A Formal Analysis of Bluetooth Mesh Provisioning Protocol
Authors: Min Shi; Jing Chen; Haoran Zhao; Kun He; Ruiying Du
Journal: IEEE Internet of Things Journal, vol. 12, no. 15, pp. 29884-29896
Publication date: 2025-03-12
Publication type: Journal Article
DOI: 10.1109/JIOT.2025.3569262
URL: https://ieeexplore.ieee.org/document/11002539/
Impact factor: 8.9; JCR: Q1 (Computer Science, Information Systems)
Bluetooth mesh (BM) is a wireless mesh networking technology based on Bluetooth Low Energy, where new devices need to be provisioned to join an existing network. Currently, security research on the BM provisioning protocol primarily focuses on the manual analysis of potential vulnerabilities, while existing formal models are too simplistic to capture all the attacks present in the protocol. In this article, we utilize Tamarin Prover to conduct a comprehensive formal analysis of the BM provisioning protocol. Our model encompasses all phases of the protocol from beaconing to data distribution, and includes the modeling of all public key exchanges and authentication methods specified in the BM specification. Additionally, we accurately model the AES-CMAC primitive used in the protocol, with the help of deconstruction rules and built-in message theories in Tamarin. This AES-CMAC model enables the analysis of subtle behaviors that were previously beyond the scope of symbolic analysis. Our model successfully reproduces reflection and primitive misuse attacks found in previous studies and identifies two new vulnerabilities. We propose countermeasures for the aforementioned attacks and extend our provisioning model to verify the effectiveness of these countermeasures.
About the journal:
The IEEE Internet of Things (IoT) Journal publishes articles and review articles covering various aspects of IoT, including IoT system architecture, IoT enabling technologies, IoT communication and networking protocols such as network coding, and IoT services and applications. Topics encompass IoT's impacts on sensor technologies, big data management, and future internet design for applications like smart cities and smart homes. Fields of interest include IoT architecture such as things-centric, data-centric, service-oriented IoT architecture; IoT enabling technologies and systematic integration such as sensor technologies, big sensor data management, and future Internet design for IoT; IoT services, applications, and test-beds such as IoT service middleware, IoT application programming interface (API), IoT application design, and IoT trials/experiments; IoT standardization activities and technology development in different standard development organizations (SDO) such as IEEE, IETF, ITU, 3GPP, ETSI, etc.