{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,20]],"date-time":"2026-04-20T10:26:19Z","timestamp":1776680779144,"version":"3.51.2"},"publisher-location":"Cham","reference-count":40,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783031067723","type":"print"},{"value":"9783031067730","type":"electronic"}],"license":[{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022]]},"DOI":"10.1007\/978-3-031-06773-0_20","type":"book-chapter","created":{"date-parts":[[2022,5,19]],"date-time":"2022-05-19T11:24:44Z","timestamp":1652959484000},"page":"373-392","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":16,"title":["Stateful Black-Box Fuzzing of\u00a0Bluetooth Devices Using Automata Learning"],"prefix":"10.1007","author":[{"given":"Andrea","family":"Pferscher","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3484-5584","authenticated-orcid":false,"given":"Bernhard K.","family":"Aichernig","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2022,5,20]]},"reference":[{"key":"20_CR1","doi-asserted-by":"publisher","unstructured":"Aarts, F., Jonsson, B., Uijen, J., Vaandrager, F.W.: Generating models of infinite-state communication protocols using regular inference with abstraction. Formal Methods Syst. Des. 46(1), 1\u201341 (2015). https:\/\/doi.org\/10.1007\/s10703-014-0216-x","DOI":"10.1007\/s10703-014-0216-x"},{"key":"20_CR2","doi-asserted-by":"publisher","unstructured":"Aichernig, B.K., Mu\u0161kardin, E., Pferscher, A.: Learning-based fuzzing of IoT message brokers. In: 14th IEEE Conference on Software Testing, Verification and Validation, ICST 2021, Porto de Galinhas, Brazil, 12\u201316 April 2021, pp. 47\u201358. IEEE (2021). https:\/\/doi.org\/10.1109\/ICST49551.2021.00017","DOI":"10.1109\/ICST49551.2021.00017"},{"issue":"2","key":"20_CR3","doi-asserted-by":"publisher","first-page":"87","DOI":"10.1016\/0890-5401(87)90052-6","volume":"75","author":"D Angluin","year":"1987","unstructured":"Angluin, D.: Learning regular sets from queries and counterexamples. Inf. Comput. 75(2), 87\u2013106 (1987). https:\/\/doi.org\/10.1016\/0890-5401(87)90052-6","journal-title":"Inf. Comput."},{"key":"20_CR4","doi-asserted-by":"publisher","unstructured":"Antonioli, D., Tippenhauer, N.O., Rasmussen, K.: Key negotiation downgrade attacks on Bluetooth and Bluetooth Low Energy. ACM Trans. Priv. Secur. 23(3), 14:1\u201314:28 (2020). https:\/\/doi.org\/10.1145\/3394497","DOI":"10.1145\/3394497"},{"key":"20_CR5","doi-asserted-by":"publisher","unstructured":"Banks, G., Cova, M., Felmetsger, V., Almeroth, K.C., Kemmerer, R.A., Vigna, G.: SNOOZE: Toward a stateful network protocol fuzzer. In: Katsikas, S.K., L\u00f3pez, J., Backes, M., Gritzalis, S., Preneel, B. (eds.) Information Security, 9th International Conference, ISC 2006, Samos Island, Greece, 30 August\u20132 September 2006, Proceedings. Lecture Notes in Computer Science, vol. 4176, pp. 343\u2013358. Springer (2006). https:\/\/doi.org\/10.1007\/11836810_25","DOI":"10.1007\/11836810_25"},{"key":"20_CR6","unstructured":"Bluetooth SIG: Bluetooth core specification v5.3. Standard (2021). https:\/\/www.bluetooth.com\/specifications\/specs\/core-specification\/"},{"key":"20_CR7","doi-asserted-by":"publisher","unstructured":"B\u00f6hme, M., Cadar, C., Roychoudhury, A.: Fuzzing: Challenges and reflections. IEEE Softw. 38(3), 79\u201386 (2021). https:\/\/doi.org\/10.1109\/MS.2020.3016773","DOI":"10.1109\/MS.2020.3016773"},{"key":"20_CR8","unstructured":"Capkun, S., Roesner, F. (eds.): 29th USENIX Security Symposium, USENIX Security 2020, 12\u201314 August 2020. USENIX Association (2020). https:\/\/www.usenix.org\/conference\/usenixsecurity20"},{"key":"20_CR9","doi-asserted-by":"publisher","unstructured":"Chow, T.S.: Testing software design modeled by finite-state machines. IEEE Trans. Software Eng. 4(3), 178\u2013187 (1978). https:\/\/doi.org\/10.1109\/TSE.1978.231496","DOI":"10.1109\/TSE.1978.231496"},{"key":"20_CR10","doi-asserted-by":"publisher","unstructured":"Comparetti, P.M., Wondracek, G., Kr\u00fcgel, C., Kirda, E.: