pith. sign in

arxiv: 2511.17283 · v2 · submitted 2025-11-21 · 💻 cs.CR

ThreadFuzzer: Fuzzing Framework for Thread Protocol

Ilja Siro\v{s} , Jakob Heirwegh , Dave Singel\'ee , Bart Preneel This is my paper

Pith reviewed 2026-05-17 20:30 UTC · model grok-4.3

classification 💻 cs.CR
keywords fuzzingThread protocolOpenThreadIoT securityMLE layervulnerability discoverymesh networking
0
0 comments X

The pith

ThreadFuzzer is the first dedicated fuzzing framework for Thread protocol implementations and uncovers five new vulnerabilities in OpenThread.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces ThreadFuzzer as a fuzzing framework for the Thread protocol used in IoT mesh networks. It manipulates packets at the MLE layer to test both virtual OpenThread nodes and physical devices. Multiple strategies including random, coverage-based, and a new TLV Inserter are used. Evaluation found five unknown vulnerabilities, some reproduced on commercial devices, and it compared well to AFL++.

Core claim

ThreadFuzzer is presented as the first dedicated fuzzing framework for Thread protocol implementations. By manipulating packets at the MLE layer with strategies such as Random, Coverage-based, and TLV Inserter, it enables testing of virtual and physical devices. Applied to OpenThread, it uncovered five previously unknown vulnerabilities, several reproduced on commercial devices, and benchmarked favorably against AFL++.

What carries the argument

The MLE layer packet manipulation using Random, Coverage-based, and TLV Inserter strategies to fuzz Thread protocol messages.

Load-bearing premise

The assumption that MLE layer packet manipulation with the given strategies sufficiently exposes relevant vulnerabilities in Thread implementations.

What would settle it

A test showing that ThreadFuzzer finds no new vulnerabilities in OpenThread or that discovered issues do not reproduce on commercial devices would falsify the effectiveness claim.

Figures

Figures reproduced from arXiv: 2511.17283 by Bart Preneel, Dave Singel\'ee, Ilja Siro\v{s}, Jakob Heirwegh.

Figure 1
Figure 1. Figure 1: The illustration of the ThreadFuzzer. The steps shown in the figure outline the fuzzing flow for one packet. The figure is adapted from [ [PITH_FULL_IMAGE:figures/full_fig_p005_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Comparison of Random and Coverage-based Grey-box fuzzers from CovFuzz. 5.3. Comparing ThreadFuzzer with an AFL++- based oracle Since ThreadFuzzer is the first framework capable of fuzzing Thread targets, no prior work exists for direct comparison. However, because OpenThread is actively tested using the OSS-Fuzz framework [9], it is reason￾able to compare ThreadFuzzer against the fuzzing setup currently em… view at source ↗
Figure 4
Figure 4. Figure 4: Comparison of Random fuzzer and TLV inserter. 0 1000 2000 3000 4000 5000 6000 7000 8000 9000 10000 NUMBER OF FUZZING ITERATIONS 30000 32500 35000 37500 40000 42500 45000 47500 50000 OT-MTD COVERAGE NO FUZZING RANDOM FUZZER (k=2) GREY-BOX FUZZER (β=3, k=2) BLACK-BOX FUZZER (β=5, k=2) TLV INSERTER (k=2, γ=1.0) [PITH_FULL_IMAGE:figures/full_fig_p009_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Comparison of fuzzers on the OT-MTD target. [PITH_FULL_IMAGE:figures/full_fig_p009_5.png] view at source ↗
read the original abstract

