Greyhound: Directed Greybox Wi-Fi Fuzzing
IEEE Transactions on Dependable and Secure Computing (IF 7.3). Pub Date: 2020-08-06. DOI: 10.1109/tdsc.2020.3014624
Matheus E. Garbelini (1), Chundong Wang (2), Sudipta Chattopadhyay (1)
The recent rise in complex Wi-Fi vulnerabilities, such as KRACK and Dragonslayer, indicates the critical need for effective Wi-Fi protocol testing tools. In this article, we conceptualize, design and implement a directed fuzzing methodology named Greyhound that automatically tests Wi-Fi client implementations for vulnerabilities such as crashes or non-compliant behaviors. Leveraging a holistic Wi-Fi protocol model, Greyhound directs the fuzzer to specific states of the target Wi-Fi client. By exchanging mutated packets with a Wi-Fi client, Greyhound aims to induce the client to exhibit anomalous behaviors that deviate badly from the Wi-Fi protocols. We have implemented Greyhound and evaluated it on a variety of real-world Wi-Fi clients, including smartphones, a Raspberry Pi, IoT device microcontrollers and a medical device. Our evaluation indicates that Greyhound not only automatically discovers known vulnerabilities (including KRACK and Dragonslayer) that would otherwise require specialized verification, but, more importantly, has also uncovered four new vulnerabilities in popular Wi-Fi client devices. All discovered vulnerabilities have been confirmed by the manufacturers and have been assigned three different Common Vulnerabilities and Exposures (CVE) IDs. We also won a bug bounty of 2,200 USD for discovering these security vulnerabilities. Furthermore, our evaluation of three existing Wi-Fi fuzz testing tools reveals that none of them discovers any of the vulnerabilities (including crashes) uncovered by Greyhound. Last but not least, we have deployed Greyhound to test the Wi-Fi client implementation on automotive head units. Greyhound automatically discovers KRACK, Dragonslayer and other anomalies in these Wi-Fi implementations. Such a real-world try-out justifies the necessity and efficacy of Greyhound.

Updated: 2020-08-06