Saecred: A State-Aware, Over-the-Air Protocol Testing Approach for Discovering Parsing Bugs in SAE Handshake Implementations of COTS Wi-Fi Access Points

Muhammad Daniyal Pirwani Dar; Rob Lorch; Aliakbar Sadeghi; Vincenzo Sorcigli; Heloise Gollier; Cesare Tinelli; Mathy Vanhoef; Omar Chowdhury

doi:10.1109/SP61157.2025.00211

Conference proceeding

Saecred: A State-Aware, Over-the-Air Protocol Testing Approach for Discovering Parsing Bugs in SAE Handshake Implementations of COTS Wi-Fi Access Points

Muhammad Daniyal Pirwani Dar, Rob Lorch, Aliakbar Sadeghi, Vincenzo Sorcigli, Heloise Gollier, Cesare Tinelli, Mathy Vanhoef and Omar Chowdhury

Proceedings - IEEE Symposium on Security and Privacy, pp.3691-3709

IEEE Symposium on Security and Privacy

05/12/2025

DOI: 10.1109/SP61157.2025.00211

View Online

Abstract

WPA3-Personal introduced the stateful Simultane-ous Authentication of Equals (SAE) handshake protocol to achieve forward secrecy and resistance to passphrase guessing attacks during Wi-Fi connection bootstrapping, guarantees that are lacking in WPA2-Personal. However, the initial design of WPA3-Personal with SAE was susceptible to connection downgrade and denial-of-service (DoS) attacks. The current, enhanced version introduces mechanisms to mitigate these vulnerabilities. Enabling these security-enhancing mechanisms, however, results in a variable-structured, context-sensitive packet format that can be challenging to parse and interpret correctly. Misparsing SAE handshake packets can negatively impact Wi-Fi protocol security. To uncover SAE handshake packet misparsing in commercial-off-the-shelf (COTS) Wi-Fi access points (APs), we present Saecred,a packet-structure-guided, SAE-state-aware black-box fuzzer. Saecredreduces the underlying problem of misparsing discovery to a two-dimensional search problem, where the dimensions are the packet structure and the underlying SAE protocol state. It solves this search problem by combining Iterative Deepening Search (IDS) with a context-sensitive grammar-based fuzzing approach, where the latter relies on a Syntax-Guided Synthesis (SyGuS) solver. Saecred'seffectiveness is demonstrated by evaluating it on 6 COTS APs and the widely used open-source hostapd. Our evaluation discovered several instances of 4 classes of bugs. Bugs in two of these classes violate the two fundamental guarantees SAE expects to achieve (i.e., resistance to downgrade and DoS attacks). We reported our findings to the relevant stakeholders, which resulted in patches and security advisories.

authentication

Closed box

Computer bugs

Denial-of-service attack

Fuzzing

network protocol security

Protocols

Resistance

Search problems

Security

Testing

wifi

Wireless fidelity

Details

Title: Subtitle: Saecred: A State-Aware, Over-the-Air Protocol Testing Approach for Discovering Parsing Bugs in SAE Handshake Implementations of COTS Wi-Fi Access Points
Creators: Muhammad Daniyal Pirwani Dar - Stony Brook University
Rob Lorch - University of Iowa
Aliakbar Sadeghi - Stony Brook University
Vincenzo Sorcigli - Stony Brook University
Heloise Gollier - KU Leuven
Cesare Tinelli - University of Iowa
Mathy Vanhoef - KU Leuven
Omar Chowdhury - Stony Brook University
Resource Type: Conference proceeding
Publication Details: Proceedings - IEEE Symposium on Security and Privacy, pp.3691-3709
Series: IEEE Symposium on Security and Privacy
DOI: 10.1109/SP61157.2025.00211
ISSN: 1081-6011
eISSN: 2375-1207
Publisher: IEEE
Language: English
Date published: 05/12/2025
Academic Unit: Computer Science
Record Identifier: 9984833492302771

Metrics

14 Record Views

1 Times Cited - Web of Science

See more details