This repository contains the artifact for BlueSWAT, a Bluetooth security framework for IoT devices based on eBPF. For more information about BlueSWAT, please consult our paper "BlueSWAT: A Lightweight State-Aware Security Framework for Bluetooth Low Energy" (To appear in CCS 2024).
BlueSWAT is tested under Ubuntu 20.04 on WSL2. This artifact contains implementations on two embedded OSes with open-source BLE stacks, i.e., ZephyrOS and MynewtOS. Both are tested on the Nordic nRF52840 Development Kit.
To flash the board over USB from WSL2, please install usbipd. In addition, install the SEGGER J-Link Software and Documentation Pack.
Download our code together with the required MynewtOS submodules:
```sh
git clone --recursive https://github.com/RayCxggg/BlueSWAT-Artifact.git
```
In a Windows shell, connect the board and attach it to WSL2:
```sh
usbipd list
usbipd bind --busid <busid>
usbipd attach --wsl --busid <busid>
```
We use ZephyrOS v2.2.0 for vulnerability reproduction.
Please follow STEP ONE and STEP TWO in the doc to install the dependencies.
Install the needed Python packages:
```sh
pip3 install --user -r ~/BlueSWAT/ZephyrOS/zephyr/scripts/requirements.txt
```
Install the Zephyr Software Development Toolchain:
```sh
cd ~
wget https://github.com/zephyrproject-rtos/sdk-ng/releases/download/v0.11.2/zephyr-sdk-0.11.2-setup.run
chmod +x zephyr-sdk-0.11.2-setup.run
./zephyr-sdk-0.11.2-setup.run -- -d ~/SDK/zephyr-sdk-0.11.2
rm zephyr-sdk-0.11.2-setup.run
```
Set the build environment variables:
```sh
cd BlueSWAT/ZephyrOS/zephyr
source zephyr-env.sh
```
Now, build the BLE peripheral application for the Nordic nRF52840 DK:
```sh
cd BlueSWAT/ZephyrOS
source scripts/config.sh
source scripts/build.sh
```
Everything is set up! Flash the board:
```sh
source scripts/flash.sh
```
You can use minicom to monitor the output:
```sh
sudo minicom -D /dev/ttyACM0
```
Follow the native installation instructions in the doc to install the dependencies.
Now, build the bootloader and BLE targets:
```sh
cd BlueSWAT/Mynewt
newt build nrf52_boot
newt build peripheral
```
Run the `newt create-image` command to create and sign the application image. You may assign an arbitrary version (e.g. 1.0.0) to the image:
```sh
newt create-image peripheral 1.0.0
```
Connect a micro-USB cable from your computer to the micro-USB port on the nRF52-DK board.
Then, load the bootloader and the BLE application image onto the board:
```sh
newt load nrf52_boot
newt load peripheral
```
You can use minicom to monitor the output:
```sh
sudo minicom -D /dev/ttyACM0
```
Here we use CVE-2020-10069 as a test case.
We use an nRF52840 dongle running SweynTooth to reproduce the attack. Follow the doc to build and flash the SweynTooth firmware to the dongle, then launch the Invalid Channel Map attack against the victim (i.e. the nRF52840 DK).
With the original, vulnerable Zephyr v2.2.0 BLE stack, the stack crashes once the attack is launched. With BlueSWAT, the attack packets are detected and dropped.
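To make the detection step concrete, the following is an added example (not code from the BlueSWAT artifact, and not its eBPF rule format) of the kind of validity check a packet filter can apply to an incoming LL_CHANNEL_MAP_IND before the stack consumes it: it drops maps that set the reserved bits or enable fewer than the two data channels the BLE Core specification requires. The PDU layout constants and the sample packets are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed LL_CHANNEL_MAP_IND payload: opcode 0x01, ChM (5 bytes, channel 0 in
 * the LSB of byte 0), Instant (2 bytes, little-endian). */
#define LL_CHANNEL_MAP_IND_OPCODE 0x01
#define CHM_LEN 5
#define CHAN_MAP_IND_LEN (1 + CHM_LEN + 2)
#define BLE_DATA_CHANNELS 37     /* data channels 0..36 */
#define BLE_MIN_USED_CHANNELS 2  /* minimum the BLE Core spec requires */

struct chan_map_ind { uint8_t chm[CHM_LEN]; uint16_t instant; };

/* Parse the PDU into a struct; false on wrong length or opcode. */
bool parse_chan_map_ind(const uint8_t *pdu, size_t len, struct chan_map_ind *out)
{
    if (len != CHAN_MAP_IND_LEN || pdu[0] != LL_CHANNEL_MAP_IND_OPCODE)
        return false;
    memcpy(out->chm, pdu + 1, CHM_LEN);
    out->instant = (uint16_t)pdu[6] | ((uint16_t)pdu[7] << 8);
    return true;
}

/* Number of data channels (bits 0..36) marked as used. */
int chan_map_used_count(const uint8_t chm[CHM_LEN])
{
    int used = 0;
    for (int ch = 0; ch < BLE_DATA_CHANNELS; ch++)
        used += (chm[ch / 8] >> (ch % 8)) & 1;
    return used;
}

/* Valid when reserved bits 37..39 are clear and enough channels are used;
 * a map that enables no channel at all fails the second test. */
bool chan_map_is_valid(const uint8_t chm[CHM_LEN])
{
    if (chm[4] & 0xE0)
        return false;
    return chan_map_used_count(chm) >= BLE_MIN_USED_CHANNELS;
}

/* Filter verdict for a received PDU: true = pass to the stack, false = drop. */
bool filter_chan_map_ind(const uint8_t *pdu, size_t len)
{
    struct chan_map_ind ind;
    return parse_chan_map_ind(pdu, len, &ind) && chan_map_is_valid(ind.chm);
}
```

A stateful framework would additionally compare the Instant against the current connection event counter, which this stateless check does not do.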
If you are interested in using our work for academic research, please cite the paper:
```bibtex
@article{che2024blueswat,
  title={BlueSWAT: A Lightweight State-Aware Security Framework for Bluetooth Low Energy},
  author={Che, Xijia and He, Yi and Feng, Xuewei and Sun, Kun and Xu, Ke and Li, Qi},
  journal={arXiv preprint arXiv:2405.17987},
  year={2024}
}
```