With the rapid growth of IoT, secure and efficient mesh networking has become essential. Thread has emerged as a key protocol, widely used in smart-home and commercial systems, and serving as a core transport layer in the Matter standard. This paper presents ThreadFuzzer, the first dedicated fuzzing framework for systematically testing Thread protocol implementations. By manipulating packets at the MLE layer, ThreadFuzzer enables fuzzing of both virtual OpenThread nodes and physical Thread devices. The framework incorporates multiple fuzzing strategies, including Random and Coverage-based fuzzers from CovFuzz, as well as a newly introduced TLV Inserter, designed specifically for TLV-structured MLE messages. These strategies are evaluated on the OpenThread stack using code-coverage and vulnerability-discovery metrics. The evaluation uncovered five previously unknown vulnerabilities in the OpenThread stack, several of which were successfully reproduced on commercial devices that rely on OpenThread. Moreover, ThreadFuzzer was benchmarked against an oracle AFL++ setup using the manually extended OSS-Fuzz harness from OpenThread, demonstrating strong effectiveness. These results demonstrate the practical utility of ThreadFuzzer while highlighting challenges and future directions in the wireless protocol fuzzing research space.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript presents ThreadFuzzer, the first dedicated fuzzing framework for the Thread protocol. It manipulates packets at the MLE layer using Random and Coverage-based strategies from CovFuzz, along with a newly introduced TLV Inserter tailored to TLV-structured MLE messages. The framework supports fuzzing of both virtual OpenThread nodes and physical Thread devices. Evaluation on the OpenThread stack using code-coverage and vulnerability-discovery metrics uncovered five previously unknown vulnerabilities, several of which were reproduced on commercial devices relying on OpenThread. The framework is also benchmarked against an AFL++ oracle setup using a manually extended OSS-Fuzz harness, demonstrating strong effectiveness.

Significance. If the central claims hold, this work fills an important gap in protocol-level fuzzing for wireless mesh networks, particularly Thread as a core transport in the Matter standard. The discovery of five new vulnerabilities in OpenThread with reproduction on commercial hardware provides concrete evidence of practical utility. The TLV Inserter represents a protocol-specific innovation, and the comparison to AFL++ strengthens the evaluation. These elements position the paper as a useful contribution to IoT security testing.

major comments (2)
  1. [Evaluation] The claim that several vulnerabilities were successfully reproduced on commercial devices is load-bearing for the assertion of practical utility beyond simulation. However, the manuscript lacks specific details on the physical interface used for injection, the topology or device configuration, and the verification steps confirming that the same mutated MLE packets trigger identical behaviors on hardware as in the simulator (see Evaluation section and abstract).
  2. [Methodology] The central claim that MLE-layer manipulation with Random, Coverage-based, and TLV Inserter strategies is sufficient to expose relevant vulnerabilities rests on the assumption that these reach security-critical states. The evaluation relies on code-coverage and vulnerability-discovery metrics, but without response modeling, topology simulation, or explicit discussion of coverage of key exchange/commissioning or mesh routing logic, it is unclear whether the five issues represent exploitable flaws or shallower crashes (see Methodology and Evaluation sections).
minor comments (2)
  1. The abstract mentions 'CovFuzz' without a citation or brief description of its relation to the current work; adding this would improve clarity for readers unfamiliar with the prior framework.
  2. Tables or figures reporting benchmark results against AFL++ should explicitly define the metrics (e.g., unique crashes, coverage percentage) and include error bars or multiple runs if applicable.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their thorough review and constructive feedback on our manuscript. We address each of the major comments below and indicate the revisions we plan to make.

read point-by-point responses

  1. Referee: [Evaluation] The claim that several vulnerabilities were successfully reproduced on commercial devices is load-bearing for the assertion of practical utility beyond simulation. However, the manuscript lacks specific details on the physical interface used for injection, the topology or device configuration, and the verification steps confirming that the same mutated MLE packets trigger identical behaviors on hardware as in the simulator (see Evaluation section and abstract).

