
ThreadFuzzer: Fuzzing Framework for Thread Protocol

Ilja Siroš, Jakob Heirwegh, Dave Singelée, Bart Preneel

TL;DR

ThreadFuzzer provides the first dedicated fuzzing framework for the Thread protocol by intercepting and mutating MLE-layer packets, enabling fuzzing of both virtual OpenThread nodes and real Thread devices. It combines CovFuzz-inspired Random and Coverage-based fuzzers with a novel TLV Inserter to handle TLV-structured MLE messages, achieving multiple vulnerability findings in OpenThread and reproductions on commercial devices. The framework is evaluated against OpenThread simulations and extended AFL++-based harnesses, showing strong effectiveness in black-box testing and highlighting the practical challenges of fuzzing wireless protocols in embedded hardware. The results demonstrate the framework's utility for proactive security testing in Thread/Matter ecosystems while outlining limitations and future work, including deeper cross-layer fuzzing and reduced sensitivity to repeated crashes.

Abstract

With the rapid growth of IoT, secure and efficient mesh networking has become essential. Thread has emerged as a key protocol, widely used in smart-home and commercial systems, and serving as a core transport layer in the Matter standard. This paper presents ThreadFuzzer, the first dedicated fuzzing framework for systematically testing Thread protocol implementations. By manipulating packets at the MLE layer, ThreadFuzzer enables fuzzing of both virtual OpenThread nodes and physical Thread devices. The framework incorporates multiple fuzzing strategies, including Random and Coverage-based fuzzers from CovFuzz, as well as a newly introduced TLV Inserter, designed specifically for TLV-structured MLE messages. These strategies are evaluated on the OpenThread stack using code-coverage and vulnerability-discovery metrics. The evaluation uncovered five previously unknown vulnerabilities in the OpenThread stack, several of which were successfully reproduced on commercial devices that rely on OpenThread. Moreover, ThreadFuzzer was benchmarked against an oracle AFL++ setup using the manually extended OSS-Fuzz harness from OpenThread, demonstrating strong effectiveness. These results demonstrate the practical utility of ThreadFuzzer while highlighting challenges and future directions in the wireless protocol fuzzing research space.
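The abstract describes MLE messages as TLV-structured and a TLV Inserter that adds whole TLVs to them. The following is an added illustration, not the paper's or OpenThread's code: a parser/serializer for the MLE TLV layout (1-byte type, 1-byte length, with 0xFF escaping to a 2-byte extended length, as in OpenThread's Tlv class) and a simplified insertion mutation that keeps the payload well-formed. The `insert_tlv` policy, the sample payload and the `mutate_with_seed` helper are assumptions of this example, not ThreadFuzzer's actual algorithm.

```python
import random
from typing import List, Tuple

# MLE TLV layout: 1-byte type, 1-byte length, then the value. A length byte
# of 0xFF escapes to a 2-byte big-endian extended length (OpenThread's Tlv).
EXTENDED_LENGTH = 0xFF
# A few MLE TLV type codes from the Thread specification.
MODE, TIMEOUT, CHALLENGE = 1, 2, 3

def parse_tlvs(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split a decrypted MLE payload into (type, value) pairs; raise on truncation."""
    tlvs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated TLV header")
        typ, length = payload[i], payload[i + 1]
        i += 2
        if length == EXTENDED_LENGTH:
            if i + 2 > len(payload):
                raise ValueError("truncated extended length")
            length = int.from_bytes(payload[i:i + 2], "big")
            i += 2
        if i + length > len(payload):
            raise ValueError("TLV value runs past end of payload")
        tlvs.append((typ, payload[i:i + length]))
        i += length
    return tlvs

def serialize_tlvs(tlvs: List[Tuple[int, bytes]]) -> bytes:
    """Encode (type, value) pairs, using the extended form for values >= 255 bytes."""
    out = bytearray()
    for typ, value in tlvs:
        out.append(typ)
        if len(value) >= EXTENDED_LENGTH:
            out.append(EXTENDED_LENGTH)
            out += len(value).to_bytes(2, "big")
        else:
            out.append(len(value))
        out += value
    return bytes(out)

def insert_tlv(payload: bytes, rng: random.Random, max_len: int = 300) -> bytes:
    """Assumed TLV-inserter style mutation: add one well-formed TLV at a random spot."""
    tlvs = parse_tlvs(payload)
    new = (rng.randrange(256), rng.randbytes(rng.randrange(max_len + 1)))
    tlvs.insert(rng.randrange(len(tlvs) + 1), new)
    return serialize_tlvs(tlvs)

def mutate_with_seed(payload: bytes, seed: int) -> bytes:
    """Deterministic wrapper so a crashing input can be reproduced from its seed."""
    return insert_tlv(payload, random.Random(seed))

# Constructed sample payload (not a real capture): Mode, Challenge and Timeout TLVs.
SAMPLE = bytes([MODE, 1, 0x0F, CHALLENGE, 4, 0xDE, 0xAD, 0xBE, 0xEF, TIMEOUT, 4, 0, 0, 0, 0xF0])
```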

Paper Structure

This paper contains 47 sections, 5 equations, 5 figures, 4 tables, 4 algorithms.

Figures (5)

  • Figure 1: The illustration of the ThreadFuzzer. The steps shown in the figure outline the fuzzing flow for one packet. The figure is adapted from CovFuzz.
  • Figure 2: Comparison of Random and Coverage-based Grey-box fuzzers from CovFuzz.
  • Figure 3: Comparison of Random and Coverage-based Black-box fuzzers from CovFuzz.
  • Figure 4: Comparison of Random fuzzer and TLV inserter.
  • Figure 5: Comparison of fuzzers on the OT-MTD target.