuzzer is designed. ZFSM-fuzzer is implemented on Z-Stack, which is a widely used Zigbee stack. In this paper, we take the process of connection and disconnection as an example to verify the usability of FSM-fuzzing. Experiment results show that there is an abnormality of Z-Stack in dealing with a kind of malformed packets that do not contain the destination address. A series of performance tests is also implemented among the random-based algorithm, the structure-based algorithm, and FSM-fuzzing. Compared with the random-based algorithm, the scale of test cases and the time cost of FSM-fuzzing are greatly reduced. Compared with the structure-based algorithm, the quality of the test cases of FSM-fuzzing is higher. In addition, it is easier for FSM-fuzzing to locate the causes of vulnerabilities than for the structure-based algorithm.
The rest of this paper is organized as follows. Section 2 introduces some related work on the security of Zigbee. Section 3 describes the theory of FSM and the main idea of FSM-fuzzing. Section 4 presents the framework of ZFSM-fuzzer. After designing the topology of the tested network, experiments are conducted and the results are shown in Section 5. Finally, we conclude this paper and point out future work in Section 6.

Related Work
The attributes of poor storage ability and low computing capacity lead to the vulnerability of Zigbee networks. The threats against Zigbee networks can be divided into six classes: attacks against data privacy, DoS attacks, node compromise, side-channel attacks, impersonation attacks, and protocol-specific attacks [13]. These threats may lead to the disclosure of sensitive data, an increase of network load, or even the blocking of communications.
In order to resist the primary attacks, four kinds of security services are offered by the MAC layer of Zigbee.
(i) Data encryption: the payload of the MAC frame can be encrypted with AES if the security bit is set to 1 in the frame control field of the MAC frame. There are three encryption modes offering different levels of protection: AES-CTR, AES-CBC-MAC, and AES-CCM [14,15].
(ii) Data freshness: every frame carries an increasing sequence number in the header of the MAC frame. The receiver checks the freshness of the sequence number. This measure counters replay attacks and data forgery.
(iii) Frame check sequence (FCS): an FCS occupying two bytes is placed at the end of the MAC frame. The sequence is unique for each frame. If the FCS does not match the frame, the frame was probably tampered with by attackers during transmission.
(iv) Access control list (ACL): this is an optional security service on the MAC layer. The layer above the MAC maintains a list of authentic nodes. If the access control service is enabled, the sensor rejects all data from unauthenticated sensors [16].
Some researchers paid attention to other schemes to enhance the security of wireless sensor networks (WSNs), including Zigbee. Mogre et al. [17] researched the security requirements of WSNs and proposed a security framework. They stated that the security of a WSN depends on the comprehensive detection of misbehavior, a secure routing protocol, and reputation management. McCusker and O'Connor [18] presented a symmetric key distribution scheme for WSNs. The scheme met the strict energy constraint by porting the pairing component to hardware. Karlof and Wagner [19] summarized the threats against routing protocols, such as selective forwarding, Sybil attacks, and wormholes, and suggested countermeasures.
Some researchers also focused on finding vulnerabilities in WSN protocols. Shin Jung et al. [20] found a defect of Zigbee in beacon networks. The coordinator would not verify the real identity of a node presenting an authentic ID in a GTS request. The requests from legitimate nodes would be ignored if attackers cloned a large number of legal nodes and sent GTS requests, thereby achieving a DoS attack.
In order to increase the automation level of vulnerability mining, fuzzing, which was earlier used for finding defects in wired network protocols, was introduced by Mendonça and Neves [12] to test Wi-Fi. Lahmadi et al. [21] also applied fuzzing to discovering vulnerabilities in 6LoWPAN networks and designed a testing framework. Peng et al. [22] were the first to design an architecture for fuzzing the MAC layer of Zigbee, called ZBCBT.
However, test cases are generated by a random-based algorithm in black-box fuzzing. The time cost and resource cost of random fuzzing are huge. Therefore, improving the efficiency of fuzzing for WSN protocols has become a hot area. Peng et al. proposed a refined algorithm, ZBCA, employed in ZBCBT to generate fuzzing test cases. The subfields of the cases in ZBCA were set to boundary values so that the probability of exposing vulnerabilities was increased. A vulnerability of Zigbee that would lead to the dissociation between end devices and coordinators was also presented. Cui et al. [23] also proposed a refined fuzzing algorithm based on node cloning.
Research results show that vulnerabilities are ordinarily exposed in special states. However, the state transitions of the tested nodes are not taken into account in the above refined algorithms, so several abnormalities on deep paths are not exposed. Therefore, a refined fuzzing algorithm based on FSM is proposed in this paper to deal with the problem.

FSM-Fuzzing
Fuzzing is a frequently used technique for finding vulnerabilities in protocols and programs. It exposes exceptions by inserting specific inputs, such as malformed data or faults, into the target system while testers monitor it simultaneously [24]. Fuzzing was first proposed by Miller et al. [25] for finding vulnerabilities in UNIX programs in 1990. Their tool generated a battery of inputs randomly and fed them to the applications, which caused more than 24% of the applications to crash [7]. However, a random-based algorithm, which generates a huge number of test cases, is inefficient. In order to reduce the number of invalid test cases and improve the path coverage of the target system, smart fuzzing frameworks were proposed. At present, corresponding fuzzing tools are available for various applications and protocols. For example, COMRaider and AxMan [26] are designed for ActiveX controls, SPIKE [27] for network protocols, and Peach [28] for files and protocols.
In this section, we propose a refined fuzzing algorithm for Zigbee, FSM-fuzzing. The algorithm is based on the theory of FSM. The testing object in this method is a state transition of the tested sensor. Before sending malformed inputs, the tested sensor is driven into an initial state. By verifying the final state with a UIO sequence, defects of the tested stack can be found. If the sensor transfers to the next state successfully, or the sensor even stops working, there is a defect in dealing with that kind of mutation.

Finite State Machine (FSM).
The essence of a protocol is that the sensors transfer from one state to another according to its rules. An FSM is widely used for describing the state migration of sensors as a digraph [29]. An FSM M is a 5-tuple M = ( , , , , ), where the components are as follows. At any moment, the FSM can work in only one state in . The digraph = ( , ) is determined by the FSM of the protocol. All of the states are taken as the vertices in , and each state transition is a directed arc. An example of is shown in Figure 1. The purpose of building the FSM is to obtain the testing sequences from the state transition digraph . There are four general methods of generating testing sequences based on an FSM, namely the transition tour method (T method), the distinguishing sequences method (D method), the characterizing sequences method (W method), and the unique input/output (UIO) sequences method (U method) [30].
is assumed to be the UIO sequence of . exists if and only if the output of under is different from the output of every other state under : (1) The UIO sequence of is represented by UIO( ). UIO sequences are widely used for verifying the current state of an FSM. The state of the FSM can be determined only if there is a UIO sequence for that state.

FSM-Fuzzing for Zigbee.
FSM-fuzzing is a refined fuzzing algorithm for Zigbee based on FSM. The main idea of FSM-fuzzing is making the tested node work in a specific state before injecting a malformed frame into it. The process of FSM-fuzzing is therefore conducted as follows.
(i) Create an FSM for each process of Zigbee [31] and draw the state transition diagram [32]. Each arc of the diagram is treated as a test object. If the sensor successfully achieves the transition, or crashes, under a malformed input, a vulnerability is exposed.
(ii) Obtain the UIO sequence of each state. The malformed input and the UIO sequence of the next state form the testing sequence against one arc. The UIO sequence is used for verifying the current state of the sensor.
(iii) Implement the regression process. Reset the sensor into the previous state so that the next malformed input can be injected into it directly. The regression sequence is also a part of the testing sequence against the transition.
(iv) Generate a set of malformed inputs for the transition with the structure-based algorithm. The set is the negation of the normal inputs.
Table fragment (inputs of state transitions): sending an association request and receiving an ACK and the response of failed association, or waiting for a timeout; Tr 4: sending a disassociation request and receiving an ACK.
Table 3: Set of arcs (columns: Title, Arc).
According to IEEE 802.15.4, the state transitions on the MAC layer of Zigbee can be divided into twelve processes, as shown in Figure 2.
The process of association and disassociation is the simplest among these processes. In this part, it is taken as an example to explain FSM-fuzzing. The process of connection and disconnection is shown in Figure 3.

Creating FSM.
The states of the tested protocol in the process of connection and disconnection are listed in Table 1.
The inputs of the state transitions are shown in Table 2. They are described from the perspective of the testing system. The state transition digraph is shown in Figure 4. The set of arcs is shown in Table 3.

Obtaining UIO Sequence.
The digraph of association and disassociation is simple. Therefore, the UIO sequence of each state can be obtained manually. The shortest UIO sequences are listed in Table 4. A sequence is represented by a 3-tuple: where represents the verified state, represents the final state reached under the unique input, and Tr represents the unique input sequence.
The input subsequence for testing each transition in FSM-fuzzing is shown in Table 5. The transition function is represented by ( , , ; Tr ), where represents the initial state of the tested transition, represents the next state of the tested transition, represents the terminal state reached under the UIO sequence, and Tr represents the type of malformed inputs for the fuzzing test.

Regression Process.
A transition is tested repeatedly with malformed inputs in FSM-fuzzing. Therefore, it is necessary to implement a regression process. Before a new round of fuzzing, the tested sensor is driven from 1 into the initial state of the tested transition. After the round, the tested sensor is driven back into the initial state of the stack, 1 . The whole input regression for each transition is shown in Table 6.

Mutation of Data.
There is a series of filter rules for verifying the legality of frames on the MAC layer of Zigbee. Most of the test cases generated by the structure-based algorithm comply with these rules. Therefore, FSM-fuzzing uses the structure-based algorithm to generate the malformed inputs.
The set of malformed inputs is the negation of the normal inputs. Except for the command type field, all other fields are fuzzed in the structure-based algorithm. The pseudocode for generating malformed Tr 1 is listed in Pseudocode 1.
The pseudocode for generating malformed Tr 2 is listed in Pseudocode 2, and the process for generating malformed Tr 4 in Pseudocode 3.
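As an added illustration of the field negation described above (not the paper's Pseudocode 1-3, which are not reproduced on this page), the following Python models a few header subfields of a MAC command frame with assumed widths and valid domains and enumerates, one subfield at a time, every value a compliant frame may never carry, while the command type stays fixed.

```python
"""Structure-based negation of normal inputs (added illustration, not the
paper's Pseudocode 1-3). The subfield model is constructed: the widths and
valid domains of the header bits are assumed, and the command type is kept
fixed because the tested arc decides it."""

# (subfield, bit width, values a compliant command frame may carry) -- constructed
FIELDS = [
    ("frame_type",    3, {3}),       # 3 = MAC command
    ("security",      1, {0, 1}),
    ("ack_request",   1, {1}),       # commands must be acknowledged
    ("dst_addr_mode", 2, {2, 3}),    # short or extended destination address
    ("src_addr_mode", 2, {3}),       # extended source address
    ("frame_version", 2, {0, 1}),
]

# Constructed normal input for the association-request transition.
NORMAL_ASSOC_REQ = {
    "frame_type": 3, "security": 0, "ack_request": 1,
    "dst_addr_mode": 2, "src_addr_mode": 3, "frame_version": 0,
    "command_type": 0x01,            # association request; never mutated
    "payload": b"",
}


def negate(width, valid):
    """Every value of the given width that a compliant frame never carries."""
    return [v for v in range(1 << width) if v not in valid]


def is_compliant(frame):
    """True when every modelled subfield passes the MAC filter rules."""
    return all(frame[name] in valid for name, _, valid in FIELDS)


def malformed_inputs(normal):
    """Mutation set for one transition: substitute, one subfield at a time,
    every value outside that subfield's valid domain. The other subfields and
    the command type stay as in the normal input, so each case is the
    negation of exactly one filter rule (the set is disjoint from the normal
    inputs) and the sensor's reaction can be attributed to that one rule."""
    cases = []
    for name, width, valid in FIELDS:
        for bad in negate(width, valid):
            case = dict(normal)
            case[name] = bad
            cases.append(case)
    return cases


def case_count(payload_len):
    """The number of cases does not depend on frame length: only header
    subfields are mutated and the payload is carried unchanged, which is why
    the structure-based curve in the performance test stays flat."""
    normal = dict(NORMAL_ASSOC_REQ, payload=bytes(payload_len))
    return len(malformed_inputs(normal))
```

Among the generated cases is exactly one with `dst_addr_mode` 0, i.e. a frame carrying no destination address, which is the class of input the experiment section reports as triggering an abnormal transition.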

ZFSM-Fuzzer
ZFSM-fuzzer is a fuzzing tool for Zigbee that implements FSM-fuzzing. It consists of two parts, as shown in Figure 5: the fuzzing-controller and the fuzzing-executer.
The fuzzing-controller runs on a personal computer (PC). It offers a graphical interface for the user to set the address of the tested node and to start the fuzzing test. It also presents the test results on the interface in a timely manner. The fuzzing-executer runs on a Zigbee sensor. It carries out a test according to the commands from the fuzzing-controller. Another duty of this part is listening to the communications and transporting the packets to the fuzzing-controller for further analysis.

Fuzzing-Controller.
The fuzzing-controller is designed for conveniently controlling the beginning and the end of a fuzzing test. FSM-fuzzing is deployed on it. The testing sequences for fuzzing, including the malformed inputs, are also generated by this module. Therefore, the burden on the fuzzing-executer is reduced and the rate of injecting test cases is improved.
The fuzzing-controller is divided into seven sections. The UI controller is the top module of the fuzzing-controller. It offers the interface for users to configure the parameters of fuzzing, such as the modes of the source address and the destination address, the address of ZFSM-fuzzer, the address of the tested node, and so on. The system also presents the state of the tested node in the last field. The interface of ZFSM-fuzzer is shown in Figure 6.
The packet definer is a text file that describes the protocol rules of Zigbee. The structure of the frames and the flows of communication are both defined in it. Testers create the FSM of Zigbee according to the definer.
The packet generator is the core module of ZFSM-fuzzer. The testing sequences and the values of the subfields of each case are calculated in this part. The type of test and the key parameters of the tested network are obtained from the UI controller.
After producing the test cases, the packet controller informs the serial port controller to send the cases to the fuzzing-executer.
The serial port controller deals with the events of the serial port. It is in charge of transporting the test cases to the Zigbee node. It also receives the packets from a sniffer through another serial port and delivers them to the upper modules.
The responsibility of the packet analyzer is parsing the binary data coming from the serial port according to IEEE 802.15.4.
The parsed results are submitted to the packet decoder. This module picks out the abnormal behavior of the tested network based on the packet definer and generates a test report.

Fuzzing-Executer.
The fuzzing-executer is deployed on the Zigbee nodes. Its function is lightweight thanks to the fuzzing-controller. Its primary responsibility is injecting test cases into the tested sensor.
A module working on the application layer (APL) receives data from the fuzzing-controller. These packets are sent directly to the tested node after the FCS has been set.
Another Zigbee node is also deployed with the fuzzing-executer. This node plays the role of listener in the network. It is set to promiscuous mode and captures the packets in the network. The packets are delivered to the fuzzing-controller through the serial port as well. Figure 7 shows the basic network topology for implementing a fuzzing test with ZFSM-fuzzer.

Topology.
Three Zigbee sensor nodes are needed for implementing the test. One of them is the tested node, and the other two are deployed with ZFSM-fuzzer: one plays the listener and the other the executer. Both communicate with a computer through a serial port. The IEEE addresses of the three nodes are listed in Table 7. The nodes are CC2530 chips produced by Texas Instruments (TI), and the stack employed on the chips is Z-Stack.

Fuzzing Test.
The process of association and disassociation is taken as the tested object. The rules for mutating inputs under each state are described in Table 8. The state transition from 2 to 1 is hard to implement in the experiment. Therefore, the rules of Tr 3 are not included in the table.
The test report of the fuzzing-controller showed four abnormal state transitions in the fuzzing test. All of the malformed inputs in the four rounds led to the state transition from 2 to 3 defined in Figure 4. The details of the four mutations are presented in Table 9. The common point of the four inputs is that they do not include the destination address. Therefore, there may be a vulnerability of Z-Stack in dealing with packets without destination addresses in state 2 .

Performance Test.
Four parameters are used for describing the performance of a fuzzing test: the total number of test cases, the rate of VS-Cases, the redundant rate of test cases, and the valid rate of test cases.
The valid rate of test cases is calculated from the rate of VS-Cases and the redundant rate of test cases. It describes the quality of the cases quantitatively: the higher the valid rate of the algorithm, the higher the quality of the test cases it generates. In this part, the random-based algorithm, the structure-based algorithm, and FSM-fuzzing are compared in these four ways.

The Amount of Testing Cases.
For a long time, reducing the number of cases of the random-based algorithm has been the primary goal of proposing a refined algorithm.
The structure-based algorithm is an example. The key fields such as frame type, addresses, and MAC payload are specified according to the filter rules. The mutated subfield occupies 1 byte in a frame. Therefore, the number of test cases covering all possibilities is small.
FSM-fuzzing is refined from the structure-based algorithm. Therefore, the number of testing sequences is equal to the number in the structure-based algorithm.
For comparison, the number of fuzzing test cases of the three algorithms is recorded separately and shown in Figure 8. The abscissa presents the length of the cases , and the ordinate presents the amount of test cases . The three curves in the figure belong to the three algorithms.
It is obvious that the curve of the random-based algorithm rises exponentially. Its scale of test cases is the largest among the three algorithms. The amount for the structure-based algorithm is fixed as the length increases. The amount for FSM-fuzzing is almost 4 times that of the structure-based algorithm. The multiple is related to the UIO verification and regression processes. Statistical results show that nearly 3 additional inputs are needed in order to inject one malformed case.

The Rate of VS-Cases.
In previous fuzzing tests, the causes of vulnerabilities were hard to locate because the state of the sensors was not within the scope of monitoring. Furthermore, vulnerabilities are often exposed only from a specific preceding state. Therefore, running the fuzzing test against a specific state is a way of locating the causes of vulnerabilities. However, abnormal inputs may drive the sensor into an unknown state. Even if a defect is exposed during a later test, the preceding state of the sensor is then also unknown, which falls back into the earlier problem. The rate of VS-Cases is proposed for describing the valid rate of cases in exposing vulnerabilities. A VS-Case is a case generated under a valid state that is specified by the testers. For example, let 2 be the specified valid state. The purpose of the fuzzing test is to find the vulnerabilities of the sensor in dealing with abnormal inputs under 2 . Only the cases generated under 2 are VS-Cases. Some of the fuzzing cases may make the sensor transfer from 2 to other states; until the sensor returns to 2 , the cases generated by the fuzzer are invalid.
The comparison of the random-based algorithm, the structure-based algorithm, and FSM-fuzzing is shown in Figure 9. The abscissa presents the amount of test cases , and the ordinate presents the amount of VS-Cases VS .
According to the test results, almost 100% of the cases of the random-based algorithm are VS-Cases. The vulnerabilities exposed by this method are analyzed.
After a long period of tests, the probability of a state transition caused by a test case of the structure-based algorithm is 5%. Nearly 15 cases are needed to make the sensor transfer to another state for the first time. For this reason, the curve of the structure-based algorithm is almost a constant equal to 15.
The rate of VS-Cases of FSM-fuzzing is nearly equal to 15%. The malformed cases generated by FSM-fuzzing target the tested state, while the non-VS-Cases consist of UIO cases and regression cases. The result matches the previous experiment result.

Redundant Rate of Testing Cases.
The comparison of the three algorithms is shown in Figure 10. In this coordinate system, the abscissa presents the amount of cases and the ordinate presents the amount of redundant cases .
Almost 100% of the cases generated by the random-based algorithm are redundant. The amount for the structure-based algorithm is the least, because all of the cases generated by this method strictly comply with the filter rules. The redundant rate of FSM-fuzzing is 10% lower than that of the random-based algorithm, for the reason that most of the malformed inputs fail to make the tested sensor transfer from one state to another, and the UIO sequences and regression sequences contribute little. The cases of UIO sequences and regression sequences contribute a lot to increasing the rate of redundant cases.

Valid Rate of Testing Cases.
The valid rate of test cases is a comprehensive parameter for evaluating the quality of the cases generated by a fuzzing algorithm. It is determined by the rate of VS-Cases and the redundant rate of test cases. The formula of the valid rate is Therefore, the number of valid packets is The number of valid packets of the three algorithms is shown in Figure 11. The abscissa presents the amount of cases and the ordinate presents the amount of valid cases .
Although the rate of VS-Cases of the random-based algorithm reaches 100%, its comprehensive valid rate is nearly 0. The efficiency of the random-based algorithm is extremely poor.
The number of valid cases of the structure-based algorithm is a constant equal to 5. No matter how many test cases the fuzzer injects under a specific state, the number of valid cases does not increase. Furthermore, the valid rate decreases as increases. Therefore, the state of the tested sensor has to be changed manually after it has received 5 inputs. The automation of the fuzzing test is reduced, and the efficiency is also negatively affected.
The valid rate of FSM-fuzzing keeps rising as the amount of test cases increases, and the slope of the curve is constant according to the figure. When the number of cases exceeds 240, the amount of valid cases is larger than for the other algorithms. Therefore, the quality of the cases of FSM-fuzzing is the highest among the three algorithms. Overall, the performance of FSM-fuzzing is the best.

Conclusion
In this paper, we propose a scheme, FSM-fuzzing, to generate fuzzing cases based on FSM. The context of the cases and the state transitions of the tested sensor are both taken into account in FSM-fuzzing. It is easy for testers to locate and analyze the vulnerabilities of Zigbee. Meanwhile, the regression process raises the automation level of FSM-based fuzzing. In order to comply with the filter rules of the Zigbee MAC, the malformed inputs are generated by the structure-based algorithm. The methods of generating the testing sequences and the malformed packets are explained using the process of association and disassociation as an example.
The architecture of a fuzzing tool implementing FSM-fuzzing is designed. The testing sequences are generated by the computer so that the burden on the testing node is reduced. From the experiment results, we conclude that there is a vulnerability in Z-Stack in dealing with frames without destination addresses. Thus, FSM-fuzzing is useful for finding defects of Zigbee.
We also proposed four parameters for evaluating the performance of FSM-fuzzing: the amount of fuzzing test cases, the rate of VS-Cases, the redundant rate of cases, and the valid rate of cases. Although the amount of fuzzing test cases of FSM-fuzzing is 4 times that of the structure-based algorithm, the amount of VS-Cases of FSM-fuzzing is larger than that of the structure-based algorithm. The redundant rate of FSM-fuzzing is almost 1.5 times the rate of the structure-based algorithm. Yet the comprehensive results show that the valid rate of FSM-fuzzing is higher than that of the structure-based algorithm when the number of cases is more than 240. Overall, fuzzing that takes the context of the cases into account is more efficient than the structure-based algorithm.
In future work, we will build the FSMs of the other processes and interconnect them, so that the fuzzing test is implemented on the whole FSM of Zigbee. Further deep defects are expected to be found by ZFSM-fuzzer.