    Authors: We agree that providing more specific details would strengthen the presentation of our hardware reproduction results. In the revised manuscript, we will include additional information in the Evaluation section detailing the physical interface used for packet injection on commercial devices, the specific topology and device configurations employed, and the steps taken to verify that the mutated MLE packets produce the same behaviors on hardware as observed in the simulator. This will better support the claim of practical utility. revision: yes

  2. Referee: [Methodology] The central claim that MLE-layer manipulation with Random, Coverage-based, and TLV Inserter strategies is sufficient to expose relevant vulnerabilities rests on the assumption that these reach security-critical states. The evaluation relies on code-coverage and vulnerability-discovery metrics, but without response modeling, topology simulation, or explicit discussion of coverage of key exchange/commissioning or mesh routing logic, it is unclear whether the five issues represent exploitable flaws or shallower crashes (see Methodology and Evaluation sections).

    Authors: Our fuzzing approach targets the MLE layer because it handles critical aspects of Thread network formation, security, and routing. The five vulnerabilities discovered include issues such as improper handling of malformed TLVs that could lead to denial-of-service or other impacts, as confirmed by our analysis. We did not include full response modeling or topology simulation in this initial framework to focus on demonstrating the effectiveness of MLE-specific fuzzing strategies. In the revised manuscript, we will add explicit discussion in the Methodology and Evaluation sections about the coverage of key protocol logic through MLE interactions and clarify the nature of the discovered issues based on our manual verification. We believe these are not merely shallow crashes but represent meaningful flaws in the implementation. revision: partial

Circularity Check

0 steps flagged

No significant circularity detected

full rationale

The paper introduces ThreadFuzzer as a new fuzzing framework and evaluates it empirically on OpenThread using external code-coverage tools plus physical device reproduction. No equations, fitted parameters, self-definitional constructs, or load-bearing self-citations appear in the derivation or claims. The central results (vulnerability discovery and benchmarking) rest on independent metrics and external reproduction rather than reducing to inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on standard fuzzing assumptions and the effectiveness of MLE-layer manipulation; no free parameters, new physical entities, or ad-hoc axioms are introduced in the abstract.

axioms (1)
  • domain assumption Code coverage and vulnerability discovery metrics are reliable indicators of fuzzing effectiveness for protocol implementations.
    Used to evaluate the Random, Coverage-based, and TLV Inserter strategies on OpenThread.

pith-pipeline@v0.9.0 · 5515 in / 1320 out tokens · 30156 ms · 2026-05-17T20:30:17.857985+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

42 extracted references · 42 canonical work pages

  1. [1]

    Q2 2025

    T. Group, “Q2 2025.” https://www.threadgroup.org/Newsroom/ Newsletters/q2-2025, 2025. [Online; accessed 30-October-2025]

    work page 2025

  2. [2]

    OpenThread

    Google, “OpenThread.” https://openthread.io/, 2025. [Online; ac- cessed 30-October-2025]

    work page 2025

  3. [3]

    Covfuzz: Coverage-based fuzzer for 4g&5g protocols,

    I. Siro ˇs, D. Singel ´ee, and B. Preneel, “Covfuzz: Coverage-based fuzzer for 4g&5g protocols,” in2025 IEEE 10th European Sym- posium on Security and Privacy (EuroS&P), pp. 737–754, IEEE, 2025

    work page 2025

  4. [4]

    Google Bug Hunters

    Google, “Google Bug Hunters.” https://bughunters.google.com/. [Online; accessed 30-October-2025]

    work page 2025

  5. [5]

    What is Matter?

    Google, “What is Matter?.” https://developers.home.google.com/ matter/overview. [Online; accessed 30-October-2025]

    work page 2025

  6. [6]

    What is Thread?

    Google, “What is Thread?.” https://openthread.io/guides/ thread-primer. [Online; accessed 30-October-2025]

    work page 2025

  7. [7]

    Node Roles and Types

    Google, “Node Roles and Types.” https://openthread.io/guides/ thread-primer/node-roles-and-types. [Online; accessed 30- October-2025]

    work page 2025

  8. [8]

    OpenThread Network Simulator

    Google, “OpenThread Network Simulator.” https://github.com/ openthread/ot-ns, 2025. [Online; accessed 30-October-2025]

    work page 2025

  9. [9]

