Integrating Combinatorial Testing with Fuzzing for Zigbee Protocol Implementation
Description
Zigbee stacks are widely deployed in commercial IoT products, yet security and robustness testing remains challenging in practice because of vendor toolchain constraints and subtle cross-field dependencies in Zigbee Cluster Library (ZCL) messages. In a case study on Texas Instruments' Z-Stack, we found that many crashes are constraint-driven: they require specific combinations of several ZCL fields, including conditionally present fields, to pass early validation and reach the vulnerable logic. Existing protocol fuzzers either lack effective feedback-driven prioritization or generate large fractions of invalid or duplicate messages when they mutate dependent fields.
We present CT-BFuzz, an approach that integrates on-demand combinatorial testing (CT) into coverage-guided Zigbee fuzzing under a realistic vendor toolchain environment (Windows + IAR). CT-BFuzz identifies control fields via static analysis, triggers CT only when coverage stagnates, and reconstructs format-correct messages with a lightweight post-generation checker that handles dynamic field dependencies. In 10×24h campaigns on Z-Stack, CT-BFuzz achieved 71.13% statement coverage and 75.91% edge coverage with 10,584 unique messages, and triggered eight distinct crash issues: three matching known CVEs and five previously unreported issues, which we reported to the vendor. Compared to a taint-guided Zigbee fuzzer, CT-BFuzz reduced time-to-first-crash for most issues. We distill practical lessons for controlling combinatorial explosion, handling dynamic field dependencies, and enabling efficient triage in Zigbee fuzzing.
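The abstract names three mechanisms (a combinatorial generator over control fields, a coverage-stagnation trigger, and a post-generation checker for conditional fields) without disclosing how CT-BFuzz implements them. The Python sketch below is an added illustration of those three ideas in miniature, not the paper's or CT-BFuzz's code. It hand-lists the control fields that the paper derives by static analysis, builds a greedy pairwise covering array over them, switches from single-field mutation to CT rows only after a run of executions with no new edges, and rebuilds frames from field rows so that the 2-byte manufacturer code is present exactly when the manufacturer-specific bit is set. The frame-control bit layout follows the public ZCL frame format; the command-id set, the manufacturer code 0x1234, the stall limit and the edge sets in the test are constructed values for the example.

```python
"""Illustrative sketch of on-demand pairwise CT feeding a ZCL frame builder.
Constructed example; not CT-BFuzz's code. Header layout follows the public
ZCL frame format (frame control, optional manufacturer code, seq, command)."""
import itertools
import random
import struct

# ZCL frame-control bits: frame_type (bits 0-1: 0 = global, 1 = cluster-specific),
# manuf (bit 2: manufacturer-specific; when set, a 2-byte LE code follows),
# direction (bit 3), ddr (bit 4: disable default response).
# The command-id set is a constructed sample for this example.
CONTROL_FIELDS = {
    "frame_type": [0, 1],
    "manuf": [0, 1],
    "direction": [0, 1],
    "ddr": [0, 1],
    "cmd": [0x00, 0x01, 0x0A],
}
MANUF_CODE = 0x1234  # constructed placeholder manufacturer code


def pairwise_covering_array(fields):
    """Greedy 2-way covering array: every (field=value, field=value) pair over
    two distinct fields appears in at least one row, using far fewer rows than
    the full cross product. Exhaustive scoring is fine for a few fields."""
    names = list(fields)
    uncovered = {((a, va), (b, vb))
                 for a, b in itertools.combinations(names, 2)
                 for va in fields[a] for vb in fields[b]}

    def hits(row, pair):
        (a, va), (b, vb) = pair
        return row[a] == va and row[b] == vb

    rows = []
    while uncovered:
        best = max((dict(zip(names, c)) for c in itertools.product(*fields.values())),
                   key=lambda r: sum(hits(r, p) for p in uncovered))
        rows.append(best)
        uncovered = {p for p in uncovered if not hits(best, p)}
    return rows


def build_zcl_frame(row, seq=0x2A, payload=b""):
    """Serialise a row into a format-correct ZCL header: the manufacturer code
    is emitted only when the manuf bit is set (the dynamic dependency)."""
    fc = ((row["frame_type"] & 0x03) | (row["manuf"] << 2)
          | (row["direction"] << 3) | (row["ddr"] << 4))
    hdr = bytes([fc])
    if row["manuf"]:
        hdr += struct.pack("<H", MANUF_CODE)
    return hdr + bytes([seq, row["cmd"]]) + payload


def parse_zcl_frame(frame):
    """Post-generation checker: decode the header honouring the conditional
    manufacturer-code field; return None if the frame is too short for it."""
    if len(frame) < 3:
        return None
    fc = frame[0]
    manuf = (fc >> 2) & 1
    pos, code = 1, None
    if manuf:
        if len(frame) < 5:
            return None
        code = struct.unpack_from("<H", frame, 1)[0]
        pos = 3
    return {"frame_type": fc & 0x03, "manuf": manuf, "direction": (fc >> 3) & 1,
            "ddr": (fc >> 4) & 1, "manuf_code": code,
            "seq": frame[pos], "cmd": frame[pos + 1], "payload": frame[pos + 2:]}


class OnDemandCT:
    """Coverage-stagnation trigger: mutate single fields while new edges keep
    arriving; after `stall_limit` rounds with nothing new, drain one pairwise
    covering array over the control fields, then fall back to mutation."""

    def __init__(self, fields, stall_limit=3, seed=0):
        self.fields, self.stall_limit = fields, stall_limit
        self.rng = random.Random(seed)  # deterministic for the example
        self.seen, self.stalled, self.queue = set(), 0, []

    def observe(self, edges):
        """Feed the edge set hit by the last execution; True if any were new."""
        new = set(edges) - self.seen
        self.seen |= new
        self.stalled = 0 if new else self.stalled + 1
        return bool(new)

    def next_row(self, seed_row):
        """("ct", row) when stagnating, else ("mutate", row) with exactly one
        control field changed. Frames are always rebuilt from rows, never
        patched at the byte level, so the manuf-code dependency holds."""
        if self.stalled >= self.stall_limit:
            if not self.queue:
                self.queue = pairwise_covering_array(self.fields)
            row = self.queue.pop(0)
            if not self.queue:  # CT batch drained: return to mutation
                self.stalled = 0
            return "ct", row
        row = dict(seed_row)
        name = self.rng.choice(list(self.fields))
        row[name] = self.rng.choice([v for v in self.fields[name] if v != seed_row[name]])
        return "mutate", row
```

Two points this makes concrete: the five control fields have 48 exhaustive combinations, but a pairwise array covers every two-field interaction in a handful of rows, which is the combinatorial-explosion control the abstract refers to; and flipping the manufacturer-specific bit on the raw bytes of a valid frame, as a blind mutator would, shifts the parser's view of the sequence number and command id by two bytes, whereas rebuilding from the field row keeps the frame well-formed.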
Files
| Name | Size | MD5 |
|---|---|---|
| ct-bfuzz-zenodo-2026.zip | 27.4 MB | 71e6beedd7c6f39ca0c6e6dd351c3c07 |