Prospex: Protocol specification extraction. In: 30th IEEE Symposium on Security and Privacy (S&P 2009), 17\u201320 May 2009, Oakland, California, USA, pp. 110\u2013125. IEEE Computer Society (2009). https:\/\/doi.org\/10.1109\/SP.2009.14","DOI":"10.1109\/SP.2009.14"},{"key":"20_CR11","doi-asserted-by":"publisher","unstructured":"Daniel, L., Poll, E., de Ruiter, J.: Inferring OpenVPN state machines using protocol state fuzzing. In: 2018 IEEE European Symposium on Security and Privacy Workshops, EuroS&P Workshops 2018, London, United Kingdom, 23\u201327 April 2018, pp. 11\u201319. IEEE (2018). https:\/\/doi.org\/10.1109\/EuroSPW.2018.00009","DOI":"10.1109\/EuroSPW.2018.00009"},{"key":"20_CR12","unstructured":"Doup\u00e9, A., Cavedon, L., Kruegel, C., Vigna, G.: Enemy of the state: A state-aware black-box web vulnerability scanner. In: Kohno, T. (ed.) Proceedings of the 21th USENIX Security Symposium, Bellevue, WA, USA, 8\u201310 August 2012, pp. 523\u2013538. USENIX Association (2012). https:\/\/www.usenix.org\/conference\/usenixsecurity12\/technical-sessions\/presentation\/doupe"},{"key":"20_CR13","doi-asserted-by":"publisher","unstructured":"Fiterau-Brostean, P., Janssen, R., Vaandrager, F.W.: Combining model learning and model checking to analyze TCP implementations. In: Chaudhuri, S., Farzan, A. (eds.) Computer Aided Verification - 28th International Conference, CAV 2016, Toronto, ON, Canada, July 17\u201323, 2016, Proceedings, Part II. Lecture Notes in Computer Science, vol. 9780, pp. 454\u2013471. Springer (2016). https:\/\/doi.org\/10.1007\/978-3-319-41540-6_25","DOI":"10.1007\/978-3-319-41540-6_25"},{"key":"20_CR14","unstructured":"Fiterau-Brostean, P., Jonsson, B., Merget, R., de Ruiter, J., Sagonas, K., Somorovsky, J.: Analysis of DTLS implementations using protocol state fuzzing. In: Capkun and Roesner [8], pp. 2523\u20132540. https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/fiterau-brostean"},{"key":"20_CR15","doi-asserted-by":"publisher","unstructured":"Fiterau-Brostean, P., Lenaerts, T., Poll, E., de Ruiter, J., Vaandrager, F.W., Verleg, P.: Model learning and model checking of SSH implementations. In: Erdogmus, H., Havelund, K. (eds.) Proceedings of the 24th ACM SIGSOFT International SPIN Symposium on Model Checking of Software, Santa Barbara, CA, USA, 10\u201314 July 2017, pp. 142\u2013151. ACM (2017). https:\/\/doi.org\/10.1145\/3092282.3092289","DOI":"10.1145\/3092282.3092289"},{"key":"20_CR16","unstructured":"Garbelini, M.E., Chattopadhyay, S., Bedi, V., Sun, S., Kurniawan, E.: BRAKTOOTH: Causing havoc on Bluetooth link manager. https:\/\/asset-group.github.io\/disclosures\/braktooth\/braktooth.pdf (2021). Accessed 8 Jan 2022"},{"key":"20_CR17","unstructured":"Garbelini, M.E., Wang, C., Chattopadhyay, S., Sun, S., Kurniawan, E.: SweynTooth: Unleashing mayhem over Bluetooth Low Energy. In: Gavrilovska, A., Zadok, E. (eds.) 2020 USENIX Annual Technical Conference, USENIX ATC 2020, 15\u201317 July 2020, pp. 911\u2013925. USENIX Association (2020). https:\/\/www.usenix.org\/conference\/atc20\/presentation\/garbelini"},{"key":"20_CR18","unstructured":"Gitlab.org: Gitlab protocol fuzzer community edition. https:\/\/gitlab.com\/gitlab-org\/security-products\/protocol-fuzzer-ce. Accessed 8 Jan 2022"},{"key":"20_CR19","doi-asserted-by":"publisher","unstructured":"Godefroid, P., Levin, M.Y., Molnar, D.A.: SAGE: Whitebox fuzzing for security testing. ACM Queue 10(1), 20 (2012). https:\/\/doi.org\/10.1145\/2090147.2094081","DOI":"10.1145\/2090147.2094081"},{"key":"20_CR20","doi-asserted-by":"publisher","unstructured":"Johansson, W., Svensson, M., Larson, U.E., Almgren, M., Gulisano, V.: T-Fuzz: Model-based fuzzing for robustness testing of telecommunication protocols. In: Seventh IEEE International Conference on Software Testing, Verification and Validation, ICST 2014, 31 March 2014\u20134 April 2014, Cleveland, Ohio, USA, pp. 323\u2013332. IEEE Computer Society (2014). https:\/\/doi.org\/10.1109\/ICST.2014.45","DOI":"10.1109\/ICST.2014.45"},{"key":"20_CR21","doi-asserted-by":"crossref","unstructured":"Le, K.T.: Bluetooth Low Energy and the automotive transformation. https:\/\/www.ti.com\/lit\/wp\/sway008\/sway008.pdf. Accessed 29 Dec 2021","DOI":"10.1007\/978-1-4842-6658-8_2"},{"key":"20_CR22","doi-asserted-by":"publisher","unstructured":"Miller, B.P., Fredriksen, L., So, B.: An empirical study of the reliability of UNIX utilities. Commun. ACM 33(12), 32\u201344 (1990). https:\/\/doi.org\/10.1145\/96267.96279","DOI":"10.1145\/96267.96279"},{"key":"20_CR23","doi-asserted-by":"publisher","unstructured":"Mu\u0161kardin, E., Aichernig, B.K., Pill, I., Pferscher, A., Tappler, M.: AALpy: An active automata learning library. Innovations Syst. Softw. Eng. (2022). https:\/\/doi.org\/10.1007\/s11334-022-00449-3","DOI":"10.1007\/s11334-022-00449-3"},{"key":"20_CR24","unstructured":"Pereyda, J.: boofuzz: Network protocol fuzzing for humans. https:\/\/github.com\/jtpereyda\/boofuzz. Accessed 8 Jan 2022"},{"key":"20_CR25","doi-asserted-by":"crossref","unstructured":"Pferscher, A.: Stateful black-box fuzzing of BLE devices using automata learning. https:\/\/git.ist.tugraz.at\/apferscher\/ble-fuzzing. Accessed 9 Jan 2022","DOI":"10.1007\/978-3-031-06773-0_20"},{"key":"20_CR26","doi-asserted-by":"publisher","unstructured":"Pferscher, A., Aichernig, B.K.: Fingerprinting Bluetooth Low Energy devices via active automata learning. In: Huisman, M., Pasareanu, C.S., Zhan, N. (eds.) Formal Methods - 24th International Symposium, FM 2021, Virtual Event, 20\u201326 November 2021, Proceedings. Lecture Notes in Computer Science, vol. 13047, pp. 524\u2013542. Springer (2021). https:\/\/doi.org\/10.1007\/978-3-030-90870-6_28","DOI":"10.1007\/978-3-030-90870-6_28"},{"key":"20_CR27","unstructured":"Rasool, A., Alp\u00e1r, G., de Ruiter, J.: State machine inference of QUIC. CoRR abs\/1903.04384 (2019). http:\/\/arxiv.org\/abs\/1903.04384"},{"key":"20_CR28","doi-asserted-by":"publisher","unstructured":"Rivest, R.L., Schapire, R.E.: Inference of finite automata using homing sequences. Inf. Comput. 103(2), 299\u2013347 (1993). https:\/\/doi.org\/10.1006\/inco.1993.1021","DOI":"10.1006\/inco.1993.1021"},{"key":"20_CR29","unstructured":"Ruge, J., Classen, J., Gringoli, F., Hollick, M.: Frankenstein: Advanced wireless fuzzing to exploit new Bluetooth escalation targets. In: Capkun and Roesner [8], pp. 19\u201336. https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/ruge"},{"key":"20_CR30","unstructured":"de Ruiter, J., Poll, E.: Protocol state fuzzing of TLS implementations. In: Jung, J., Holz, T. (eds.) 24th USENIX Security Symposium, USENIX Security 15, 12\u201314 August 2015, Washington, D.C., USA, pp. 193\u2013206. USENIX Association (2015). https:\/\/www.usenix.org\/conference\/usenixsecurity15\/technical-sessions\/presentation\/de-ruiter"},{"key":"20_CR31","doi-asserted-by":"publisher","unstructured":"Rohith Raj, S., Rohith, R., Moharir, M., Shobha, G.: SCAPY - A powerful interactive packet manipulation program. In: 2018 International Conference on Networking, Embedded and Wireless Systems (ICNEWS), pp. 1\u20135 (2018). https:\/\/doi.org\/10.1109\/ICNEWS.2018.8903954","DOI":"10.1109\/ICNEWS.2018.8903954"},{"key":"20_CR32","unstructured":"Seri, B., Livne, A.: Exploiting BlueBorne in Linux-based IoT devices. Armis, Inc (2019). https:\/\/www.armis.com\/research\/blueborne\/. Accessed 8 Jan 2022"},{"key":"20_CR33","unstructured":"Seri, B., Vishnepolsky, G., Zusman, D.: BLEEDINGBIT: The hidden attack surface within BLE chips. Armis, Inc (2019). https:\/\/www.armis.com\/research\/bleedingbit\/. Accessed 8 Jan 2022"},{"key":"20_CR34","doi-asserted-by":"publisher","unstructured":"Shahbaz, M., Groz, R.: Inferring Mealy machines. In: Cavalcanti, A., Dams, D. (eds.) FM 2009, Eindhoven, The Netherlands, 2\u20136 November 2009. Proceedings. Lecture Notes in Computer Science, vol. 5850, pp. 207\u2013222. Springer (2009). https:\/\/doi.org\/10.1007\/978-3-642-05089-3_14, https:\/\/doi.org\/10.1007\/978-3-642-05089-3","DOI":"10.1007\/978-3-642-05089-3_14"},{"key":"20_CR35","unstructured":"Smetsers, R., Moerman, J., Janssen, M., Verwer, S.: Complementing model learning with mutation-based fuzzing. CoRR abs\/1611.02429 (2016). http:\/\/arxiv.org\/abs\/1611.02429"},{"key":"20_CR36","doi-asserted-by":"publisher","unstructured":"Stone, C.M., Chothia, T., de Ruiter, J.: Extending automated protocol state learning for the 802.11 4-way handshake. In: L\u00f3pez, J., Zhou, J., Soriano, M. (eds.) Computer Security - 23rd European Symposium on Research in Computer Security, ESORICS 2018, 3\u20137 September 2018, Barcelona, Spain, Proceedings, Part I. Lecture Notes in Computer Science, vol. 11098, pp. 325\u2013345. Springer (2018). https:\/\/doi.org\/10.1007\/978-3-319-99073-6_16","DOI":"10.1007\/978-3-319-99073-6_16"},{"key":"20_CR37","doi-asserted-by":"publisher","unstructured":"Tappler, M., Aichernig, B.K., Bloem, R.: Model-based testing IoT communication via active automata learning. In: 2017 IEEE International Conference on Software Testing, Verification and Validation, ICST 2017, 13\u201317 March 2017, Tokyo, Japan, pp. 276\u2013287. IEEE Computer Society (2017). https:\/\/doi.org\/10.1109\/ICST.2017.32","DOI":"10.1109\/ICST.2017.32"},{"key":"20_CR38","doi-asserted-by":"publisher","unstructured":"Tretmans, J.: Model based testing with labelled transition systems. In: Hierons, R.M., Bowen, J.P., Harman, M. (eds.) Formal Methods and Testing, An Outcome of the FORTEST Network, Revised Selected Papers. Lecture Notes in Computer Science, vol. 4949, pp. 1\u201338. Springer (2008). https:\/\/doi.org\/10.1007\/978-3-540-78917-8_1","DOI":"10.1007\/978-3-540-78917-8_1"},{"key":"20_CR39","unstructured":"Wu, J., et al.: BLESA: Spoofing attacks against reconnections in Bluetooth Low Energy. In: Yarom, Y., Zennou, S. (eds.) 14th USENIX Workshop on Offensive Technologies, WOOT 2020, 11 August 2020. USENIX Association (2020). https:\/\/www.usenix.org\/conference\/woot20\/presentation\/wu"},{"key":"20_CR40","unstructured":"Zalewski, M.: American fuzzy lop. https:\/\/lcamtuf.coredump.cx\/afl\/ (2013). Accessed 2 Jan 2022"}],"container-title":["Lecture Notes in Computer Science","NASA Formal Methods"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-06773-0_20","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,8,1]],"date-time":"2022-08-01T11:10:54Z","timestamp":1659352254000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-06773-0_20"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022]]},"ISBN":["9783031067723","9783031067730"],"references-count":40,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-06773-0_20","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022]]},"assertion":[{"value":"20 May 2022","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"NFM","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"NASA Formal Methods Symposium","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Pasadena, CA","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"USA","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2022","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"24 May 2022","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"27 May 2022","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"14","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"nfm2022","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/shemesh.larc.nasa.gov\/nfm2022\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Single-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"EasyChair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"118","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"33","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"6","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"28% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"6.3","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"No","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}