    OSS-Fuzz - continuous fuzzing for open source soft- ware

    Google, “OSS-Fuzz - continuous fuzzing for open source soft- ware..” https://github.com/google/oss-fuzz, 2025. [Online; accessed 30-October-2025]

    work page 2025

  10. [10]

    An empirical study of the reliability of unix utilities,

    B. P. Miller, L. Fredriksen, and B. So, “An empirical study of the reliability of unix utilities,”Commun. ACM, vol. 33, p. 32–44, Dec. 1990

    work page 1990

  11. [11]

    Technical

    M. Zalewski, “Technical ”whitepaper” for afl-fuzz.” https:// lcamtuf.coredump.cx/afl/technical details.txt. [Online; accessed 30-October-2025]

    work page 2025

  12. [12]

    AFL++: Com- bining incremental steps of fuzzing research,

    A. Fioraldi, D. Maier, H. Eißfeldt, and M. Heuse, “AFL++: Com- bining incremental steps of fuzzing research,” in14th USENIX Workshop on Offensive Technologies (WOOT 20), USENIX Asso- ciation, Aug. 2020

    work page 2020

  13. [13]

    What you corrupt is not what you crash: Challenges in fuzzing embedded devices,

    M. Muench, J. Stijohann, F. Kargl, A. Francillon, and D. Balzarotti, “What you corrupt is not what you crash: Challenges in fuzzing embedded devices,” inNetwork and Distributed System Security Symposium, 2018

    work page 2018

  14. [14]

    Aflnet: A greybox fuzzer for network protocols,

    V . Pham, M. B ¨ohme, and A. Roychoudhury, “Aflnet: A greybox fuzzer for network protocols,” inProceedings of the 13rd IEEE International Conference on Software Testing, Verification and Validation : Testing Tools Track, 2020

    work page 2020

  15. [15]

    Stateafl: Greybox fuzzing for stateful network servers,

    R. Natella, “Stateafl: Greybox fuzzing for stateful network servers,” Empirical Software Engineering, vol. 27, no. 191, 2022

    work page 2022

  16. [16]

    Large language model guided protocol fuzzing,

    R. Meng, M. Mirchev, M. B ¨ohme, and A. Roychoudhury, “Large language model guided protocol fuzzing,” inProceedings of the 31st Annual Network and Distributed System Security Symposium (NDSS), 2024

    work page 2024

  17. [17]

    Libaflstar: Fast and state-aware protocol fuzzing,

    C. Daniele, T. Bethe, M. Maugeri, A. Continella, and E. Poll, “Libaflstar: Fast and state-aware protocol fuzzing,” inProceedings of the European Symposium on Research in Computer Security (ESORICS), September 2025

    work page 2025

  18. [18]

    Stateful greybox fuzzing,

    J. Ba, M. B ¨ohme, Z. Mirzamomen, and A. Roychoudhury, “Stateful greybox fuzzing,” in31st USENIX Security Symposium (USENIX Security 22), (Boston, MA), pp. 3255–3272, USENIX Association, Aug. 2022

    work page 2022

  19. [19]

    libFuzzer – a library for coverage-guided fuzz testing

    LLVM Project, “libFuzzer – a library for coverage-guided fuzz testing.” https://llvm.org/docs/LibFuzzer.html. [Online; accessed 30-October-2025]

    work page 2025

  20. [20]

    Sweyntooth: unleashing mayhem over bluetooth low en- ergy,

    M. E. Garbelini, C. Wang, S. Chattopadhyay, S. Sun, and E. Kur- niawan, “Sweyntooth: unleashing mayhem over bluetooth low en- ergy,” inProceedings of the 2020 USENIX Conference on Usenix Annual Technical Conference, USENIX ATC’20, (USA), USENIX Association, 2020

    work page 2020

  21. [21]

    Frankenstein: Advanced wireless fuzzing to exploit new bluetooth escalation targets,

