BLuEMan: A Stateful Simulation-based Fuzzing Framework for Open-Source RTOS Bluetooth Low Energy Protocol Stacks

Wei-Che Kao, Yen-Chia Chen, Yu-Sheng Lin, Yu-Cheng Yang, Chi-Yu Li, and Chun-Ying Huang, National Yang Ming Chiao Tung University

Bluetooth Low Energy (BLE) is a dominant wireless communication technology widely used in low-power, short-range applications. Its broad adoption, together with the security vulnerabilities inherent in certain implementations, has prompted numerous efforts to find flaws in BLE protocol stacks. Despite these efforts, many existing fuzz-testing methods face substantial limitations in scalability and applicability. To address these challenges, we propose BLuEMan, a simulation-based fuzzing framework that integrates a Real-Time Operating System (RTOS) with a software-based physical-layer simulator. BLuEMan executes the actual BLE protocol stack while simulating the interactions between BLE targets. This design provides the scalability needed for rapid testing across many targets while remaining applicable to a wide range of platforms. Our evaluation shows that BLuEMan achieves fuzzing rates up to 18.0 and 162.3 times higher than typical simulation-based and platform-based approaches, respectively. Moreover, BLuEMan has uncovered four new vulnerabilities in BLE protocol stacks, all of which have been reported and assigned CVEs. This approach provides valuable insights into efficient vulnerability discovery for BLE protocol stack developers.

Category: 
Short Presentation


BibTeX
@inproceedings {309702,
author = {Wei-Che Kao and Yen-Chia Chen and Yu-Sheng Lin and Yu-Cheng Yang and Chi-Yu Li and Chun-Ying Huang},
title = {{BLuEMan}: A Stateful Simulation-based Fuzzing Framework for {Open-Source} {RTOS} Bluetooth Low Energy Protocol Stacks},
booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
year = {2025},
isbn = {978-1-939133-52-6},
address = {Seattle, WA},
pages = {6259--6278},
url = {https://www.usenix.org/conference/usenixsecurity25/presentation/kao},
publisher = {USENIX Association},
month = aug
}
