Bluetooth Low Energy (BLE) is a short-range wireless communication technology for resource-constrained IoT devices. Unfortunately, BLE is vulnerable to session-based attacks, where previous packets construct exploitable conditions for subsequent packets to compromise connections. Defending against session-based attacks is challenging because each step in the attack sequence is legitimate when inspected individually. In this paper, we present BlueSWAT, a lightweight state-aware security framework for protecting BLE devices. To perform inspection on the session level rather than individual packets, BlueSWAT leverages a finite state machine (FSM) to monitor sequential actions of connections at runtime. Patterns of session-based attacks are modeled as malicious transition paths in the FSM. To overcome the heterogeneous IoT environment, we develop a lightweight eBPF framework to facilitate universal patch distribution across different BLE architectures and stacks, without requiring device reboot. We implement BlueSWAT on 5 real-world devices with different chips and stacks to demonstrate its cross-device adaptability. On our dataset with 101 real-world BLE vulnerabilities, BlueSWAT can mitigate 76.1% of session-based attacks, outperforming other defense frameworks. In our end-to-end application evaluation, BlueSWAT patches introduce an average of 0.073% memory overhead and negligible latency.
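To make the session-level idea concrete, the following is an added toy example (not BlueSWAT's code, and not its actual rule set): a per-connection finite state machine whose legitimate transitions are enumerated, plus a "malicious transition path" declared as an ordered sequence of (state, event) steps. The state names, event names, the pattern itself and the sample sessions are all constructed for illustration. A packet that is illegal for the current state is dropped as a single-packet violation; a packet that is legal on its own but would complete a declared malicious path is dropped without advancing the state, which is the session-level check that per-packet filtering cannot express.

```python
"""Toy session-aware BLE connection monitor (added example, constructed names).

Each event is legitimate when inspected alone; the monitor only blocks a
packet when the *sequence* of transitions it would complete matches a
declared malicious path. Nothing here is BlueSWAT's real policy.
"""
from dataclasses import dataclass, field

# Hypothetical per-connection states and legitimate transitions (constructed).
# (current_state, event) -> next_state. Anything not listed is a protocol
# violation for that state and is dropped on sight.
TRANSITIONS = {
    ("IDLE", "CONNECT"): "CONNECTED",
    ("CONNECTED", "PAIR_REQ"): "PAIRING",
    ("PAIRING", "PAIR_OK"): "ENCRYPTED",
    ("PAIRING", "PAIR_FAIL"): "CONNECTED",
    ("CONNECTED", "DATA"): "CONNECTED",
    ("ENCRYPTED", "DATA"): "ENCRYPTED",
    ("CONNECTED", "DISCONNECT"): "IDLE",
    ("ENCRYPTED", "DISCONNECT"): "IDLE",
}

# A malicious transition path: an ordered (not necessarily contiguous)
# sequence of (state, event) steps within one session. This particular
# pattern is constructed for the example and is not a documented attack.
MALICIOUS_PATHS = {
    "pair-fail-then-plaintext": [
        ("PAIRING", "PAIR_FAIL"),
        ("PAIRING", "PAIR_FAIL"),
        ("CONNECTED", "DATA"),
    ],
}


def is_subsequence(pattern, path):
    """True if every step of `pattern` appears in `path` in order."""
    it = iter(path)
    return all(step in it for step in pattern)


@dataclass
class SessionMonitor:
    state: str = "IDLE"
    path: list = field(default_factory=list)    # committed (state, event) history
    alerts: list = field(default_factory=list)  # human-readable verdicts
    blocked: int = 0                            # packets dropped by the monitor

    def feed(self, event: str) -> bool:
        """Process one event; return True if it is allowed to take effect."""
        key = (self.state, event)
        if key not in TRANSITIONS:
            # Single-packet violation: illegal in the current state.
            self.alerts.append(f"drop: {event} not allowed in {self.state}")
            self.blocked += 1
            return False
        candidate = self.path + [key]
        for name, pattern in MALICIOUS_PATHS.items():
            if is_subsequence(pattern, candidate):
                # Session-level violation: the packet is legal by itself but
                # completes a malicious path, so it is dropped and the FSM
                # stays where it is.
                self.alerts.append(f"drop: session pattern {name}")
                self.blocked += 1
                return False
        self.path = candidate
        self.state = TRANSITIONS[key]
        return True


def run_session(events):
    """Replay a constructed event sequence; return (final_state, alerts, blocked)."""
    mon = SessionMonitor()
    for ev in events:
        mon.feed(ev)
    return mon.state, mon.alerts, mon.blocked


if __name__ == "__main__":
    benign = ["CONNECT", "PAIR_REQ", "PAIR_OK", "DATA", "DISCONNECT"]
    suspicious = ["CONNECT", "PAIR_REQ", "PAIR_FAIL", "PAIR_REQ", "PAIR_FAIL", "DATA"]
    print(run_session(benign))
    print(run_session(suspicious))
```

In the suspicious session every packet is individually valid for its state, so a per-packet filter passes all of them; only the FSM's history lets the final `DATA` be refused. A real deployment would also need a bound on `path` length per connection, which is the kind of memory constraint the paper's overhead numbers refer to.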