    J. Ruge, J. Classen, F. Gringoli, and M. Hollick, “Frankenstein: Advanced wireless fuzzing to exploit new bluetooth escalation targets,” in29th USENIX Security Symposium (USENIX Security 20), pp. 19–36, USENIX Association, Aug. 2020

    work page 2020

  22. [22]

    BrakTooth: Causing havoc on bluetooth link manager via directed fuzzing,

    M. E. Garbelini, V . Bedi, S. Chattopadhyay, S. Sun, and E. Kurni- awan, “BrakTooth: Causing havoc on bluetooth link manager via directed fuzzing,” in31st USENIX Security Symposium (USENIX Security 22), (Boston, MA), pp. 1025–1042, USENIX Association, Aug. 2022

    work page 2022

  23. [23]

    Stateful black-box fuzzing of bluetooth devices using automata learning,

    A. Pferscher and B. K. Aichernig, “Stateful black-box fuzzing of bluetooth devices using automata learning,” inNASA Formal Methods(J. V . Deshmukh, K. Havelund, and I. Perez, eds.), (Cham), pp. 373–392, Springer International Publishing, 2022

    work page 2022

  24. [24]

    L2fuzz: Discovering bluetooth l2cap vulnerabilities using stateful fuzz testing,

    H. Park, C. K. Nkuba, S. Woo, and H. Lee, “L2fuzz: Discovering bluetooth l2cap vulnerabilities using stateful fuzz testing,” in2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 343–354, 2022

    work page 2022

  25. [25]

    Btfuzzer: A profile- based fuzzing framework for bluetooth protocols,

    M. Jang, Y . Hwang, Y . Kwon, and H. Kim, “Btfuzzer: A profile- based fuzzing framework for bluetooth protocols,” inInformation Security and Cryptology – ICISC 2023(H. Seo and S. Kim, eds.), (Singapore), pp. 20–38, Springer Nature Singapore, 2024

    work page 2023

  26. [26]

    Greyhound: Di- rected Greybox Wi-Fi Fuzzing,

    M. Garbelini, C. Wang, and S. Chattopadhyay, “Greyhound: Di- rected Greybox Wi-Fi Fuzzing,”IEEE Transactions on Dependable and Secure Computing, vol. PP, pp. 1–1, 08 2020

    work page 2020

  27. [27]

    Owfuzz: Discovering wi-fi flaws in modern devices through over-the-air fuzzing,

    H. Cao, L. Huang, S. Hu, S. Shi, and Y . Liu, “Owfuzz: Discovering wi-fi flaws in modern devices through over-the-air fuzzing,” in Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec ’23, (New York, NY , USA), p. 263–273, Association for Computing Machinery, 2023

    work page 2023

  28. [28]

    A framework to test and fuzz wi-fi devices,

    D. Schepers, M. Vanhoef, and A. Ranganathan, “A framework to test and fuzz wi-fi devices,” inProceedings of the 14th ACM Con- ference on Security and Privacy in Wireless and Mobile Networks, WiSec ’21, (New York, NY , USA), p. 368–370, Association for Computing Machinery, 2021

    work page 2021

  29. [29]

    Touching the Untouch- ables: Dynamic Security Analysis of the LTE Control Plane,

    H. Kim, J. Lee, L. Eunkyu, and Y . Kim, “Touching the Untouch- ables: Dynamic Security Analysis of the LTE Control Plane,” in Proceedings of the IEEE Symposium on Security & Privacy (SP), IEEE, May 2019

    work page 2019

  30. [30]

    Berserker: ASN.1-based Fuzzing of Radio Resource Control Protocol for 4G and 5G,

    S. Potnuru and P. K. Nakarmi, “Berserker: ASN.1-based Fuzzing of Radio Resource Control Protocol for 4G and 5G,” in2021 17th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), pp. 295–300, 2021

    work page 2021

  31. [31]

    U-fuzz: Stateful fuzzing of iot protocols on cots devices,

    Z. Shang, M. E. Garbelini, and S. Chattopadhyay, “U-fuzz: Stateful fuzzing of iot protocols on cots devices,” in2024 IEEE Conference on Software Testing, Verification and Validation (ICST), 2024

    work page 2024

  32. [32]

