Integrating Combinatorial Testing with Fuzzing for Zigbee Protocol Implementation

Zigbee wireless protocol has become a widely adopted standard in smart environments due to its resource efficiency. However, Zigbee implementations have repeatedly suffered from security issues, motivating researchers to design techniques for detecting such vulnerabilities. Coverage-guided fuzzing has emerged as an effective solution, successfully exposing hidden flaws in Zigbee stacks. Yet, existing fuzzers often overlook critical combinations of message field values, which can trigger subtle execution failures and vulnerabilities.

To address this gap, we present a hybrid technique that integrates Combinatorial Testing (CT) with fuzzing to improve vulnerability detection in Zigbee protocol implementations. Our approach leverages CT to systematically explore critical combinations of protocol field values, while fuzzing dynamically reduces the input space and constructs test models. This synergy allows for efficient exploration of complex input conditions that traditional fuzzing fails to uncover.

We implement a prototype, called CT-BFuzz, and evaluate it on Z-Stack, a widely used Zigbee protocol implementation. Compared with state-of-the-art fuzzing tools, CT-BFuzz demonstrates significant improvements in both fuzzing efficiency and vulnerability detection. Specifically, CT-BFuzz achieves higher code coverage with fewer test cases, generates new categories of test inputs that expose unique flaws, and identifies vulnerabilities more quickly. Our evaluation further revealed two previously undiscovered crashes in Z-Stack, underscoring the practical effectiveness of our approach.

We have released CT-BFuzz’s source code to facilitate reproduction, replication, and reuse in this repository. For installation and more details, please check the README file in the package.