    Z-fuzzer: device- agnostic fuzzing of zigbee protocol implementation,

    M. Ren, X. Ren, H. Feng, J. Ming, and Y . Lei, “Z-fuzzer: device- agnostic fuzzing of zigbee protocol implementation,” inProceed- ings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec ’21, (New York, NY , USA), p. 347–358, Association for Computing Machinery, 2021

    work page 2021

  33. [33]

    Intelligent zigbee protocol fuzzing via constraint-field dependency inference,

    M. Ren, H. Zhang, X. Ren, J. Ming, and Y . Lei, “Intelligent zigbee protocol fuzzing via constraint-field dependency inference,” inComputer Security – ESORICS 2023(G. Tsudik, M. Conti, K. Liang, and G. Smaragdakis, eds.), (Cham), pp. 467–486, Springer Nature Switzerland, 2024

    work page 2023

  34. [34]

    Llmif: Augmented large language model for fuzzing iot devices,

    J. Wang, L. Yu, and X. Luo, “Llmif: Augmented large language model for fuzzing iot devices,” in2024 IEEE Symposium on Security and Privacy (SP), (Los Alamitos, CA, USA), pp. 881– 896, IEEE Computer Society, may 2024

    work page 2024

  35. [35]

    On the security of thread networks: Experimentation with openthread-enabled de- vices,

    D.-G. Akestoridis, V . Sekar, and P. Tague, “On the security of thread networks: Experimentation with openthread-enabled de- vices,” inProceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec ’22, (New York, NY , USA), p. 233–244, Association for Computing Machinery, 2022

    work page 2022

  36. [36]

    Symbolic verification of mesh commissioning protocol of thread,

    P. Upadhyay, S. Sharma, and G. Bai, “Symbolic verification of mesh commissioning protocol of thread,” inProceedings of the 17th Innovations in Software Engineering Conference, ISEC ’24, (New York, NY , USA), Association for Computing Machinery, 2024

    work page 2024

  37. [37]

    Towards Automated Fuzzing of 4G/5G Protocol Implemen- tations Over the Air,

    M. E. Garbelini, Z. Shang, S. Chattopadhyay, S. Sun, and E. Kurni- awan, “Towards Automated Fuzzing of 4G/5G Protocol Implemen- tations Over the Air,” inIEEE Global Communications Conference, GLOBECOM 2022, Rio de Janeiro, Brazil, December 4-8, 2022, pp. 86–92, IEEE, 2022

    work page 2022

  38. [38]

    OpenThread Border Router

    Google, “OpenThread Border Router.” https://github.com/ openthread/ot-br-posix, 2025. [Online; accessed 30-October- 2025]

    work page 2025

  39. [39]

    [Online; accessed 30-October- 2025]

    Connectivity Standards Alliance, “Matter.” https://github.com/ project-chip/connectedhomeip. [Online; accessed 30-October- 2025]

    work page 2025

  40. [40]

    Wireshark: The world’s most popular network proto- col analyzer

    Wireshark, “Wireshark: The world’s most popular network proto- col analyzer.” https://www.wireshark.org/. [Online; accessed 30- October-2025]

    work page 2025

  41. [41]

    nRF52840 DK

    NRF, “nRF52840 DK.” https://www.nordicsemi.com/Products/ Development-hardware/nRF52840-DK. [Online; accessed 30- October-2025]

    work page 2025

  42. [42]

    OpenThread fuzzing harness

    Google, “OpenThread fuzzing harness.” https://github.com/ openthread/openthread/blob/thread-reference-20230706/tests/fuzz/ radio receive done.cpp. [Online; accessed 30-October-2025]. Appendix A. Data Availability To ensure transparency and reproducibility of the results presented in this work, the fuzzing framework together with the presented data is publ...

    work page 2025